vpn ipsec

IDK which device is your router and if that rule works as you expect.
You can try this series instead.
Port forward router:
external IP    protocol     external port    Internal IP internal     port network     enabled IP
xxx               TCP           443                   192.168.1.254          443                  all
xxx               UDP          500                   192.168.1.254           500                  all
xxx               UDP          1701                 192.168.1.254           1701                all
xxx               UDP          4500                 192.168.1.254           4500                all
Port U 1701 is for L2TP
Also, not knowing how the router works, consider to verify alternatively if there's someting like DMZ or firewall rules.

Then on your USG20-VPN should be present Security policies that allow connection to 3 of these ports for provisioning from WAN to Zywall (T 443, U 500, U4500) and the IPSec gateway MUST be NAT-Traversal enabled.

Current software (5.30) won't like that much full world access to administration/provisioning port, so write down at least some small group of geo-ip allowed nations to access T 443 and all other ports.
Consider as alternative to change the default T 443 to something customized, but adapt port forwarding to the same port after changin that in USG20-VPN.