Errors in the Most Recent USG FLEX Series User's Guide?
I am trying to set up a client-to-site VPN to connect iOS devices to my USG FLEX 200H security device. I am using a custom setting as defined in Section 12.3.2 of Version 1.3.1 Edition 1 of the User's Guide. The firmware for the router is V1.31 (ABWV.0).
The VPN type is Policy-Based. My Address is the ge1(WAN) interface. The Peer Gateway Address is dynamic. The Authentication is Pre-Shared Key. The Phase 1 Settings are AES256/SHA256/DH19. The Phase 1 VPN seems to complete successfully based on the log entries.
The Phase 2 IKE_AUTH Response fails with the message "generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]". My issue with the most recent version of the USG FLEX Series User's Guide is that the Phase 2 Policy Protocol expects an Active Protocol input (ESP in this case) and an Encapsulation input (TUNNEL in this case). I can find no way to provide these inputs in version 1.31 (ABWV.0). I have used a Zyxel client-to-site VPN configured as a Remote Access VPN previously, so I am confident the problem is not with my iOS devices.
Since there is a conflict between the User's Guide and the Firmware, how should I proceed?
All Replies
Hi @Analyteks,
Please reference this FAQ to fix this issue:
For the User's Guide, I will ask our team to update the content. Sorry for the inconvenience.
Zyxel Melen
Zyxel Melen,
Thank you for the quick reply. In addition to not being able to choose a TUNNEL in the IKEv2 Phase 2 setup, there is no ability to choose a TUNNEL as the source address for a Policy Route where the Incoming would be a TUNNEL and Source Address would be the IKEv2 Tunnel that is created when the Client-to-Site VPN is configured per Section 12.3.2 of the User's Guide. Did part of the firmware referencing tunnels get deleted when the firmware was updated to ABWV.0?
Hi @Analyteks,
Before answering this question, may I clarify some information?
The first question is "In addition to not being able to choose a TUNNEL in the IKEv2 Phase 2 setup"? Do you mean this option in ZLD?
The second is "there is no ability to choose a TUNNEL as the source address for a Policy Route where the Incoming would be a TUNNEL and Source Address would be the IKEv2 Tunnel that is created when the Client-to-Site VPN is configured per Section 12.3.2 of the User's Guide."? Do you mean you want to have a configuration that the client-to-site VPN can access other site-to-site VPN's site by policy route?
Zyxel Melen
Zyxel Melen,
Yes. It was part of the IKEv2 VPN setup on my EOL ZYWALL 110 device. With the most recent USG FLEX 200H firmware, I cannot find any reference to a TUNNEL. It is not an INTERFACE option. It is not an option when I try to configure a Policy Route. How does the Policy Route know that the path runs through a TUNNEL where the data and routing information are encapsulated with encryption to a user-specified level?
Thank you for your continued response.
Hi @Analyteks,
Currently, Policy Route only supports route-based VPN tunnels.
May I know if you need any help configuring route-based VPN and the related policy route? You can send me a private message with your scenario and topology.
Zyxel Melen