IPSec VPN Client-To-Site IKE2 50H behind NAT

ITS · June 23

Hi all,

it's my first time on new firmware, I'm trying to create a IKE2 IPSec behind nat. I've tryed all config but always error. Please advice.

WAN1 10.20.30.2

LAN1 10.10.10.X

VPN Address Pool : 192.168.50.0/24

on log file you can read all my try. Please let me know.

Thank you very much for your help.

Bye

log-ipsec-2025_06_23.xlsx

PeterUK · June 23

Are you using the VPN Configuration Download for the client?

Because your WAN is 10. do not use Interface option for Incoming Interface use Domain Name / IP as 0.0.0.0 and NAT Traversal your WAN IP or Domain Name then disable enable VPN and download the new VPN script.

Zyxel_Tina · June 24

Hi @ITS,

Based on the logs, we can confirm that your device is receiving VPN connection attempts and that IKEv2 negotiation has started. However, the log also shows multiple NO_PROP (no proposal chosen) errors and IKE_AUTH requests without successful responses. This suggests a mismatch between the VPN client and the Zyxel device configurations.

First, could you please confirm if your network topology matches the image below?

In this scenario, please refer to the following FAQ to configure your firewall correctly:

USG FLEX H Series - NAT Traversal Support for IPSec Remote Access VPN — Zyxel Community

If these settings do not resolve the issue, please send us your device’s diagnostic information file via private message. This will allow us to better understand your configuration and assist you further. Instructions on how to collect the file can be found in the following article:

How to collect diag-info from web GUI for USG FLEX H series? — Zyxel Community

IPSec VPN Client-To-Site IKE2 50H behind NAT

All Replies

Categories

Security Help Center