Remote Access VPN on 500H

Hi @IVS,

I understand you're encountering a "remote server is not responding" error when setting up a remote access IPsec VPN on your USG FLEX 500H using Windows VPN, despite configuring it in Nebula and downloading the setup. This typically indicates an issue with the VPN server's accessibility or configuration.

Here's a step-by-step guide to troubleshoot this:

1. Verify NAT Traversal Configuration:

   • If your USG FLEX 500H is behind a NAT device or ISP gateway (receiving a private IP), you must configure NAT Traversal (NAT-T). Log in to the uOS web interface of your firewall, navigate to VPN > IPSec VPN > Remote Access VPN settings, and enter your public IP address or DDNS hostname in the NAT Traversal field.
   • After enabling NAT-T, redownload the VPN configuration file and verify that the server address shows the public IP or DDNS.

2. Check Nebula and Local Configuration Sync:

   • Ensure that the configuration on Nebula and your local firewall are in sync. If the download button for the VPN configuration script is greyed out in Nebula, it indicates a synchronization issue.

3. Review IPsec VPN Settings:

   • IKEv2 Requirement: The USG FLEX H series primarily supports IKEv2 for Remote Access VPN.
   • Phase 1 & 2 Parameters: For Windows VPN, ensure your Phase 1 and Phase 2 encryption and authentication settings are correctly configured. For USG FLEX H models, configure Phase 1 Encryption and Authentication to AES256/SHA256 DH2/DH14/DH21, and Phase 2 Encryption and Authentication to AES256/SHA256 with Perfect Forward Secrecy (PFS) set to None.
   • VPN Zone Security: Ensure the VPN tunnel is correctly integrated into your network's security policies. With uOS version 1.20 and later, you can automatically add the VPN tunnel to its respective security zone during VPN setup.

4. Security Policy:

   • Verify that your firewall security policies allow traffic from the VPN subnet to your internal network. If unsure, temporarily disable related security policies to test connectivity.

5. User Authentication:

   • Confirm that the cloud authentication user you created has VPN access enabled. If you created the user from the Cloud Authentication User Page in Nebula, ensure "Allow user to use Remote Access VPN" is enabled.

To help us further investigate, please provide the following information:

• Firmware Version of your USG FLEX 500H.
• Network Topology Diagram: A simple diagram showing your firewall, ISP connection, and the client attempting to connect.
• Screenshots of your IPsec VPN Remote Access settings in both Nebula and the local GUI, particularly the Phase 1, Phase 2, and NAT Traversal configurations.
• Zyxel Support Access: To enable our support team to directly view your cloud environment configuration and expedite troubleshooting, please enable Zyxel Support Access through the Nebula control panel (Help > Support Request). Please also provide your Organization and Site name.