USG Flex H series - Remote VPN no longer works since v1.36

Hi @Amcomp,

I understand you're encountering an issue with remote VPN access after upgrading your USG FLEX 200H to firmware v1.36, specifically that while the VPN connects, you can only access and ping the USG itself, and local resources are unreachable. This indicates a routing problem, and split tunneling also isn't functioning as expected.

Based on the changes in routing for policy-based VPNs in the USG FLEX H series, particularly with firmware updates, here are some steps and considerations to help resolve this:

Initial Solution:

• Policy Route Configuration for VPN Tunnels: For policy-based VPNs, the USG FLEX H series requires defining policy routes with VPN tunnel interfaces as the next hop. Ensure these are correctly configured for your remote VPN clients.

  • Navigate to Network > Routing > Policy Route.
  • Add a new policy route and select the VPN Interface (VTI) as the next hop interface.
  • If you're using a conventional subnet for your VTI, ensure it's not a link-local address (like 169.254.X.X), as these can cause routing issues.

• Policy Control Rules: In firmware v1.36, additional policy control rules are needed to allow traffic through the VPN tunnel.

  • Go to Security Policy > Policy Control.
  • Add rules to allow the VPN source/destination subnets. This is crucial because encrypted traffic might otherwise be blocked by the default deny rule.

• Split Tunneling Configuration:

  • For IPSec VPN, when setting up the remote access VPN, ensure "Split Tunnel" is selected and the allowed local network resources are correctly specified.
  • If you're using the Zyxel VPN Client (TGB Client), when configuring RemoteAccess, ensure Split Tunnel is picked and the accessible networks are specified.
  • If using OpenVPN, and if you are using full tunnel mode and require split tunnel, you may need to modify the .ovpn file by removing the "redirect-gateway" directive and adding specific routes for your desired split tunnel destination IP ranges.
  • For Windows native VPN clients, you can modify the VPN configuration file to enable multiple split tunnels by setting SplitTunneling=$True and adding multiple destination subnets.

• VPN Zone Security: Ensure your VPN tunnel is correctly assigned to its respective security zone. If a tunnel is not correctly assigned to a zone, traffic will not be allowed.

Information Collection Guide:

To further assist you, please provide the following details:

• Firmware Version: While you mentioned v1.36, please confirm the exact firmware version (e.g., v1.36(ABFH.0)).
• Network Topology: A simple diagram or description of your network setup, including where the USG FLEX 200H is located and the subnet of your local resources.

• Screenshots:

  • Your current Remote Access VPN configuration (IPSec VPN settings).
  • Screenshots of your Policy Route entries, especially those related to the VPN.
  • Screenshots of your Security Policy > Policy Control rules.
  • The routing table from a connected VPN client (route print command on Windows).

• VPN Client Details: What specific Windows VPN client are you using (e.g., Zyxel SecuExtender, native Windows IKEv2 client, OpenVPN client)?

• Zyxel Support Access (Nebula): If your USG FLEX 200H is managed by Nebula, please enable Zyxel Support Access.
  • Navigate to Help > Support Request in the Nebula console.
  • Please provide your Organization and Site name. This will allow the Zyxel support team to directly view your cloud environment configuration, significantly shortening troubleshooting time.