-
Setup Guide - IKEv2 VPN from Ubuntu 24.04 to an USGFLEX 200H
Here's a step-by-step installation and configuration guide for setting up an IKEv2 VPN client on a clean Ubuntu 24.04 system, using EAP-MS-CHAPv2 authentication and a split-tunnel configuration, with working ping to the Zyxel Firewall's LAN and internet preserved. The Zyxel USG FLEX configuration is identical to the one…
-
Policy-Based VPN with Policy Routes – Advanced Control for Multi-Subnet Environments
USG FLEX H Series Firewall continues to offer flexible VPN deployment options with support for Policy-Based VPN using Policy Routing. While route-based VPNs are commonly used in modern deployments, policy-based VPNs still hold value for scenarios involving specific subnet-to-subnet communication and USG FLEX/ATP firewall…
-
VPN Failover and Fallback – Enhanced Redundancy for Site-to-Site Tunnels
USG FLEX H Series Firewall now supports VPN Failover and Fallback - a powerful enhancement that ensures high availability in site-to-site VPN deployments. This feature enables firewalls to automatically switch to a backup VPN tunnel when the primary connection fails and revert back once the primary is restored. In this…
-
How to configure L2TP VPN on USG FLEX H on Nebula?
Question: How to configure L2TP VPN on USG FLEX H on Nebula? "Client Access VPN" is missing from Firewall settings. Answer: L2TP VPN is not supported on the USG FLEX H series. USG FLEX H support IKEv2 for Remote Access VPN configuration. You can configure IPSec VPN (IKEv2) instead. If you are using the Nebula platform,…
-
Does the Nebula firewall need to be licensed to allow VPN client connectivity?
Question: Does the Nebula firewall need to be licensed to allow VPN client connectivity? Answer: We offer Remote Access VPN (IKEv2) and SSL VPN (OpenVPN). Only the SecuExtender VPN client software requires a license for client access.
-
[2025 July Notification] SecuExtender Perpetual Version Vulnerability
Dear Valued Users, We would like to inform you that the SecuExtender VPN client with the perpetual version IPSec_3.8.204.61.32 will soon be removed from our official website due to a reported security vulnerability related to legacy Windows 7 environments. Under certain conditions, this vulnerability may allow unauthorized…
-
NAT Over IPSec VPN in uOS 1.31
The NAT Over IPSec VPN feature in uOS 1.31 allows network administrators to use Network Address Translation (NAT) inside an IPSec VPN tunnel. This is crucial for: This feature is now available for policy-based VPNs, while route-based VPNs have already supported NAT in previous versions. 1. Type of Types of NAT Over IPSec…
-
[ATP/FLEX] Why can't non-Nebula VPNs set the VPN tunnel interface?
Question : Why can't non-Nebula VPNs set the VPN tunnel interface? As shown below, there is no VPN tunnel interface field. Answer : The non-Nebula VPN only supports the VPN tunnel interface in IKEv2. Please select IKEv2. Then, set the VPN tunnel interface information.
-
[ATP/FLEX] How to resolve the IP conflict issue between the LAN and VPN IP ranges?
Question : How to resolve the IP conflict issue between the LAN and VPN IP ranges?For instance, the LAN1 IP range is 192.168.0.0/16, but the user wants to set the VPN range to 192.168.50.0/24. Answer : Please change the VPN private IP range to resolve the issue. For instance, the user can configure 10.10.10.0/24 as the…
-
Why can't the SecuExtender obtain the VPN provisioning file from the firewall using an AD account?
Question : Why can't SecuExtender obtain the VPN provisioning file from the firewall using an AD account, resulting in the error message 'Authentication Failed: Wrong Login/Password'? Answer : There are two possible reasons: The user entered the wrong password when retrieving the VPN provisioning file. The user selected…
-
How do I manually add a VPN profile on an iPhone for an IKEv2 VPN connection with Nebula Firewall?
Question : How do I manually add a VPN profile on an iPhone for an IKEv2 VPN connection with Nebula Firewall? Answer : The user can not only import the .mobileconfig file downloaded from the firewall to the iPhone's IKEv2 VPN connection but also manually add an IKEv2 VPN profile on the iPhone. For example, the steps below…
-
Cannot connect Remote VPN deplopyed by mobileconfig since iOS18
Symptom: You cannot connect Remote VPN which deployed by mobileconfig since iOS18, You have to create VPN profile manually as alternative Workaround: 1)edit mobileconfig by notepad Find the following lines <key>LocalIdentifier</key> <string></string> and change to <key>LocalIdentifier</key> <string>Zyxel</string>
-
USG FLEX H Series - NAT Traversal Support for IPSec Remote Access VPN
With the latest uOS firmware update, Zyxel's H Series firewalls now support NAT Traversal (NAT-T) for IPSec Remote Access VPNs. This feature is essential for devices deployed behind a NAT or firewall, allowing them to maintain a stable VPN connection when the device itself is assigned a private IP. Why NAT Traversal is…
-
How to trace IPsec log?
Scenario: You have IPSec VPN problem, It may be disconnection or traffic problem, Please collect the following information to Zyxel Support Maintenance > Diagnostics > Network Tool 1)Network Tool: IPsec Trace Log , click "Start" 2)Try to replicate issue or wait the issue happened then stop 3)Download the "ipsecvpn.log" and…
-
How to Configure IKEv2 VPN for macOS 15 on old USG/ZyWALL series?
Question: What are the settings for configuring IKEv2 VPN on macOS 15 (Sequoia) using Zyxel USG40 and other USG/ZyWALL using firmware 4.73 patch 2? Answer: To set up IKEv2 VPN for macOS 15 (Sequoia) with the Zyxel USG40 and other USG/ZyWALL devices, use the following configurations: Phase 1 (Gateway) Encryption Algorithm:…
-
Why can't I establish a VPN connection after updating to iOS 18? How can I resolve this issue?
Question : Why can't I establish an IKEv2 VPN connection after updating to iOS 18? How can I resolve this issue? Answer : Since there are changes to the VPN Phase 1 and Phase 2 parameters for iOS's native VPN client, please modify them accordingly to allow the remote VPN to work. USG Flex/ATP firewall model settings:…
-
How to avoid unexpected routing issues when enabling both IPsec VPN and L2TP VPN simultaneously?
Scenario : The user may need to enable both IPsec VPN and L2TP VPN remote settings simultaneously. How can unexpected routing issues be avoided when enabling both IPsec VPN and L2TP VPN at the same time? Answer : STEP1. Navigate to Site-wide > Configure > Firewall > Remote access VPN STEP2.Please ensure their Client VPN…
-
How to establish an VPN connection with the USG Lite 60 AX by the macOS Sonoma native VPN client?
Question : How to establish the VPN connection with the USG Lite 60 AX by the macOS Sonoma native VPN client? Answer : This article will guide you on how to establish an IKEv2 VPN connection with the USG Lite 60 AX using the macOS Sonoma native VPN client. Navigate to Site-wide> Configure > Cloud authentication > To add a…
-
How to establish an VPN connection with a Nebula firewall by the macOS Sonoma native VPN client?
Question : After updating to macOS Sonoma, if you cannot establish an IKEv2 VPN connection with the Nebula firewall, how do you resolve this problem? Answer : Since there are changes to the VPN Phase 1 and Phase 2 parameters for macOS Sonoma's native VPN client, please modify them accordingly to allow the remote VPN to…
-
Why can't I ping servers over VPN when IKEv2 VPN is established on SecuExtender?
Question: IKEv2 VPN is established on SecuExtender. However, I cannot ping the gateway IP of USG FLEX or servers in LAN. Answer: Review the Two-Factor Authentication (2FA) settings:* Navigate to Object > Auth. Method > Two-Factor Authentication > VPN Access. * Check if 2FA is enabled for all VPN services and users. * If…