Comments
-
@Zyxel_James That's a huge drawback in my opinion; will this be developed/implemented in the future? PeterUK tested the other option (security policy + user control) to isolate traffic of different types of users/customers, and it seems not to work currently. What could be the solution without waiting for future…
-
Yes, we set it up that way; it seems there is no option to obtain the same result on the USG FLEX 500H. Should we isolate the traffic using a security policy per user group, or is there a better approach in your opinion?
-
No, all on the same gateway interface (WAN IP). We believe the firewall differentiates each connection by the encryption parameters (different on each VPN gateway and connection). Peer ID type is set to "Any" for each one of the VPN gateways.
-
On the ATP500, ATP200, and previously on the USG500, under Configuration > VPN > IPSec VPN: 1) we simply created multiple "VPN Gateway" entries, defining individual settings such as: certificate, encryption parameters, Extended Authentication Protocol > Allowed method > Server Mode > Allowed User: and specifying only a specific group of users is…
-
Thank you for the answer PeterUK, just to confirm I got it right: it is not possible to have multiple client-to-site VPN tunnels on the FLEX H, and I should look into achieving this using the Zyxel VPN client (SecuExtender)? Thank you
-
They don't belong to AD, they are simple users like: They don't have two-factor authentication enabled. The second question has an answer in the original post: May 20 10:30:06 atp500 CEF: 0|ZyXEL|ATP500|5.30(ABFU.0)|0|IKE|4|devID=bccf4fc520d6 src=<SOURCE_IP> dst=<DEST_IP> spt=4500 dpt=4500 dvchost=atp500 msg=AUTH fail!…
-
I collected the required information: 1. 2. I cannot provide the firewall configuration due to internal security policy. 3. Temporarily locked meaning: after a certain time the accounts will start to work again. I've just tested; some accounts were locked before the reboot, and are still locked now after a reboot performed…
-
Solved: according to this [SOLVED] Watchguard SSL and L2TP/IPSEC VPN always drop at set time - Spiceworks, the Windows native VPN client has a timeout every 7.6 hr which triggers a rekey, and this rekey fails. On the firewall, decreasing the SA Life of Phase 1 (Gateway settings) to a value lower than 7.6 hr will solve the issue since the…
-
In my case it is set to 24h (86400) on both phase 1 and 2. Must be something else, thank you anyway : )
-
I've noticed later on that all the VPN tunnels won't work anymore after adding the routing rule. The rule works perfectly for fixing the main issue, but it interferes with the VPN connections. The VPN connections are configured to use the OPT interface already, so I don't really see why the tunnel goes down as soon as I…
-
Thank you PeterUK, your suggestion worked perfectly!
-
Thank you for the suggestion, I'm trying to understand if I'm looking at the correct configuration. I go under Configuration > Network > Routing (tab) > Add (button), but the config parameters are different from the ones you listed.
-
I'm sorry, I'm not really understanding. I should create a Configuration > Security Policy > Policy Control rule with action=deny for requests leaving our network and going to this specific website? But we already have a similar rule which drops all connections on UDP 443 in order to disable the QUIC protocol, so why doesn't it allow…
-
Many thanks for your reply, it was very helpful. I was able to capture the "Server Hello" and indeed the GCM is there. Is this an issue in the ZyWALL firmware? Is there anything I can do in order to enable SSL inspection AND allow this specific website to work correctly, without losing security everywhere? I…
-
Thank you. Some parameters were changed, apparently from the firmware update, which solved it.