QuiteSmart  Freshman Member

Hello @Zyxel_JudyH , may you give me more info about the new feature CLI created to enable "Drop TCP SYN packets with data". Optimize URL Threat Filter/Content Filter scan flow to avoid unnecessary inspections. in which cases zyxel suggest to enable it? How to do it? TY

Thanks Zyxel!!

I tried with no-ip.com and sslforfree.com. I created a ddns and connected it in the zywall but when i go to sssforfree.com i don't know how to verificate my domain (email, cname or http file upload are the options). Would you be so kind to write a walktru (i don't mind which providers, anyone is ok) thanks @PeterUK

i made a check about the different certificates that one can create and as you said legacy USG40 (all of them can be selected in IPSEC config): RSA-SHA256; RSA-SHA512; DSA-SHA256 ATP100 (only the first three can be selected in IPSEC config) RSA-SHA256; RSA-SHA512; DSA-SHA256; ECDSA-SHA256; ECDSA-SHA384 Why the two ECDSA…

which DDNS provider would you reccomend?

LITTLE STEP AHEAD: giving a precise read to what I pasted in the previous post i understood that somehow windows sends a request for AES256 and DH14 (MODP 2048 bit is actually DH14). As mentioned before I was quite sure to had set AES128 and DH12 for the phase 1 by powershell cmdlet, but it seems that Windows doesn't take…

Hello @PeterUK thank you for you reply: CERTIFICATE: from object/certificate/my certificate i sent by email the certificate WITH (p12) and WITHOUT (crt) private key to the client. On the windows client I installed the .p12 and.crt files (local computer, trusted root certification authorities) DDNS: as for ddns i don't mind…

Hello, i'm having a problem in phase 1 (logs on zywall say say proposal mismatch ) this in brief is my configuration on this IKEv2 vpn: phase 1: encryption AES128, authentication SHA256, DH DH2 phase 2: encryption AES128, authentication SHA256, PFS None THE cmdlet that i'm using in windows 10 is:…

your post is gold!

Try using strongSwan app it has great logs. IF you get no proposal chosen i suggest to check that encryption, authentication and Diffie Hellman Groups are the same between the zywall and the endpoint. As for DH Groups consider that while on legacy USG serie you can choose only one group on the ATP and USG flex series you…

Hello, this is a little offtopic: can anyone of Zyxel update this support page to version 1.20? (it is the table of features comparision between uOS and classic firmware)…

Hello @Born2Shine as of today SSL VPNs are free: the client is called SecuExtender as the IPSec Client but it is a totally different application. You can download it here: https://download.zyxel.com/SecuExtender_VPN_Client/software/SecuExtender%20VPN%20Client_SSL_VPN_Client_4.0.5.0.zip This one to be clear: Please note…

still looking for possibile configuration in Windows I found that to enable DES and MD5 one has to edit a registry key (not reccomanded for security concerns): from you can disable weak crypto for L2TP by editing the following registry value: HKLM\System\CurrentControlSet\Services\Rasman\Parameters\AllowL2TPWeakCrypto The…

I would like to convert this post to the best practices for L2TP over IPSec… which combination of phase 1 proposals, DH and phase 2 proposals pfs do you all use? which is the minimum security level that you would use? what about an aggressive negotiation? anyone uses tunnel instead of transport with windows client?

Thank you @zyman2008 i didn't install the app so far but it seems an useful tool to use before resetting a smartphone.