Comments
-
Hi @mMontana, If you have multiple Aggressive mode gateway (phase 1) rules, local-id is the attribute that is used to identify the different gateway (phase 1) rules. By default, the local-id is the IP address of the interface of the gateway rule. In your case, you can set up the local-id of the gateway 9 rule (e.g. type: DNS, value=string1). In…
-
Hi @firerabbit, My USG110 4.73 works fine with the GeoIP settings. Maybe you can use the filter on the Policy Control page to check whether any other rule allows the UDP 500, 4500 traffic to your USG.
-
Hi firerabbit, 1. First, create a country address object. (1) Go to Object > Address/Geo IP > Address. (2) Click Add, and in the pop-up window give a name for the object, e.g. US, DE, NL ... (3) For Address type, select GEOGRAPHY, and for region, select your country. 2. Edit the default WAN to ZyWALL Security policy, change the Source…
-
Hi @AntonKotikov, From the log, the Linux sent IKEv1, 3DES, MD5, DH2 to the USG, but you set up DES, MD5, DH2 on the USG, so there is a mismatch in Phase 1.
-
To troubleshoot the packets in the VPN tunnel: 1. On the USG, use the CLI to monitor packets going in/out of the IPSec VTI tunnel. # packet-trace interface <VTI tunnel interface> ip-proto icmp 2. Ping 10.1.0.101 from a host in your office. 3. Check the packet monitor. If you get a ping request to 10.1.0.101 -> the USG does send the ping to Azure…
-
Hi @asiawatcher, If you don't set the DNS server to point to the DNS server at the central site, then each branch site will use its own local DNS server. That guide didn't include the steps for this part, so don't worry if you follow the guide for the setup.
-
Hi @Teooo43, First, you need to make sure the switch model you have supports sending syslog to your Wazuh SIEM server. Then, you can go to the GUI of the switch to check the log messages that you want to monitor. Copy a log message from the switch GUI and paste it into wazuh-logtest to run it through the default decoder.…
-
Hi @AWUSupport, Try disabling the Traffic Statistics, BWM, and ADP functions; it might help to get a little improvement.
-
I think Android supports both aggressive and main mode for L2TP/IPSec PSK, but it depends on the design of the phone vendors. Here are my experiences on Samsung phones from Android 9 ~ 11. The "IPSec identifier" setting changes the L2TP/IPSec IKE mode that is used. * Without the "IPSec identifier" setting - IKE negotiates via Main mode. *…
-
Hi @valerio_vanni, First, in the configuration on your USG, the phase 1 mode should be "Main" mode, not "Aggressive" mode. Second, the Windows native L2TP/IPSec client uses 3DES/SHA1/DH2 encryption by default.…
-
Hi @USG_User, It's better to set up a temporary WAN interface (IP: get via DHCP) on the FLEX700, and create another LAN interface/subnet on the USG110 with the DHCP server enabled. Then connect it to the temporary interface port of the FLEX700. This prevents a routing conflict with the USG110 LAN1 subnet, once you set up the current LAN1 subnet to…
-
Here is my point of view: there is no option to disable the CF page in the Zyxel firewall. Even if it had this option, it would cause other kinds of support calls for you, since users would get a blank page saying "ERR_CONNECTION ...". Setting the "Unrated" web page action to "Pass" can decrease the chance of blocking unknown sites and…
-
Hi @NEP, Add these policy routes for ZyWALL to ZyWALL through policy-based IPSec VPN. SiteA routing: Incoming - ZyWALL; Destination - vpn20 (192.168.20.0/24); Next-Hop - vpn20. SiteB routing: Incoming - ZyWALL; Destination - vpn10 (192.168.10.0/24); Next-Hop - vpn10.
-
I think the guide is a bit outdated, and it's for the case where the client needs to manually configure a static IP. There are two IPSec VPN solutions that can offer an IP address from the VPN server to the VPN client: 1. IKEv1…
-
Hi @mbsouth, If you offer the VPN client an IP address from 192.168.20.0/24, then the return route will be treated as a local direct route by the USG, and the traffic won't go back to the VPN client. You need to change the IP pool for the VPN client to a subnet other than 192.168.20.0/24.
Master Member