Copyright © 2016 Zyxel Communications Corp. All Rights Reserved.

How to configure IPSec Site to Site VPN while one Site is behind a NAT router (kb id: 015405) - en-GB

This example shows how to use the VPN Setup Wizard to create an IPSec Site to Site VPN tunnel between ZyWALL/USG devices. It explains how to configure the VPN tunnel at each site while one site is behind a NAT router. Once the IPSec Site to Site VPN tunnel is established, each site can be accessed securely. Note: All network IP addresses and subnet masks in this article are examples. Replace them with your actual network IP addresses and subnet masks. This example was tested using a USG110 (Firmware Version: ZLD 4.15) and a ZyWALL 310 (Firmware Version: ZLD 4.15).

Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)

1     In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create the VPN rule for the tunnel to the Branch site. Click Next.

Figure 1   Quick Setup > VPN Setup Wizard > Welcome

2     Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and a pre-shared key as the authentication method. Click Next.

Figure 2   Quick Setup > VPN Setup Wizard > Wizard Type

3     Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; the value is case-sensitive. Select Site-to-site as the rule type. Click Next.

Figure 3   Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

4     Configure Secure Gateway IP as the Branch’s WAN IP address (in the example, 172.100.30.40). Then type a secure Pre-Shared Key (8-32 characters).

Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG (HQ) and Remote Policy to be the IP address range of the network connected to the ZyWALL/USG (Branch).

Figure 4   Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)

5     This screen provides a read-only summary of the VPN tunnel. Click Save.

Figure 5   Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)

6     Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.

Figure 6  Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed

7     Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.

Figure 7  CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type

 

Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)

 

1     In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create the VPN rule for the tunnel to the HQ site. Click Next.

Figure 8   Quick Setup > VPN Setup Wizard > Welcome

2     Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and a pre-shared key as the authentication method. Click Next.

Figure 9   Quick Setup > VPN Setup Wizard > Wizard Type

3     Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; the value is case-sensitive. Select Site-to-site as the rule type. Click Next.

Figure 10   Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

4     Configure Secure Gateway IP as the HQ’s WAN IP address (in the example, 172.100.20.30). Then type the same secure Pre-Shared Key (8-32 characters) that was configured at the HQ.

Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG (Branch) and Remote Policy to be the IP address range of the network connected to the ZyWALL/USG (HQ).

Figure 11   Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)

5     This screen provides a read-only summary of the VPN tunnel. Click Save.

Figure 12   Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)

6     Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.

Figure 13  Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed

7     Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.

Figure 14  CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type

 

Set Up the NAT Router (Using a ZyWALL/USG device in this example)

1     Go to CONFIGURATION > Network > NAT > Add. Select the Incoming Interface on which packets for the NAT rule must be received. Fill in the User-Defined Original IP field and type the translated destination IP address that this NAT rule supports.

Figure 15  CONFIGURATION > Network > NAT > Add

2     Go to CONFIGURATION > Security Policy > Policy Control. IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports, otherwise the tunnel cannot be negotiated or carry traffic through the NAT router:

IP protocol = 50 → Used by data path (ESP)

IP protocol = 51 → Used by data path (AH)

UDP Port Number = 500 → Used by IKE (IPSec control path)

UDP Port Number = 4500 → Used by NAT-T (IPsec NAT traversal)

Figure 16  CONFIGURATION > Security Policy > Policy Control
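The four flows listed in step 2 are easy to get half right on a NAT router (IKE and ESP open, AH or NAT-T forgotten). The script below is an added example, not Zyxel's code and not the ZyWALL/USG's policy format: it models a first-match security policy and the 1:1 NAT entry from step 1 with assumed field names, then reports which of the required flows (ESP, AH, UDP 500, UDP 4500) would not reach the translated address. The addresses and rules are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional

# IPsec flows that must pass the NAT router's security policy (from step 2 above)
ESP_PROTO, AH_PROTO = 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500


@dataclass(frozen=True)
class PolicyRule:
    """One security-policy entry. Field names are an assumption of this example."""
    action: str                        # "allow" or "deny"
    protocol: str                      # "ip" (raw IP protocol), "udp", "tcp" or "any"
    ip_protocol: Optional[int] = None  # for protocol == "ip": the protocol number
    dst_port: Optional[int] = None     # for "udp"/"tcp": destination port, None = any
    dst_ip: Optional[str] = None       # destination address, None = any


@dataclass(frozen=True)
class NatRule:
    """The 1:1 NAT entry from CONFIGURATION > Network > NAT > Add (assumed shape)."""
    incoming_interface: str
    original_ip: str   # User-Defined Original IP (public address on the NAT router)
    mapped_ip: str     # translated destination IP (the ZyWALL/USG behind the router)


# (label, transport, IP protocol number, UDP port) for each required flow
REQUIRED_FLOWS = (
    ("ESP (IP protocol 50)", "ip", ESP_PROTO, None),
    ("AH (IP protocol 51)", "ip", AH_PROTO, None),
    ("IKE (UDP 500)", "udp", None, IKE_PORT),
    ("NAT-T (UDP 4500)", "udp", None, NAT_T_PORT),
)


def rule_matches(rule: PolicyRule, proto: str, ip_proto, port, dst_ip: str) -> bool:
    """True if this rule applies to the given flow towards dst_ip."""
    if rule.dst_ip is not None and rule.dst_ip != dst_ip:
        return False
    if rule.protocol == "any":
        return True
    if rule.protocol != proto:
        return False
    if proto == "ip":
        return rule.ip_protocol is None or rule.ip_protocol == ip_proto
    return rule.dst_port is None or rule.dst_port == port


def missing_flows(policy: List[PolicyRule], nat: NatRule, default_action: str = "deny") -> List[str]:
    """Evaluate the policy first-match (top to bottom) for every flow the tunnel needs
    and return the labels of the flows that are not allowed to reach the mapped address."""
    missing = []
    for label, proto, ip_proto, port in REQUIRED_FLOWS:
        action = default_action
        for rule in policy:
            if rule_matches(rule, proto, ip_proto, port, nat.mapped_ip):
                action = rule.action
                break
        if action != "allow":
            missing.append(label)
    return missing


# Constructed sample: documentation-range addresses, not taken from a real deployment
NAT_RULE = NatRule(incoming_interface="wan1", original_ip="203.0.113.40", mapped_ip="192.168.1.2")

# A typical half-finished policy: IKE and ESP are open, AH and NAT-T were forgotten
INCOMPLETE_POLICY = [
    PolicyRule("allow", "udp", dst_port=IKE_PORT, dst_ip="192.168.1.2"),
    PolicyRule("allow", "ip", ip_protocol=ESP_PROTO, dst_ip="192.168.1.2"),
    PolicyRule("deny", "any"),  # explicit catch-all deny at the bottom
]

COMPLETE_POLICY = [
    PolicyRule("allow", "udp", dst_port=IKE_PORT, dst_ip="192.168.1.2"),
    PolicyRule("allow", "udp", dst_port=NAT_T_PORT, dst_ip="192.168.1.2"),
    PolicyRule("allow", "ip", ip_protocol=ESP_PROTO, dst_ip="192.168.1.2"),
    PolicyRule("allow", "ip", ip_protocol=AH_PROTO, dst_ip="192.168.1.2"),
    PolicyRule("deny", "any"),
]

if __name__ == "__main__":
    print("incomplete policy blocks:", missing_flows(INCOMPLETE_POLICY, NAT_RULE))
    print("complete policy blocks:", missing_flows(COMPLETE_POLICY, NAT_RULE))
```

The check deliberately evaluates the policy against the translated (private) address, because after the NAT rule in step 1 rewrites the destination, that is the address the security policy sees. Once ESP and NAT-T are both allowed, the tunnel will use UDP 4500 encapsulation whenever NAT is detected during IKE, which is what step 2 relies on.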

Test the IPSec VPN Tunnel

1     Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the tunnel is connected.

Figure 17  CONFIGURATION > VPN > IPSec VPN > VPN Connection

2     Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and Inbound(Bytes)/Outbound(Bytes) Traffic.

Figure 18  MONITOR > VPN Monitor > IPSec

3     To test whether or not the tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices).

Figure 19  PC behind ZyWALL/USG (HQ) > Windows 7 > cmd > ping 192.168.20.33

Figure 20  PC behind ZyWALL/USG (Branch) > Windows 7 > cmd > ping 10.10.10.33

What Could Go Wrong?

1      If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG devices at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.

Figure 21  MONITOR > Log

2      If the Phase 1 IKE SA has been established but you still see the [info] log message below, check the ZyWALL/USG Phase 2 Settings. Both ZyWALL/USG devices at the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IPSec SA.

Figure 22  MONITOR > Log

3      Make sure the security policies on both ZyWALL/USG devices at the HQ and Branch sites allow IPSec VPN traffic. IKE uses UDP port 500, NAT-T uses UDP port 4500, AH uses IP protocol 51, and ESP uses IP protocol 50.

4      NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
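Items 1, 2 and 4 above describe a comparison you can do before reading the logs: every Phase 1 and Phase 2 parameter must match at both ends, and NAT traversal must be on at both ends when one site is behind a NAT router. The following is an added example, not Zyxel's code and not the ZyWALL/USG's own settings export; the dictionary keys and the sample values are assumptions made up for the illustration (the wizard's real defaults are not shown on this page). It reports each mismatch without ever echoing the pre-shared key.

```python
from typing import Dict, List

# Settings that must match at both ends, exactly as the troubleshooting items list them.
# The key names are an assumption of this example, not ZyWALL/USG field names.
PHASE1_FIELDS = ("pre_shared_key", "encryption", "authentication", "dh_group", "id_type")
PHASE2_FIELDS = ("protocol", "encapsulation", "encryption", "authentication", "pfs")


def compare_phase(phase: str, fields, hq: Dict, branch: Dict) -> List[str]:
    """Return one message per field whose value differs between the two sites."""
    problems = []
    for field in fields:
        if hq.get(field) == branch.get(field):
            continue
        if field == "pre_shared_key":
            # Report the mismatch without writing the secret into logs or tickets
            problems.append(f"{phase}: pre_shared_key differs")
        else:
            problems.append(f"{phase}: {field} HQ={hq.get(field)!r} Branch={branch.get(field)!r}")
    return problems


def check_sites(hq: Dict, branch: Dict) -> List[str]:
    """Run the Phase 1, Phase 2 and NAT-traversal checks from the troubleshooting list."""
    problems = compare_phase("Phase 1", PHASE1_FIELDS, hq["phase1"], branch["phase1"])
    problems += compare_phase("Phase 2", PHASE2_FIELDS, hq["phase2"], branch["phase2"])
    # NAT traversal must be on at both ends whenever either site sits behind a NAT router
    if hq.get("behind_nat") or branch.get("behind_nat"):
        for name, site_cfg in (("HQ", hq), ("Branch", branch)):
            if not site_cfg.get("nat_traversal", True):
                problems.append(f"NAT traversal disabled on {name} but a site is behind NAT")
    return problems


def site(psk, enc1, auth1, dh, id_type, proto, encap, enc2, auth2, pfs, behind_nat, nat_t):
    """Helper to build a site description in the shape check_sites expects."""
    return {
        "phase1": {"pre_shared_key": psk, "encryption": enc1, "authentication": auth1,
                   "dh_group": dh, "id_type": id_type},
        "phase2": {"protocol": proto, "encapsulation": encap, "encryption": enc2,
                   "authentication": auth2, "pfs": pfs},
        "behind_nat": behind_nat,
        "nat_traversal": nat_t,
    }


# Constructed sample settings (illustrative values, not the wizard's actual defaults)
HQ_OK = site("example-psk-1234", "AES128", "SHA1", "DH2", "IP",
             "ESP", "Tunnel", "AES128", "SHA1", "DH2", False, True)
BRANCH_OK = site("example-psk-1234", "AES128", "SHA1", "DH2", "IP",
                 "ESP", "Tunnel", "AES128", "SHA1", "DH2", True, True)
# A misconfigured branch: different DH group, PFS off, NAT traversal switched off
BRANCH_BAD = site("example-psk-1234", "AES128", "SHA1", "DH5", "IP",
                  "ESP", "Tunnel", "AES128", "SHA1", "None", True, False)
# Same as the good branch but with a different pre-shared key
BRANCH_WRONG_PSK = site("example-psk-9999", "AES128", "SHA1", "DH2", "IP",
                        "ESP", "Tunnel", "AES128", "SHA1", "DH2", True, True)

if __name__ == "__main__":
    for line in check_sites(HQ_OK, BRANCH_BAD) or ["no mismatches found"]:
        print(line)
```

Phase 1 problems are listed first because, as item 2 says, Phase 2 settings only come into play once the IKE SA exists; if the first line of output mentions Phase 1, fix that before looking at Phase 2 at all.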

 

 

Topic Information
  • Topic #: 30062-56698
  • Date Created: 06/23/2016
  • Last Updated: 06/23/2016
  • Viewed: 2474
Related Products
  • USG110
  • USG1100
  • USG1900
  • USG210
  • USG310
  • USG60
  • ZyWALL 110
  • ZyWALL 1100
  • ZyWALL 310