VPN - Configure IPSec Site-to-Site VPN behind a NAT router

The article provides a step-by-step guide on setting up an IPSec site-to-site VPN tunnel using the VPN Setup Wizard on ZyWALL/USG devices. It explains how to configure the VPN tunnel between two sites, including one behind a NAT router, ensuring secure access. The process involves using the VPN Settings wizard to create a VPN rule with default phase settings, configuring secure gateway IPs, and setting local and remote policies. It also covers verification steps to test the tunnel's functionality and addresses potential issues that may arise, such as mismatched settings or security policy configurations.

Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)

1. On the ZyWALL/USG (HQ), use the VPN Settings wizard to create a VPN rule for the tunnel to the Branch ZyWALL/USG. Click Next.

Quick Setup > VPN Setup Wizard > Welcome

2. Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and a pre-shared key as the authentication method. Click Next.

Quick Setup > VPN Setup Wizard > Wizard Type

3. Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

4. Configure Secure Gateway IP as the Branch’s WAN IP address (in the example, 172.100.30.40). Then, type a secure Pre-Shared Key (8-32 characters).

Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG (HQ) and Remote Policy to be the IP address range of the network connected to the ZyWALL/USG (Branch).

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)

5. This screen provides a read-only summary of the VPN tunnel. Click Save.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) 

6. The rule is now configured on the ZyWALL/USG. The Phase 1 and Phase 2 rule settings appear here:

Phase 1: VPN > IPSec VPN > VPN Gateway

Phase 2: VPN > IPSec VPN > VPN Connection

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed

7. Configure Peer ID Type as Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.

CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type

Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)

1. On the ZyWALL/USG (Branch), use the VPN Settings wizard to create a VPN rule for the tunnel to the HQ ZyWALL/USG. Click Next.

Quick Setup > VPN Setup Wizard > Welcome 

2. Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and a pre-shared key as the authentication method. Click Next.

Quick Setup > VPN Setup Wizard > Wizard Type

3. Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next.

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) 

4. Configure Secure Gateway IP as the HQ's WAN IP address (in the example, 172.100.20.30). Then, type the same Pre-Shared Key (8-32 characters) that was entered at the HQ.

Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG (Branch) and Remote Policy to be the IP address range of the network connected to the ZyWALL/USG (HQ).

Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration) 

5. This screen provides a read-only summary of the VPN tunnel. Click Save.

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)

6. The rule is now configured on the ZyWALL/USG. The Phase 1 and Phase 2 rule settings appear here:

Phase 1: VPN > IPSec VPN > VPN Gateway

Phase 2: VPN > IPSec VPN > VPN Connection

Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed

7. Configure Peer ID Type as Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.

CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type 

Set Up the NAT Router (Using ZyWALL USG device in this example)

Note: These settings should be applied only if one of your firewalls is behind a NAT. These settings should be configured on the NAT Router positioned before your firewall, which could be your ISP router or the main router in your office network. Below, we provide an example using one of our devices—this is for reference purposes only.

1. Select the Incoming Interface on which packets for the NAT rule must be received. Specify the User-Defined Original IP field and type the translated destination IP address (the firewall behind the NAT router) that this NAT rule supports.

CONFIGURATION > Network > NAT > Add 

2. IP forwarding must be enabled on the NAT router and allowed by the firewall for the following IP protocols and UDP ports:

IP protocol = 50 → Used by data path (ESP)
IP protocol = 51 → Used by data path (AH)
UDP Port Number = 500 → Used by IKE (IPSec control path)
UDP Port Number = 4500 → Used by NAT-T (IPsec NAT traversal)

CONFIGURATION > Security Policy > Policy Control 

VERIFICATION:

Test the IPSec VPN Tunnel

1. Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected.

2. Verify the tunnel Up Time and Inbound(Bytes)/Outbound(Bytes) Traffic.

MONITOR > VPN Monitor > IPSec

3. To test whether the tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers reach the Internet through their IPSec devices (the ZyWALL/USG at each site).

PC behind ZyWALL/USG (HQ) > Windows 7 > cmd > ping 192.168.20.33

PC behind ZyWALL/USG (Branch) > Windows 7 > cmd > ping 10.10.10.33
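A ping only shows that the tunnel passes traffic; when one site sits behind a NAT router it is also worth confirming which path the tunnel actually uses. Once IKE detects NAT, IKE moves from UDP 500 to UDP 4500 and ESP is carried inside UDP 4500 (NAT-T); if instead raw ESP (IP protocol 50) or AH (51) appears, the tunnel depends on the NAT router forwarding those protocols. The following Python script is an added example, not Zyxel's code or part of this article: it classifies tcpdump-style summary lines captured on the WAN side and reports whether NAT-T is in use. The capture lines are constructed to mirror the article's example addresses; the tcpdump text format they follow is an assumption about the reader's capture tool.

```python
import re
from collections import Counter

# tcpdump summary line carrying UDP ports: "IP a.b.c.d.PORT > e.f.g.h.PORT: ..."
UDP_LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)")
# raw IPsec on IP protocol 50/51: "IP a.b.c.d > e.f.g.h: ESP(...)" or "AH(...)"
RAW_LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): (ESP|AH)\(")


def classify(line: str) -> str:
    """Map one capture line to the IPsec path it belongs to."""
    m = UDP_LINE.search(line)
    if m:
        sport, dport, rest = int(m.group(2)), int(m.group(4)), m.group(5)
        if 500 in (sport, dport) and "isakmp" in rest:
            return "ike-udp500"          # IKE control path before NAT detection
        if 4500 in (sport, dport):
            if rest.startswith("NONESP-encap"):
                return "ike-udp4500"     # IKE moved to 4500 after NAT was detected
            if rest.startswith("UDP-encap"):
                return "esp-udp4500"     # ESP inside UDP: the NAT-T data path
        return "other"
    m = RAW_LINE.search(line)
    if m:
        return "esp-raw" if m.group(3) == "ESP" else "ah-raw"
    return "other"


def summarize(lines) -> dict:
    """Count each path and decide whether NAT traversal is carrying the data."""
    counts = Counter(classify(line) for line in lines)
    raw = counts["esp-raw"] + counts["ah-raw"]
    return {
        "counts": dict(counts),
        "ike_seen": counts["ike-udp500"] + counts["ike-udp4500"] > 0,
        # NAT-T in use: data path runs over UDP 4500 and no raw ESP/AH appears
        "natt_in_use": counts["esp-udp4500"] > 0 and raw == 0,
        # raw ESP/AH only crosses a NAT router that forwards IP protocol 50/51
        "needs_raw_forwarding": raw > 0,
    }


# Constructed sample captures (not real traffic), using the article's example WAN addresses
NATT_CAPTURE = [
    "12:00:01.000000 IP 172.100.30.40.500 > 172.100.20.30.500: isakmp: phase 1 I ident",
    "12:00:01.050000 IP 172.100.20.30.500 > 172.100.30.40.500: isakmp: phase 1 R ident",
    "12:00:01.200000 IP 172.100.30.40.4500 > 172.100.20.30.4500: NONESP-encap: isakmp: phase 1 I ident",
    "12:00:01.250000 IP 172.100.20.30.4500 > 172.100.30.40.4500: NONESP-encap: isakmp: phase 1 R ident",
    "12:00:02.000000 IP 172.100.30.40.4500 > 172.100.20.30.4500: UDP-encap: ESP(spi=0x0000a001,seq=0x1), length 132",
    "12:00:02.010000 IP 172.100.20.30.4500 > 172.100.30.40.4500: UDP-encap: ESP(spi=0x0000b002,seq=0x1), length 132",
]
RAW_CAPTURE = NATT_CAPTURE[:2] + [
    "12:00:02.000000 IP 172.100.30.40 > 172.100.20.30: ESP(spi=0x0000a001,seq=0x1), length 132",
]

if __name__ == "__main__":
    print("NAT-T capture:", summarize(NATT_CAPTURE))
    print("raw ESP capture:", summarize(RAW_CAPTURE))
```

If the summary reports `needs_raw_forwarding` for a site that is behind NAT, NAT traversal was not negotiated; check that NAT traversal is enabled on both gateways before relying on protocol 50/51 forwarding at the NAT router.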

What Could Go Wrong?

1. If you see the [info] or [error] log messages below, check the ZyWALL/USG Phase 1 settings. Both ZyWALL/USG at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.

MONITOR > Log

2. If Phase 1 (the IKE SA) completes but you still see the [info] log message below, check the ZyWALL/USG Phase 2 settings. Both ZyWALL/USG at the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method, and PFS to establish the IPSec SA.

MONITOR > Log

3. Make sure both ZyWALL/USG at the HQ and Branch site security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.

4. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
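The checks in this section, together with the NAT router requirements above, amount to a consistency review of both gateways: Phase 1 and Phase 2 parameters must match, each site's Secure Gateway IP must be the address at which the peer is reachable, each site's Remote Policy must equal the peer's Local Policy, and the NAT router must forward ESP, AH, UDP 500 and UDP 4500. The Python script below is an added example, not Zyxel's code or part of this article, that performs that review on exported settings before the tunnel is brought up. The `Site` fields and the sample phase values are constructed assumptions modelled on the wizard fields; the addresses and subnets follow the article's example (172.100.20.30, 172.100.30.40, 10.10.10.0/24, 192.168.20.0/24).

```python
from dataclasses import dataclass

# Phase 1 fields that must match on both gateways to establish the IKE SA
PHASE1_KEYS = ("pre_shared_key", "encryption", "authentication", "dh_group", "id_type")
# Phase 2 fields that must match on both gateways to establish the IPSec SA
PHASE2_KEYS = ("protocol", "encapsulation", "encryption", "authentication", "pfs")
# Traffic a NAT router in front of a gateway must pass: ESP (50), AH (51), IKE (UDP 500), NAT-T (UDP 4500)
REQUIRED_FORWARDS = frozenset({("ip", 50), ("ip", 51), ("udp", 500), ("udp", 4500)})


@dataclass
class Site:
    name: str
    public_ip: str          # address the peer reaches this site at (the NAT router's WAN IP if behind NAT)
    secure_gateway_ip: str  # Secure Gateway IP entered in this site's wizard
    local_policy: str
    remote_policy: str
    phase1: dict
    phase2: dict
    nat_traversal: bool = True


def check_sites(a: Site, b: Site) -> list[str]:
    """Return the mismatches between two gateways; an empty list means consistent."""
    problems = []
    for label, keys, pa, pb in (("Phase 1", PHASE1_KEYS, a.phase1, b.phase1),
                                ("Phase 2", PHASE2_KEYS, a.phase2, b.phase2)):
        for key in keys:
            if pa.get(key) != pb.get(key):
                if key == "pre_shared_key":
                    # never echo the secret itself into a report
                    problems.append(f"{label} pre-shared key differs between {a.name} and {b.name}")
                else:
                    problems.append(f"{label} {key} mismatch: {a.name}={pa.get(key)!r}, {b.name}={pb.get(key)!r}")
    for x, y in ((a, b), (b, a)):
        if x.secure_gateway_ip != y.public_ip:
            problems.append(f"{x.name} Secure Gateway IP {x.secure_gateway_ip} is not {y.name}'s public address {y.public_ip}")
        if x.remote_policy != y.local_policy:
            problems.append(f"{x.name} Remote Policy {x.remote_policy} does not match {y.name} Local Policy {y.local_policy}")
        if not x.nat_traversal:
            problems.append(f"{x.name} has NAT traversal disabled")
    return problems


def check_nat_forwards(forwards) -> list[str]:
    """Report required protocols/ports the NAT router does not forward to the gateway behind it."""
    missing = REQUIRED_FORWARDS - set(forwards)
    return [f"NAT router does not forward {proto} {num} to the firewall" for proto, num in sorted(missing)]


# Constructed sample settings (placeholder values, not the wizard's actual defaults)
PHASE1 = {"pre_shared_key": "example-psk-not-real", "encryption": "AES128",
          "authentication": "SHA1", "dh_group": "DH2", "id_type": "Any"}
PHASE2 = {"protocol": "ESP", "encapsulation": "Tunnel", "encryption": "AES128",
          "authentication": "SHA1", "pfs": "None"}

HQ = Site("HQ", "172.100.20.30", "172.100.30.40", "10.10.10.0/24", "192.168.20.0/24", PHASE1, PHASE2)
BRANCH = Site("Branch", "172.100.30.40", "172.100.20.30", "192.168.20.0/24", "10.10.10.0/24", PHASE1, PHASE2)
# A Branch configured by copying the HQ step verbatim: its own address as the peer, policies reversed
BRANCH_COPIED = Site("Branch", "172.100.30.40", "172.100.30.40", "10.10.10.0/24", "192.168.20.0/24", PHASE1, PHASE2)

if __name__ == "__main__":
    for problem in check_sites(HQ, BRANCH_COPIED) + check_nat_forwards([("udp", 500), ("ip", 50)]):
        print(problem)
```

Running the script prints the three problems the copied Branch configuration produces (one Secure Gateway mismatch, two policy mismatches) and the two forwards the sample NAT router lacks; the consistent pair `HQ`/`BRANCH` produces no output.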
