In this guide, we will show you how to set up this specific scenario, using the SecuExtender ZyWall IPSec VPN Client!
Please note: All the following steps are referring only to IKEv1!
1. VPN Gateway (Phase 1):
1. Log in to the unit by entering its IP address and the credentials for an admin account (by default, the username is “admin”, the password is “1234”)
2. Add a new gateway under
Configuration > VPN > IPSec VPN > VPN Gateway
Edit the following settings:
“Show Advanced Settings”, Tick “Enable”, type in the desired name, choose the desired WAN interface as “My Address", tick Dynamic Address for multiple IPs, enter a Pre Shared key.
3. In this tutorial, we leave the Phase 1 settings like proposals by default, but please adjust them to your security preferences. Then change from “Negotiation Mode” to “Main”.
Click “OK” to apply the changes done.
VPN Connection (Phase 2):
1. Navigate to the “VPN Connection” tab and add a new connection
Configuration > VPN > IPSec VPN > VPN Connection
Edit the following settings:
“Show Advanced Settings”, Tick “Enable”, type in the desired name, Set the “Application Scenario” to “Remote Access (Server Role”) and choose the previously created VPN Gateway
2. For the “Local Policy”, choose the subnet on your USG to which the VPN clients are supposed to have access to. Choose your desired Proposals in the “Phase 2 Settings” and click “OK” (remind to secure as much as possible)
2. Configuring the ZyWall IPSec VPN client:
1. You can find the most recent client here
2. Please start the software, define the ports in the “IKE V1 Parameters” (IKE Port = 500, NAT-T-Port=4500)
3. In the “Ikev1Gateway”, type in the IP of the USGs WAN interface your VPN Gateway is listening on and enter the pre-shared key. Make sure that the proposals are matching to the ones you defined in your VPN Gateway on your USG
4. Now configure the VPN Tunnel: Leave the “VPN Client address” as 0.0.0.0 or enter an IP address, which does not match a network on the USG locally, enter the subnet address you have defined as the local policy in your USGs VPN connection and make sure the proposals are matching with the VPN connections proposals
Now you should be able to open the VPN tunnel by right-clicking the VPN tunnel at the left and choose “Open tunnel”. A green desktop notification in the bottom right corner should confirm the successfully established VPN connection.
Keep in mind that your WAN-to-ZyWall firewall rule should allow the services ESP, IKE, and NATT!
To learn more details about the VPN settings and algorithms you can visit:
To learn how to set up an L2TP connection on Windows 10, please visit:
3. Please note:
- Don´t test the VPN connection inside the same subnet as your Local Policy! This will cause routing issues.
- You can export the configuration file of the IPSec Client and provide it to different computers.
- If your VPN tunnel does not build up even though to your knowledge everything has been set up correctly, it might be that your ISP is blocking IKE (Port 500) or NAT-T (Port 4500). Please contact your ISP to clarify this.
- If there is no IPSec related traffic hitting your WAN interface, maybe the ISP is blocking ESP (Protocol 50). Please contact your ISP to clarify this.
Do you want to have a look directly on one of our test devices? Have a look here in our virtual Lab:
For more description please see the video:
+++ You can buy licenses for your Zyxel VPN clients (SSL VPN, IPsec) with immediate delivery by 1-click: Zyxel Webstore +++