Zyxel Firewall [VPN] - Configure IPSec Site-To-Site VPN on Zyxel Firewall [Stand-alone mode]

This guide will walk you through setting up a Site-to-Site (S2S) VPN between two firewalls using IKEv2 IPSec. We’ll cover both manual configuration and the use of a built-in wizard, as well as how to configure the VPN to handle multiple subnets within the same tunnel.

A branch office wants to connect securely to its headquarters over the Internet. Both sites use a Zyxel firewall (USG / ZyWALL / ATP / USG FLEX) as their Internet gateway.

Note: Before you start configuring the VPN, make sure the two sites do not use the same (or overlapping) LAN subnets. A VPN between sites with identical subnets is technically possible but awkward: when an address exists on both sides, the firewall's routing decision is ambiguous (it cannot tell whether to deliver locally or send into the tunnel), so traffic is either dropped or stays on the local network.

Wizard Method Setup VPN

The most straightforward and convenient method to establish a Site-to-Site connection is by using the built-in wizard. In the first example of this article, we will guide you through the process. Also, if you've had problems while manually configuring a VPN, you can use the wizard to set up the VPN and compare the settings for troubleshooting purposes.

HQ Site Settings (Wizard)

  • Log in to your HQ Site firewall's Web GUI and go to the Quick Setup Wizard section in the left menu. 
  • Click "VPN Setup"

You can choose between Express (a VPN with default values) and Advanced (manual selection of the cryptographic settings and so on). This article uses the "Advanced" option as its example.

  • We strongly recommend IKEv2 over IKEv1: it is more secure, establishes the connection faster, is more stable, supports mobility and handles network changes more efficiently.
  • Give an understandable name and choose Site-to-Site VPN. 
  • Click "Next"

Phase 1 Settings

  • On the next page, enter the "Secure Gateway": the WAN address of the second firewall, in this case the Branch site's WAN IP. (When you configure the second firewall, you enter this firewall's WAN IP there.)
  • Set the Phase 1 proposals as desired. For security, choose a strong pre-shared key and proposals with strong encryption and authentication, for example AES256 for encryption, SHA512 for authentication and DH group 14 for the key exchange.

Phase 2 Settings

  • Phase 2 proposals are negotiated separately from Phase 1, so they do not have to match Phase 1, but they must match the Phase 2 proposals on the peer. Using the same algorithms in both phases (AES256, SHA512) keeps the two firewalls easy to compare.
  • Local Policy and Remote Policy - these define which traffic is sent through the tunnel: the Local Policy is the LAN subnet behind this firewall, the Remote Policy is the LAN subnet behind the peer. Only traffic between these two subnets is encrypted and routed into the tunnel.

    Note: Check first that the remote subnet does not already exist on the local side. If the remote subnet overlaps with a local subnet, the firewall treats those addresses as local and you will only be able to reach the local network.
  • Once everything has been entered, click "Next", check the settings again, click "Save" and proceed to configure the second firewall.

Branch Site Settings (Wizard)

Follow exactly the same procedure on the firewall in the second office; only a few values change:

  • Gateway IP must be the WAN IP of the HQ Site device.
  • Local Policy and Remote Policy are swapped. Example (subnets as sample values):
    HQ Site
    Local Policy: 192.168.40.0/24 (HQ LAN)
    Remote Policy: 192.168.70.0/24 (Branch LAN)
    Branch Site:
    Local Policy: 192.168.70.0/24 (Branch LAN)
    Remote Policy: 192.168.40.0/24 (HQ LAN)
  • If everything has been configured correctly and the two WAN addresses can reach each other, the VPN connection is established automatically as soon as the settings are saved.

Manual Method Setup VPN

VPN Gateway - HQ Site Settings Manual

  • Log in to your HQ Site firewall's Web GUI
  • Go to Configuration -> VPN -> IPSec VPN -> VPN Gateway -> Add
  • Check the Enable checkbox
  • Give a clear name
  • Select the IKE Version

We strongly recommend IKEv2 over IKEv1: it is more secure, establishes the connection faster, is more stable, supports mobility and handles network changes more efficiently.

  • My Address (Interface) - select the WAN interface whose IP address this firewall uses as its VPN endpoint.
  • Peer Gateway Address - the WAN address of the second firewall, in this case the Branch site's WAN IP. (When you configure the second firewall, you enter this firewall's WAN IP there.)
  • Pre-Shared Key - create a strong key; you will enter the same key on the remote device.
  • Phase 1 Settings - set the Phase 1 proposals as desired. For security, choose proposals with strong encryption and authentication, for example AES256 for encryption, SHA512 for authentication and DH group 14 for the key exchange.

VPN Tunnel - HQ Site Settings Manual

Configuration > VPN > IPSec VPN > VPN Connection > Add

The first thing you need to do is create an Object for “Remote Policy” by clicking “Create New Object” and selecting “IPV4 Address.”

  • Name - enter a clear name
  • Address Type - “SUBNET”
  • Network - the local network address of the remote site
  • Netmask - subnet mask of the remote site
  • Then click "OK"

Now, we can continue to fill in the other fields. 

  • Check the Enable checkbox
  • Give a clear name
  • Select Site-To-Site VPN
  • VPN Gateway - Select the VPN Gateway created in the previous step 
  • Local Policy - the address object for this site's own LAN subnet; Remote Policy - the object you just created for the remote site's LAN subnet.
  • Phase 2 Settings - set the Phase 2 proposals as desired. Phase 2 has no password of its own; choose strong algorithms such as AES256 for encryption and SHA512 for authentication, and DH group 14 if you enable Perfect Forward Secrecy. The proposals must match those configured on the peer.
  • Click "Ok"

Now, we can start configuring the Branch site. To do so, follow the same steps as you did for the HQ site, but with some data changes. 

VPN Gateway - Branch Site Settings Manual

Configuration > VPN > IPSec VPN > VPN Gateway

Repeat the HQ Steps to configure the VPN Gateway

  • When configuring the VPN Gateway on the Firewall in the HQ site, you specified the WAN IP of your Branch site in the "Peer Gateway Address Static Address” field. Now, when configuring the Branch site, you must specify the WAN IP of your HQ site in the "Peer Gateway Address Static Address” field.
  • Pre-Shared Key - must be the same for both sites. 

VPN Tunnel - Branch Site Settings Manual

Configuration > VPN > IPSec VPN > VPN Connection

Repeat the HQ Steps to configure the VPN Tunnel

  • The difference is in the policies: on the HQ site you entered the Branch LAN in Remote Policy; on the Branch site you enter the HQ LAN in Remote Policy (and the Branch LAN in Local Policy).

Tick the "Nailed-Up" option to establish the VPN tunnel and connect automatically.

Test the result

  • Connect the VPN tunnel manually the first time. With Nailed-Up enabled, the firewall re-establishes the tunnel automatically afterwards.
  • The VPN tunnel is connected when the globe symbol next to it is green.

 

Note: Check your firewall rules to make sure the default IPSec-to-Device and IPSec-to-Any rules still exist. Without them, traffic arriving from the tunnel is blocked.

Limitation - Use several subnets

On Zyxel firewalls, a VPN connection accepts only one subnet in the Local Policy and one in the Remote Policy; you cannot select several subnets for one tunnel.

Configuration -> VPN -> IPSec VPN -> VPN Connection -> Policy

To work around this, you can configure a policy route that sends traffic from an additional subnet into the tunnel manually.

Create a policy route whose source is the additional local subnet, whose destination is the remote subnet, and whose next hop is the VPN tunnel.

Note: The remote site needs a matching policy route for the return traffic (destination = the additional subnet, next hop = the tunnel); otherwise replies follow the default route instead of the tunnel.

Troubleshooting

Common Issues and Resolutions:

  • Incorrect Pre-shared Key: Double-check the pre-shared key on both devices.
  • Incorrect Subnet Configuration: Ensure the correct local and remote subnets are configured in the VPN settings.
  • Phase 1 and Phase 2 Settings: the proposals must match on both sides; see the list below.

Key settings that must be identical on both sites

  • Authentication Method: typically a pre-shared key.
  • Encryption Algorithm: AES (128/256 bits). 3DES is still offered but is legacy; avoid it for new tunnels.
  • Hash Algorithm: SHA-256 or SHA-512. SHA-1 is legacy; avoid it for new tunnels.
  • DH Group (Diffie-Hellman Group): protects the key exchange; use Group 14 or higher. Group 2 (1024-bit) is legacy.
  • Lifetime: the SA lifetime; set the same value on both sides.
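The checks in this list, together with the overlapping-subnet warning at the start of the article, can be applied before the tunnel is first brought up. The following Python script is an added example, not Zyxel code or part of the original article: it models the values entered on the HQ and Branch firewalls (WAN and peer addresses, pre-shared key, IKE version, Phase 1/2 proposals, Local and Remote Policy) and reports the mismatches described above. The Site class, the finding codes and all addresses and keys are constructed sample values, not Zyxel setting names.

```python
"""Pre-flight consistency check for a Zyxel site-to-site IPSec tunnel.

Added example, not Zyxel code: it models the values the article asks you to
enter on the HQ and Branch firewalls and reports the mismatches listed under
Troubleshooting. All addresses, keys and names below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass, field

# Legacy algorithms and groups: reported as WEAK_PROPOSAL rather than failing.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_AUTH = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}


@dataclass
class Site:
    name: str
    wan_ip: str            # "My Address" on this firewall
    peer_gateway: str      # "Peer Gateway Address" entered on this firewall
    psk: str               # pre-shared key entered on this firewall
    ike_version: int
    phase1: tuple          # (encryption, authentication, DH group)
    phase2: tuple          # (encryption, authentication, PFS group or None)
    local_policy: str      # CIDR of the LAN placed in Local Policy
    remote_policy: str     # CIDR placed in Remote Policy
    extra_lans: list = field(default_factory=list)  # LANs outside the policy


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _is_weak(proposal):
    enc, auth, group = proposal
    return (enc.lower() in WEAK_ENCRYPTION or auth.lower() in WEAK_AUTH
            or (group is not None and group in WEAK_DH_GROUPS))


def check_pair(a, b):
    """Return (code, message) findings for the two ends of one tunnel; [] means consistent."""
    findings = []
    for here, there in ((a, b), (b, a)):
        # Each side's peer gateway must be the other side's WAN address.
        if here.peer_gateway != there.wan_ip:
            findings.append(("PEER_GATEWAY", f"{here.name}: peer gateway "
                             f"{here.peer_gateway} is not {there.name}'s WAN {there.wan_ip}"))
        # Local Policy on one side must be the Remote Policy on the other.
        if _net(here.local_policy) != _net(there.remote_policy):
            findings.append(("POLICY_MIRROR", f"{here.name} Local Policy {here.local_policy} "
                             f"!= {there.name} Remote Policy {there.remote_policy}"))
        # One policy pair carries one subnet; anything else needs policy routes.
        for lan in here.extra_lans:
            findings.append(("POLICY_ROUTE", f"{lan} behind {here.name} is outside the policy: "
                             f"add a policy route on {here.name} and a return route on {there.name}"))
    if a.psk != b.psk:
        findings.append(("PSK_MISMATCH", "pre-shared keys differ"))
    if a.ike_version != b.ike_version:
        findings.append(("IKE_VERSION", f"IKEv{a.ike_version} on {a.name}, IKEv{b.ike_version} on {b.name}"))
    elif a.ike_version == 1:
        findings.append(("IKEV1", "both sides use IKEv1; prefer IKEv2"))
    for phase, pa, pb in (("Phase 1", a.phase1, b.phase1), ("Phase 2", a.phase2, b.phase2)):
        if pa != pb:
            findings.append(("PROPOSAL_MISMATCH", f"{phase}: {pa} on {a.name}, {pb} on {b.name}"))
        if _is_weak(pa) or _is_weak(pb):
            findings.append(("WEAK_PROPOSAL", f"{phase} uses a legacy algorithm or DH group"))
    # Overlapping LANs: the firewall cannot tell which side owns an address.
    if _net(a.local_policy).overlaps(_net(b.local_policy)):
        findings.append(("SUBNET_OVERLAP", f"{a.local_policy} and {b.local_policy} overlap"))
    return findings


# Constructed sample pair that mirrors the article's HQ/Branch layout.
HQ = Site("HQ", "203.0.113.10", "198.51.100.20", "correct-horse-battery", 2,
          ("aes256", "sha512", 14), ("aes256", "sha512", 14),
          "192.168.40.0/24", "192.168.70.0/24")
BRANCH = Site("Branch", "198.51.100.20", "203.0.113.10", "correct-horse-battery", 2,
              ("aes256", "sha512", 14), ("aes256", "sha512", 14),
              "192.168.70.0/24", "192.168.40.0/24")
# Constructed broken Branch: PSK typo, HQ policies copied without swapping,
# IKEv1 with 3DES/SHA1/DH2, and PFS left off in Phase 2.
BROKEN_BRANCH = Site("Branch", "198.51.100.20", "203.0.113.10", "correct-horse-batery", 1,
                     ("3des", "sha1", 2), ("aes256", "sha512", None),
                     "192.168.40.0/24", "192.168.70.0/24")

if __name__ == "__main__":
    for pair in ((HQ, BRANCH), (HQ, BROKEN_BRANCH)):
        print(f"--- {pair[0].name} <-> {pair[1].name}")
        for code, msg in check_pair(*pair) or [("OK", "configuration is consistent")]:
            print(f"{code:18} {msg}")
```

Running the script prints no findings for the consistent pair and a list for the broken Branch configuration: the pre-shared key typo, the Local/Remote policies copied from HQ without swapping (which also trips the overlap check), the IKE version mismatch, and the legacy IKEv1 proposal. Any subnets listed in extra_lans produce POLICY_ROUTE findings, matching the policy-route workaround described above.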

For more detailed instructions on troubleshooting, see the link:

Zyxel Firewall [VPN] - Troubleshoot Site-to-Site VPN [Stand-alone mode]
 

 
