
VPN Setup with Zyxel USG devices – Zyxel router and client VPN configuration

This is going to be a very bare-bones post. My goal is to get right to the required details without much elaboration.

Please keep in mind that setting up a working VPN configuration is typically a process, and every vendor names and handles things differently. These settings may not be the most secure options for a VPN setup, but they will work. Start with a working configuration first! Then, if you wish, alter only one parameter at a time, making sure it matches at both ends (Zyxel USG router/firewall and VPN client). Do your research and understand what you are changing and why.

To begin, you will need a working network setup behind a Zyxel USG router/firewall with VPN functionality, and either – for Windows client workstations, the Zyxel VPN client software – or IPSecuritas for Mac OS (note that I won’t cover the config of IPSecuritas specifically here but it should be very easy to translate).
See http://www.lobotomo.com/products/IPSecuritas/
If you do use IPSecuritas, please make sure to make a donation to the developer!

The Zyxel client VPN software can be purchased online from Amazon or Provantage, http://www.provantage.com/zyxel-zywallvpn~7ZYX903K.htm

One vital thing to keep in mind is that if your IP schema (LAN IP address type and range) at home, or at any cafe or office you visit, matches that of the main office you want to connect to, the VPN connection will not work.
This is VPN 101 material: your remote IP address schema must not match that of the network you wish to make a VPN connection to.
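A quick way to test a client location for this conflict before you even open the VPN client, as an added example that is not part of the original post: the office subnet and the candidate remote LANs below are constructed sample values, and the check uses Python's standard ipaddress module. Any overlap (the same subnet, or one range contained in the other) is reported, not just an exact match, because either way the client already has a directly connected route for part of the remote range and that traffic will never enter the tunnel.

```python
import ipaddress

# Constructed sample value (not from the original post): the office LAN behind
# the USG, i.e. the range the VPN's Local Policy (LAN1_SUBNET) covers.
OFFICE_LAN = "192.168.12.0/24"


def overlaps(remote_lan, office_lan=OFFICE_LAN):
    """Return True when the client's current LAN overlaps the office LAN.

    strict=False lets you pass a host address with its prefix length
    (e.g. the client's own DHCP lease, 192.168.12.37/24) rather than
    having to work out the network address first.
    """
    remote = ipaddress.ip_network(remote_lan, strict=False)
    office = ipaddress.ip_network(office_lan, strict=False)
    return remote.overlaps(office)


def check_remote_lans(candidates, office_lan=OFFICE_LAN):
    """Map each candidate remote LAN to 'ok' or 'conflict'."""
    return {lan: ("conflict" if overlaps(lan, office_lan) else "ok")
            for lan in candidates}


if __name__ == "__main__":
    # Constructed examples of networks a roaming client might be sitting on.
    candidates = [
        "192.168.1.0/24",    # typical home router default: fine
        "192.168.12.0/24",   # identical to the office LAN: conflict
        "192.168.12.37/24",  # a client lease inside that same LAN: conflict
        "192.168.0.0/16",    # a larger range that contains the office LAN: conflict
        "10.0.5.0/24",       # unrelated range: fine
    ]
    for lan, verdict in check_remote_lans(candidates).items():
        print(f"{lan:18} {verdict}")
```

If the verdict is "conflict", the fix is on the remote side (change the home or cafe router's LAN range, if you control it); nothing in the USG or client configuration can route around an address clash.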

Zyxel USG configuration:
Connect to your Zyxel as usual (https://ip.ofyour.zyxel)
Navigate to:
Configuration, Object, Address

Create an address for your local subnet, name it: LAN1_SUBNET
Address Type: INTERFACE SUBNET
Interface: lan1

Create Address Object
Name: RemoteDynamicClient
Address Type: HOST
IP Address: 0.0.0.0

Now navigate to VPN, IPSec VPN:
VPN Gateway, choose Add
Click “Show Advanced Settings”

Enable (checkbox),
VPN Gateway Name: Dynamic_Tunnel
My Address, Interface: wan1

Peer Gateway Address:
Dynamic Address

Authentication:
Pre-Shared key. You need to make this LONG and complex.
Record it securely.

Phase 1 Settings:
SA Lifetime 86400
Negotiation Mode: Main
Proposal
Encryption: 3DES, Authentication SHA1
Key Group: DH1

Enable (checkbox) NAT Traversal & Dead Peer Detection
Note that Extended Authentication does work but move on to that only after you have the rest working.
Click OK.

Go to the “VPN Connection” tab to the left.
If it isn't already enabled, enable "Use Policy Route to control dynamic IPSec rules".
Click Add.
Click Show Advanced Settings.
Enable (checkbox)
Connection Name: Dynamic
VPN Gateway: Site-to-site with Dynamic Peer
VPN Gateway (select): Dynamic_Tunnel (you just set this up in the steps above)

Policy:
Local Policy: LAN1_SUBNET
*Remote Policy: RemoteDynamicClient

Phase 2 Setting:
SA Lifetime: 86400
Active Protocol: Esp
Encapsulation: Tunnel
Proposal:
Encryption 3DES, Authentication SHA1

Leave the rest untouched.

Firewall
Create new rule at the top
From any to Zywall
Source Any Destination Any
Service L2TP-VPN
Allow
If you want to debug your VPN enable logging, but otherwise there’s no need.

Add rule:
IPSec_VPN to any (Excluding Zywall)
source any, destination any, allow

With a USG 20 (but not a 100), under Routing, add a Policy Route:
Incoming: L2TP_VPN, Source: any, Destination: LAN1_SUBNET
Next-hop: auto, SNAT: outgoing interface

Zyxel VPN Client configuration:
Install the Zyxel VPN client, a reboot will be required.
You might like to customize your taskbar to always show the Zyxel VPN icon.

Right-click where it says “VPN Configuration” on the left and choose Wizard.
Choose “A router or a VPN gateway”
Enter the external static IP of your Zyxel in question, or FQDN if appropriately configured.
Enter the PSK (pre-shared key) you set up previously and safely recorded 🙂
Enter the IP private (internal) address of the remote network. This should match the IP schema for your main office that you are connecting to.
NB: Don't try to choose a specific IP; just enter 0 for the final octet/number, i.e.:
192.168.12.0

Click Finish.
Now click on the listed “Gateway” on the left.
In the Authentication tab under IKE, change the settings to match those you set up under “Phase 1” on your Zyxel:
Click Apply at the upper-left.

Now click on “Tunnel” at the left (listed just underneath Gateway).
Under Addresses, correct the Subnet mask for your Remote LAN address setup.
Under ESP, don't change anything, but confirm the settings match your Phase 2 settings on your Zyxel (they will by default).
PFS: Change to DH1
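Because the whole post hinges on the two ends agreeing parameter for parameter, here is an added example (not part of the original post, and not Zyxel's configuration format) that writes down the Phase 1, Phase 2 and PFS settings for the USG and for the client as plain dictionaries and reports any setting that differs. The dictionary keys and values are this example's own naming; the USG "pfs" value is assumed to be DH1 to match the client setting above. The client copy deliberately has its Phase 2 lifetime set to 3600 so the checker has something to catch, which is exactly the kind of one-parameter discrepancy that produces a tunnel that negotiates Phase 1 and then silently fails. The second function lists the algorithms in the working configuration that are legacy choices (3DES, SHA1, DH group 1), the ones the post itself says are not the most secure options, so you know which parameters to revisit one at a time once the tunnel is up.

```python
# Constructed representation of the settings the post has you enter on the USG.
# Keys and value spellings are this example's own, not Zyxel's schema.
USG = {
    "phase1": {"encryption": "3DES", "authentication": "SHA1",
               "dh_group": "DH1", "lifetime": 86400, "mode": "Main"},
    "phase2": {"encryption": "3DES", "authentication": "SHA1",
               "protocol": "ESP", "encapsulation": "Tunnel",
               "lifetime": 86400, "pfs": "DH1"},   # pfs assumed: DH1, to match the client
}

# Constructed client-side settings, spelled the way the client UI tends to show
# them, with one deliberate mistake: a Phase 2 lifetime that was never changed.
CLIENT = {
    "phase1": {"encryption": "3des", "authentication": "sha1",
               "dh_group": "dh1", "lifetime": 86400, "mode": "main"},
    "phase2": {"encryption": "3des", "authentication": "sha1",
               "protocol": "Esp", "encapsulation": "tunnel",
               "lifetime": 3600, "pfs": "DH1"},
}

# Algorithms that still negotiate but that a current deployment should migrate
# away from once a working baseline exists.
LEGACY = {"DES", "3DES", "MD5", "SHA1", "DH1"}


def _norm(value):
    """Compare case-insensitively; vendors spell 'Esp' / 'ESP' / 'esp' differently."""
    return None if value is None else str(value).upper()


def compare_ends(gateway, client):
    """Return (phase, setting, gateway_value, client_value) for every setting
    that differs between the two ends, including settings present on one end only."""
    mismatches = []
    for phase in sorted(set(gateway) | set(client)):
        g_settings = gateway.get(phase, {})
        c_settings = client.get(phase, {})
        for key in sorted(set(g_settings) | set(c_settings)):
            g_val, c_val = g_settings.get(key), c_settings.get(key)
            if _norm(g_val) != _norm(c_val):
                mismatches.append((phase, key, g_val, c_val))
    return mismatches


def legacy_algorithms(config):
    """Return (phase, setting, value) for each legacy algorithm in a configuration."""
    return [(phase, key, value)
            for phase, settings in config.items()
            for key, value in settings.items()
            if _norm(value) in LEGACY]


if __name__ == "__main__":
    for phase, key, g_val, c_val in compare_ends(USG, CLIENT):
        print(f"MISMATCH {phase}.{key}: USG={g_val!r} client={c_val!r}")
    for phase, key, value in legacy_algorithms(USG):
        print(f"LEGACY   {phase}.{key}={value} (revisit once the tunnel works)")
```

Run against the two constructed configurations this prints a single mismatch, the Phase 2 lifetime, plus six legacy entries. Fix the mismatch, rerun until the first loop prints nothing, and only then start changing one of the legacy values at a time on both ends.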

Optionally, click on the Advanced tab, and under Alternate servers,
enter the IP address of your (primary) internal DNS server at the main office you'll be connecting to via VPN.

Click Apply at the upper-left.

Right-click the Zyxel VPN icon and choose connect.
It works! Or it should, based on the supplied info.