This is going to be a very bare-bones post. My goal is to get right to the required details without much elaboration.
Please keep in mind that setting up a working VPN configuration is typically a process, and every vendor names and handles things differently. These settings may not be the most secure options for a VPN setup, but they will work. Start with a working configuration first! Then, if you wish, alter only one parameter at a time, making sure the settings match at both ends (Zyxel USG router/firewall and VPN client). Do your research and understand what you are changing and why.
To begin, you will need a working network setup behind a Zyxel USG router/firewall with VPN functionality, and either – for Windows client workstations, the Zyxel VPN client software – or IPSecuritas for Mac OS (note that I won’t cover the config of IPSecuritas specifically here but it should be very easy to translate).
If you do use IPSecuritas please make sure to make a donation to the
The Zyxel client VPN software can be purchased online from Amazon or Provantage, http://www.provantage.com/zyxel-zywallvpn~7ZYX903K.htm
One vital thing to keep in mind is that if your IP schema (LAN IP address type and range) at home – or at any cafe or office you visit – matches that of the main office you want to connect to, the VPN connection will not work.
This is VPN 101 material: Your remote IP address schema must not match that of the network you wish to make a VPN connection to.
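A quick pre-flight check for the rule just stated, added here as an example and not part of the original post: before dialling the tunnel, confirm that the subnet you are sitting on does not overlap the subnet behind the Zyxel. The check goes a little beyond the text by also catching the partial-overlap case (for example a remote /16 that swallows the office /24), which breaks routing just as surely as an exact match. The sample subnets are constructed for illustration.

```python
import ipaddress


def subnets_overlap(local_cidr: str, remote_cidr: str) -> bool:
    """Return True if the two IPv4 networks share any address.

    strict=False lets a caller pass a host address such as 192.168.1.37/24;
    ipaddress masks it down to the network address for us.
    """
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    return local.overlaps(remote)


def vpn_preflight(local_cidr: str, remote_cidr: str) -> str:
    """Human-readable verdict for the 'VPN 101' rule from the post.

    Returns "ok" when the tunnel can be attempted, otherwise a message
    naming the clash so the user knows which side to renumber.
    """
    if subnets_overlap(local_cidr, remote_cidr):
        local = ipaddress.ip_network(local_cidr, strict=False)
        remote = ipaddress.ip_network(remote_cidr, strict=False)
        return (f"clash: local {local} overlaps remote {remote}; "
                "renumber the local LAN before connecting")
    return "ok"


if __name__ == "__main__":
    # Constructed sample pairs: a home LAN vs. the office LAN.
    for home, office in [("192.168.1.37/24", "192.168.1.0/24"),   # exact match
                         ("192.168.0.0/16", "192.168.1.0/24"),    # supernet clash
                         ("10.10.10.0/24", "192.168.1.0/24")]:    # fine
        print(home, "->", office, ":", vpn_preflight(home, office))
```

Run it from the remote location with your current LAN and the office LAN; anything other than "ok" means the tunnel will come up but traffic will never leave the local segment.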
Zyxel USG configuration:
Connect to your Zyxel as usual (https://ip.ofyour.zyxel)
Configuration, Object, Address
Create an address for your local subnet, name it: LAN1_SUBNET
Address Type: INTERFACE SUBNET
Create a second Address Object for the dynamic remote client (referenced later as RemoteDynamicClient)
Address Type: HOST
IP Address: 0.0.0.0
Now navigate to VPN, IPSec VPN:
VPN Gateway, choose Add
Click “Show Advanced Settings”
VPN Gateway Name: Dynamic_Tunnel
My Address, Interface: wan1
Peer Gateway Address:
Pre-Shared Key: you need to make this LONG and complex.
Record it securely.
Phase 1 Settings:
SA Lifetime 86400
Negotiation Mode: Main
Encryption: 3DES, Authentication: SHA1
Key Group: DH1
Enable (checkbox) NAT Traversal and Dead Peer Detection
Note that Extended Authentication does work but move on to that only after you have the rest working.
Go to the “VPN Connection” tab to the left.
If it isn’t already enabled, enable “Use Policy Route to control dynamic IPSec rules”
Click Show Advanced Settings.
Connection Name: Dynamic
VPN Gateway: Site-to-site with Dynamic Peer
VPN Gateway (select): Dynamic_Tunnel (you just set this up in the steps above)
Local Policy: LAN1_SUBNET
*Remote Policy: RemoteDynamicClient
Phase 2 Setting:
SA Lifetime: 86400
Active Protocol: ESP
Encryption: 3DES, Authentication: SHA1
Leave the rest untouched.
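The post stresses twice that Phase 1 and Phase 2 settings must match at both ends and that you should change one parameter at a time. The following added example (not part of the original post, and not Zyxel's own tooling) models the gateway and client proposals as plain dictionaries, reports exactly which fields differ, flags the legacy algorithms the post itself describes as "not the most secure", and generates a pre-shared key of the length the post asks for. The client proposal values below are constructed for illustration; the gateway values are those given in the post.

```python
import secrets

# Gateway-side proposals exactly as configured in the post.
GATEWAY_PHASE1 = {"negotiation_mode": "Main", "encryption": "3DES",
                  "authentication": "SHA1", "key_group": "DH1",
                  "sa_lifetime": 86400}
GATEWAY_PHASE2 = {"active_protocol": "ESP", "encryption": "3DES",
                  "authentication": "SHA1", "pfs": "DH1",
                  "sa_lifetime": 86400}

# Algorithms that still negotiate but are legacy choices; the post says to
# change these only one at a time, and only after the tunnel works.
LEGACY = {"3DES", "SHA1", "DH1"}


def mismatches(gateway: dict, client: dict) -> list:
    """Names of fields whose value differs between the two ends.

    A field missing on the client side counts as a mismatch, because the
    tunnel will fail to negotiate just as if the value were wrong.
    """
    return sorted(k for k in gateway if gateway[k] != client.get(k))


def legacy_settings(proposal: dict) -> list:
    """Values in a proposal that are on the LEGACY list (sorted, no dupes)."""
    return sorted({v for v in proposal.values() if str(v) in LEGACY})


def generate_psk(nbytes: int = 32) -> str:
    """A random pre-shared key from the OS CSPRNG.

    32 random bytes encode to 43 URL-safe characters, comfortably past
    what the post means by 'LONG and complex'. Record it securely.
    """
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed client proposal with one deliberate slip (SHA256 vs SHA1)
    # to show what a single changed parameter looks like in the report.
    client_phase1 = dict(GATEWAY_PHASE1, authentication="SHA256")
    client_phase2 = dict(GATEWAY_PHASE2)
    print("Phase 1 mismatches:", mismatches(GATEWAY_PHASE1, client_phase1))
    print("Phase 2 mismatches:", mismatches(GATEWAY_PHASE2, client_phase2))
    print("Legacy choices in use:", legacy_settings(GATEWAY_PHASE1))
    print("Suggested PSK:", generate_psk())
```

When both mismatch lists are empty the two ends are at least consistent, which is the "working configuration first" baseline; afterwards, change one entry on both sides, re-run, and confirm the lists stay empty.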
Create a new rule at the top:
From: any, To: ZyWALL
Source: Any, Destination: Any
If you want to debug your VPN, enable logging; otherwise there’s no need.
Create a second rule:
From: IPSec_VPN, To: any (Excluding ZyWALL)
Source: any, Destination: any, Action: allow
With a USG 20 (but not a 100), add a Policy Route:
Incoming: L2TP_VPN, Source: any, Destination: LAN1_SUBNET
Next-Hop: auto, SNAT: outgoing interface
Zyxel VPN Client configuration:
Install the Zyxel VPN client; a reboot will be required.
You might like to customize your taskbar to always show the Zyxel VPN icon.
Right-click where it says “VPN Configuration” on the left and choose Wizard.
Choose “A router or a VPN gateway”
Enter the external static IP of your Zyxel in question, or FQDN if appropriately configured.
Enter the PSK (pre-shared key) you set up previously and safely recorded 🙂
Enter the IP private (internal) address of the remote network. This should match the IP schema for your main office that you are connecting to.
NB: Don’t try to choose a specific IP, just enter 0 for the final octet/number, i.e.:
Now click on the listed “Gateway” on the left.
In the Authentication tab under IKE, change the settings to match those you set up under “Phase 1” on your Zyxel:
Click Apply at the upper-left.
Now click on “Tunnel” at the left (listed just underneath Gateway).
Under Addresses, correct the Subnet mask for your Remote LAN address setup.
Under ESP, don’t change anything but confirm they match your Phase 2 settings on your Zyxel – they will by default.
PFS: Change to DH1
Optionally, click on the Advanced tab, and under Alternate servers,
enter the IP address of your (primary) internal DNS server at the main office you’ll be connecting to via VPN.
Click Apply at the upper-left.
Right-click the Zyxel VPN icon and choose connect.
It works! Or it should, based on the supplied info.