ZyXEL Communications ZyWALL 110 Handbook & Instructions page 114


2. If the Phase 1 IKE SA process completes but you still get the [info] log message below, check the ZyWALL/USG Phase 2 settings. The ZyWALL/USG at both the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA.

   MONITOR > Log

3. Make sure the security policies on the ZyWALL/USG at both the HQ and Branch sites allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.

4. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.

5. Make sure the ZyWALL/USG at both the HQ and Branch sites use static IP addresses, because the VPN Tunnel Interface does not support a dynamic peer.

6. Make sure policy routes are configured to control traffic between the HQ and Branch subnets through the VTI.

7. Make sure the IP address of the VTI at the Branch is in the same subnet as vti1 on HQ. For example, the IP address and subnet mask of vti1 on HQ are 10.10.10.10 and 255.255.255.0 respectively. The IP address of vti1 on the Branch must be in the subnet 10.10.10.0/24; the IP address and subnet mask of vti2 on HQ are 10.10.11.10 and 255.255.255.0 respectively. The IP address of vti2 on
www.zyxel.com
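The checks in steps 2, 3, 4, 5 and 7 can be run against both sites' settings before the tunnel is brought up. The following is an added example, not part of the ZyXEL handbook: the dictionary layout, field names and all sample values are assumptions made for illustration, except the HQ vti1 address and mask, which come from step 7.

```python
import ipaddress

PHASE2_FIELDS = ("protocol", "encapsulation", "encryption", "authentication", "pfs")
REQUIRED_TRAFFIC = {"udp/500", "ip-proto/50", "ip-proto/51"}  # IKE, ESP, AH

def preflight(hq, branch):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Step 2: the Phase 2 settings must be identical on both sites.
    for field in PHASE2_FIELDS:
        if hq["phase2"][field] != branch["phase2"][field]:
            findings.append(f"phase2 {field} mismatch: "
                            f"{hq['phase2'][field]} vs {branch['phase2'][field]}")
    for name, site in (("HQ", hq), ("Branch", branch)):
        # Step 3: security policies must allow IKE, ESP and AH.
        missing = REQUIRED_TRAFFIC - set(site["allowed_traffic"])
        if missing:
            findings.append(f"{name} policy blocks {sorted(missing)}")
        # Step 4: NAT traversal must be enabled at both ends.
        if not site["nat_traversal"]:
            findings.append(f"{name} NAT traversal disabled")
        # Step 5: the VPN Tunnel Interface does not support a dynamic peer.
        if not site["static_wan_ip"]:
            findings.append(f"{name} WAN address is not static")
    # Step 7: the Branch VTI address must sit in the HQ VTI's subnet.
    for vti, (hq_ip, mask) in hq["vti"].items():
        net = ipaddress.ip_network(f"{hq_ip}/{mask}", strict=False)
        peer = branch["vti"].get(vti)
        if peer is None:
            findings.append(f"{vti}: no matching interface on Branch")
        elif ipaddress.ip_address(peer[0]) not in net:
            findings.append(f"{vti}: Branch {peer[0]} is outside {net}")
    return findings

# Constructed sample data; only the HQ vti1 address and mask are from the page.
P2 = {"protocol": "ESP", "encapsulation": "Tunnel", "encryption": "AES256",
      "authentication": "SHA256", "pfs": "DH14"}
POLICY = ["udp/500", "ip-proto/50", "ip-proto/51"]
HQ = {"phase2": P2, "allowed_traffic": POLICY, "nat_traversal": True,
      "static_wan_ip": True, "vti": {"vti1": ("10.10.10.10", "255.255.255.0")}}
GOOD_BRANCH = dict(HQ, vti={"vti1": ("10.10.10.11", "255.255.255.0")})
BAD_BRANCH = dict(GOOD_BRANCH, phase2=dict(P2, pfs="none"),
                  allowed_traffic=["udp/500"],
                  vti={"vti1": ("10.10.20.11", "255.255.255.0")})

if __name__ == "__main__":
    for label, branch in (("good", GOOD_BRANCH), ("bad", BAD_BRANCH)):
        print(label, preflight(HQ, branch) or "all checks passed")
```

Step 6 (policy routes through the VTI) is not covered here and still has to be verified on each device.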