ZyXEL Communications ZyWALL 110 Handbook

Security Firewalls, ZyWALL/USG Series

ZyWALL/USG Series
ZyWALL 110 / 310 / 1100
USG20-VPN / USG20W-VPN / USG40 / USG40W / USG60 / USG60W / USG110 / USG210 / USG310 / USG1100 / USG1900 / USG2200-VPN
Security Firewalls
Firmware Version 4.25
Edition 2, 4/2017
Handbook

Default Login Details
LAN Port IP Address: https://192.168.1.1
User Name: admin
Password: 1234

www.zyxel.com


Summary of Contents for ZyXEL Communications ZyWALL 110

  • Page 2: Table Of Contents

    © 2017 ZyXEL Communications Corporation. Table of Contents: How to Configure Site-to-site IPSec VPN with Amazon VPC (p. 17); Set Up the IPSec VPN Tunnel on the Amazon VPC (p. 18); Set Up the IPSec VPN Tunnel on the ZyWALL/USG (p. 22); Test the IPSec VPN Tunnel ...
  • Page 3 (Branch has a Dynamic IP Address) (p. 77); Test the IPSec VPN Tunnel (p. 81); What Could Go Wrong? (p. 82); How to Configure IPSec Site to Site VPN while one Site is behind a NAT router (p. 84); Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ) ...
  • Page 4 Spoke_Branch_A (p. 143); Spoke_Branch_B (p. 147); Test the IPSec VPN Tunnel (p. 151); What Could Go Wrong? (p. 153); How to Configure IPSec VPN with ZyWALL IPSec VPN Client (p. 156); Set Up the ZyWALL/USG IPSec VPN Tunnel (p. 157); Set Up the ZyWALL IPSec VPN Client ...
  • Page 5 (Branch) (p. 233); Set up the WAN Trunk (ZyWALL/USG_HQ) (p. 237); Set up the Failover Command Line (ZyWALL/USG HQ) (p. 238); Test the IPSec VPN Tunnel (p. 240); What Could Go Wrong? (p. 241); How to Configure L2TP over IPSec VPN while the ZyWALL/USG is behind a NAT router ...
  • Page 6 Export a Certificate from ZyWALL/USG and Import it to iOS Mobile Phone (p. 304); Set Up the L2TP VPN Tunnel on the iOS Mobile Device (p. 305); Test the L2TP over IPSec VPN Tunnel (p. 308); What Could Go Wrong? (p. 309); How to Import ZyWALL/USG Certificate for L2TP over IPsec in Android mobile phone ...
  • Page 7 Set Up the SSL VPN Tunnel on the ZyWALL/USG (p. 355); Set Up the SSL VPN Tunnel on the Apple MAC OS X 10.10 Operating System (p. 360); Test the SSL VPN Tunnel (p. 364); What Could Go Wrong? (p. 367); How To Configure SSL VPN for Remote Access Mobile Devices ...
  • Page 8 How to block HTTPS websites by Domain Filter without applying SSL Inspection (p. 414); Set Up the Content Filter on the ZyWALL/USG (p. 415); Set Up the Security Policy on the ZyWALL/USG (p. 417); Set Up the System Policy on the ZyWALL/USG (p. 417); Test the Result ...
  • Page 9 Set Up the ZyWALL/USG Email Daily Report Setting (p. 449); Test the Daily Log Report (p. 450); What Could Go Wrong? (p. 451); How to Setup and Configure Email Logs (p. 452); Set Up the ZyWALL/USG Email Logs Setting (p. 452); Test the Email Log ...
  • Page 10 Test (p. 495); How to Perform and Use the Packet Capture Feature on the ZyWALL/USG (p. 496); Set Up the Packet Capture Feature (p. 497); Check the Capture Files (p. 499); How to Automatically Reboot the ZyWALL/USG by Schedule (p. 501); Set Up the Shell Script ...
  • Page 11 Set Up the Security Policy on the ZyWALL/USG for Executives (p. 533); Test the Result (p. 536); What Could Go Wrong? (p. 537); How To Detect and Prevent TCP Port Scanning with ADP (p. 538); Set Up the ADP Profile on the ZyWALL/USG (p. 539); Test the Result ...
  • Page 12 Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System (p. 576); Test the Result (p. 581); What Could Go Wrong? (p. 582); How To Block the Spotify Music Streaming Service (p. 583); Set Up IDP Profile on the ZyWALL/USG (p. 584); Test the Result ...
  • Page 13 Set Up the Bandwidth Management for BitTorrent on the ZyWALL/USG (p. 614); Set Up the Bandwidth Management Global Setting on the ZyWALL/USG (p. 616); Test the Result (p. 616); What Could Go Wrong? (p. 617); How to Configure a Trunk for WAN Load Balancing with a Static or Dynamic IP Address ...
  • Page 14 Upload the Configuration Files from the ZyWALL/USG (p. 639); What Could Go Wrong? (p. 640); How to Manage ZyWALL/USG Firmware (p. 641); Download the Current Firmware Version from ZyXEL.com (p. 642); Upload the Firmware on the ZyWALL/USG (p. 643); What Could Go Wrong? ...
  • Page 15 Set Up the Security Policy on the ZyWALL/USG (p. 675); Test the Result (p. 676); What Could Go Wrong? (p. 677); How to Set Up a WiFi Network with ZyXEL APs (p. 678); Set Up the AP Management on the ZyWALL/USG (p. 679); Test the Result ...
  • Page 16 How to Set Up an IPv6 6to4 Tunnel (p. 716); Set Up the LAN IPv6 Interface on the ZyWALL/USG (p. 717); Set Up the 6to4 Tunnel on the ZyWALL/USG (p. 718); Test the Result (p. 719); What Could Go Wrong? (p. 720); How to Set Up an IPv6-in-IPv4 Tunnel ...
  • Page 17: How To Configure Site-To-Site Ipsec Vpn With Amazon Vpc

    How to Configure Site-to-site IPSec VPN with Amazon VPC. This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and an Amazon VPC. It explains how to configure the VPN tunnel at each site; once the tunnel is up, each site can reach the other securely.
  • Page 18: Set Up The Ipsec Vpn Tunnel On The Amazon Vpc

    Set Up the IPSec VPN Tunnel on the Amazon VPC. Sign in to the Amazon AWS Management Console and go to Networking > VPC. Amazon AWS Management Console > Networking > VPC In the upper left of the screen, click Start VPC Wizard. Amazon VPC Management Console >...
  • Page 19 Select a VPC Configuration > VPC with a Private Subnet Only and Hardware VPN Access. Under VPC with a Private Subnet Only and Hardware VPN, add your IP CIDR block and private subnet. Click Next. VPC with a Private Subnet Only and Hardware VPN
  • Page 20 Configure your VPN: enter your ZyWALL/USG public IP address as the Customer Gateway IP, then name the Customer Gateway and the VPN Connection. Click Create VPC at the bottom of the blade. Configure your VPN In the VPC Dashboard, go to VPN Connections and select Download Configuration from the upper bar.
  • Page 21 VPC Dashboard > VPN Connections Open the downloaded configuration .txt file; it lists the IKE SA, IPSec SA and Gateway IP address settings for the connection. Make sure all of these match the ZyWALL/USG's settings. Configuration .txt file
  • Page 22: Set Up The Ipsec Vpn Tunnel On The Zywall/Usg

    Set Up the IPSec VPN Tunnel on the ZyWALL/USG. In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the Amazon VPC. Click Next. Quick Setup >...
  • Page 23 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Then configure the Secure Gateway IP as the peer Amazon VPC's Gateway IP address (in the example, 52.39.135.203) and set My Address to the interface connected to the Internet. Set the Negotiation, Encryption, Authentication, Key Group and SA Life Time to values which Amazon VPC supports.
  • Page 24 Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the Amazon VPC. Click OK. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 2 Setting) This screen provides a read-only summary of the VPN tunnel.
  • Page 25 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 settings appear in the VPN >...
  • Page 26: Test The Ipsec Vpn Tunnel

    Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed Test the IPSec VPN Tunnel. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon lights up when the tunnel is connected.
  • Page 27: What Could Go Wrong

    Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound (Bytes)/Outbound (Bytes) traffic counters. MONITOR > VPN Monitor > IPSec To test whether the tunnel is working, ping from a host on the local LAN to a host in the AWS VPC private subnet.
  • Page 28 If Phase 1 (the IKE SA) completes but you still get the [info] log message below, check the ZyWALL/USG Phase 2 settings. Make sure every ZyWALL/USG Phase 2 setting is on the list of Phase 2 parameters Amazon VPC supports. MONITOR >...
  • Page 29: How To Configure Site-To-Site Ipsec Vpn With Microsoft (Ms) Azure

    How to Configure Site-to-site IPSec VPN with Microsoft (MS) Azure. This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and Microsoft (MS) Azure. It explains how to configure the VPN tunnel at each site; once the tunnel is up, each site can reach the other securely.
  • Page 30: Set Up The Ipsec Vpn Tunnel On The Zywall/Usg

    Set Up the IPSec VPN Tunnel on the ZyWALL/USG. In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with MS Azure. Click Next.
  • Page 31 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; the value is case-sensitive. Select Site-to-site as the rule type. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Then configure the Secure Gateway IP as the peer MS Azure gateway's IP address (in the example, 13.75.42.148);...
  • Page 32 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 1 Setting) Note: For more information about the IPsec parameters MS Azure supports, see the Microsoft Azure documentation "About VPN devices for Site-to-Site VPN Gateway connections".
  • Page 33 Continue to the Phase 2 settings and select the Encapsulation, Encryption, Authentication and SA Life Time values which MS Azure supports. Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to MS Azure.
  • Page 34 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN >...
  • Page 36: Set Up The Ipsec Vpn Tunnel On The Ms Azure

    Set Up the IPSec VPN Tunnel on MS Azure. Sign in to the Azure Management Portal. In the upper left corner of the screen, click +New > Networking > Virtual Network. Azure portal > New > Networking > Virtual Network Near the bottom of the Virtual Network blade, select Resource Manager from the Select a deployment model list, then click Create.
  • Page 37 On the Create virtual network page, enter the NAME for the VPN network, for example VPN_Vnet_to_USG. Add your Address space, Subnet name and a single Subnet address range. Click Resource group and either select an existing resource group or create a new one by typing a name for it.
  • Page 38 New > Networking > Virtual Network > Create virtual network In the portal, navigate to the virtual network you just created. On the blade for your virtual network, click the Settings icon at the top of the blade to expand the Settings blade to Subnets >...
  • Page 40 In the portal, go to New, then Networking, and select Virtual network gateway from the list. On the Create virtual network gateway blade, enter a name for the gateway in the Name field. Next, choose the Virtual network that you want to deploy this gateway to. Click the arrow (>) to open the Choose public IP address blade.
  • Page 41 In the Azure Portal, navigate to New > Networking > Local network gateway. The local network gateway represents your ZyWALL/USG public IP and local subnet settings. On the Create local network gateway blade, specify a Name for your ZyWALL/USG gateway object.
  • Page 42 Specify the public IP address of your ZyWALL/USG. It cannot be behind NAT and has to be reachable by Azure. Address space refers to the address ranges on your ZyWALL/USG local network. For Resource Group, select the resource group that you created before.
  • Page 43 New > Networking > Local network gateway Locate your virtual network gateway (VPN_Connection_to_USG in this example) and click Settings > Connection > Add connection, then name the connection. For Connection type, select Site-to-site (IPSec). For Virtual network gateway, the value is fixed because you are connecting from this gateway (VPN_GW_to_USG in this example).
  • Page 44 For Local network gateway, select the local network gateway that you want to use (VPN_Connection_to_USG in this example). The Shared Key (PSK) must match the pre-shared key configured on your ZyWALL/USG. For Resource Group, select the resource group that you created before.
  • Page 45: Test The Ipsec Vpn Tunnel

    When the connection is complete, it appears in the Connections blade for your gateway. VPN_Connection_to_USG > Settings > Connections Test the IPSec VPN Tunnel. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar.
  • Page 46 MONITOR > VPN Monitor > IPSec Go to Azure_Vnet_USG > Settings to check the tunnel's DATA IN and DATA OUT counters. VPN > VPN Settings > Currently Active VPN Tunnels To test whether the tunnel is working, ping from a computer at one site to a computer at the other.
  • Page 47: What Could Go Wrong

    PC behind MS Azure > Windows 7 > cmd > ping 192.77.1.33 What Could Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 settings. Make sure every ZyWALL/USG Phase 1 setting is on the list of Phase 1 parameters MS Azure supports.
  • Page 48 MONITOR > Log If Phase 1 (the IKE SA) completes but you still get the [info] log message below, check the ZyWALL/USG Phase 2 settings. Make sure every ZyWALL/USG Phase 2 setting is on the list of Phase 2 parameters MS Azure supports. MONITOR >...
  • Page 50: How To Configure Gre Over Ipsec Vpn Tunnel

    How to Configure GRE over IPSec VPN Tunnel. This example shows how to use the VPN Setup Wizard to create a GRE over IPSec VPN tunnel between two ZyWALL/USG devices. It explains how to configure the tunnel at each site; once the GRE over IPSec tunnel is up, each site can reach the other securely.
  • Page 51: Set Up The Zywall/Usg Gre Over Ipsec Vpn Tunnel Of Corporate Network (Hq)

    Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (HQ). In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG at the Branch.
  • Page 52 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; the value is case-sensitive. Select Site-to-site as the rule type. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure Secure Gateway IP as the Branch's WAN IP address (in the example, 111.250.184.80).
  • Page 53 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN >...
  • Page 54 Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router. With Peer ID Type set to Any, the remote router is authenticated by the pre-shared key alone, so the key must be strong and kept private. CONFIGURATION >...
  • Page 55: Set Up The Zywall/Usg Gre Over Ipsec Vpn Tunnel Of Corporate Network (Branch)

    CONFIGURATION > Network > Interface > Tunnel > Add Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (Branch). In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG at HQ.
  • Page 56 Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.
  • Page 57 Set Local Policy to the IP address range of the network connected to the ZyWALL/USG (Branch) and Remote Policy to the IP address range of the network connected to the ZyWALL/USG (HQ). Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration) This screen provides a read-only summary of the VPN tunnel.
  • Page 58 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.
  • Page 59 The GRE tunnel runs between the IPsec public interfaces of the Branch unit and the HQ unit. Go to CONFIGURATION > Network > Interface > Tunnel > Add. Enter the Interface Name (the format is tunnelx, where x is 0-3). Enter the IP Address and Subnet Mask for this interface.
  • Page 60: Test The Gre Over Ipsec Vpn Tunnel

    Test the GRE over IPSec VPN Tunnel. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon lights up when the tunnel is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 61 If Phase 1 (the IKE SA) completes but you still get the [info] log message below, check the ZyWALL/USG Phase 2 settings. Make sure the Phase 2 settings match those configured on the peer ZyWALL/USG. MONITOR >...
  • Page 62: How To Configure Site-To-Site Ipsec Vpn Where The Peer Has A Static Ip Address

    How to Configure Site-to-site IPSec VPN Where the Peer has a Static IP Address. This example shows how to use the VPN Setup Wizard to create a site-to-site VPN where the peer has a static IP address. It explains how to configure the VPN tunnel at each site.
  • Page 63 Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.
  • Page 64 Configure Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (in the example, 172.100.30.54). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.
  • Page 65 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN >...
  • Page 66: Set Up The Zywall/Usg Ipsec Vpn Tunnel Of Corporate Network (Branch)

    Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router. CONFIGURATION >...
  • Page 67 Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.
  • Page 68 Configure Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (in the example, 172.101.30.68). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.
  • Page 69 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN >...
  • Page 70: Test The Ipsec Vpn Tunnel

    CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type Test the IPSec VPN Tunnel. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon lights up when the tunnel is connected.
  • Page 71: What Could Go Wrong

    PC at HQ Office > Windows 7 > cmd > ping 192.168.10.33 PC at Branch Office > Windows 7 > cmd > ping 192.168.1.33 What Could Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 settings.
  • Page 72 If Phase 1 (the IKE SA) completes but you still get the [info] log message below, check the ZyWALL/USG Phase 2 settings. The ZyWALL/USG units at the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS setting to establish the Phase 2 (IPSec) SA. MONITOR >...
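    The Phase 1 / Phase 2 mismatch that every "What Could Go Wrong?" section above describes (Amazon VPC, MS Azure, and ZyWALL/USG to ZyWALL/USG) can be caught before the tunnel is brought up by comparing the two parameter sets field by field. The Python script below is an added example, not ZyXEL or AWS code: it parses a file laid out like the AWS "Generic" VPN configuration download (the step on page 21), normalises the algorithm names to the ones shown in the ZyWALL/USG wizard, and lists every IKE (Phase 1) and IPSec (Phase 2) field that differs. The configuration text, the placeholder key, the ZyWALL/USG values and the name mapping are constructed for the example; for the Azure and ZyWALL-to-ZyWALL cases the same comparison applies with the peer's parameter list in place of the AWS file.

```python
"""Compare a downloaded AWS VPC VPN configuration against the ZyWALL/USG
Phase 1 / Phase 2 wizard settings and list every mismatch.
Added example, not ZyXEL or AWS code."""
import re

# Constructed sample laid out like the AWS "Generic" configuration download
# (one of the two AWS tunnels). The pre-shared key is a placeholder.
AWS_CONFIG = """\
#1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : EXAMPLE_PSK_PLACEHOLDER
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
"""

# AWS spellings -> the names shown in the ZyWALL/USG wizard (assumed mapping).
NAMES = {
    "aes-128-cbc": "AES128", "aes-256-cbc": "AES256", "3des-cbc": "3DES",
    "sha1": "SHA1", "hmac-sha1-96": "SHA1",
    "sha2-256": "SHA256", "hmac-sha256-128": "SHA256",
    "esp": "ESP", "tunnel": "Tunnel", "main": "Main", "aggressive": "Aggressive",
}
DH_RE = re.compile(r"Diffie-Hellman Group (\d+)")
SECONDS_RE = re.compile(r"^(\d+) seconds$")
FIELD_RE = re.compile(r"^\s*-\s*(.+?)\s*:\s*(.+?)\s*$")

def normalise(value):
    """Turn an AWS value into the form used on the ZyWALL/USG side."""
    m = DH_RE.search(value)
    if m:
        return "DH" + m.group(1)          # "Diffie-Hellman Group 2" -> "DH2"
    m = SECONDS_RE.match(value)
    if m:
        return int(m.group(1))            # lifetimes compare as integers
    return NAMES.get(value.lower(), value)

def parse_aws_config(text):
    """Return {"phase1": {...}, "phase2": {...}} from the generic AWS file.
    The pre-shared key is deliberately not retained."""
    result, phase = {"phase1": {}, "phase2": {}}, None
    for line in text.splitlines():
        if line.startswith("#1:"):
            phase = "phase1"
        elif line.startswith("#2:"):
            phase = "phase2"
        elif phase:
            m = FIELD_RE.match(line)
            if m and m.group(1) != "Pre-Shared Key":
                result[phase][m.group(1)] = normalise(m.group(2))
    return result

# ZyWALL/USG wizard field -> the AWS field it must agree with.
PHASE1_FIELDS = {"Negotiation": "Phase 1 Negotiation Mode", "Encryption": "Encryption Algorithm",
                 "Authentication": "Authentication Algorithm", "Key Group": "Perfect Forward Secrecy",
                 "SA Life Time": "Lifetime"}
PHASE2_FIELDS = {"Protocol": "Protocol", "Encapsulation": "Mode", "Encryption": "Encryption Algorithm",
                 "Authentication": "Authentication Algorithm", "PFS": "Perfect Forward Secrecy",
                 "SA Life Time": "Lifetime"}

def find_mismatches(zywall, aws):
    """List (phase, zywall_field, zywall_value, aws_value) for every differing field."""
    found = []
    for phase, fields in (("phase1", PHASE1_FIELDS), ("phase2", PHASE2_FIELDS)):
        for zfield, afield in fields.items():
            ours, theirs = zywall[phase].get(zfield), aws[phase].get(afield)
            if ours != theirs:
                found.append((phase, zfield, ours, theirs))
    return found

# Constructed wizard values with one Phase 1 error (SHA256 instead of SHA1)
# and one Phase 2 error (PFS off): the two failure modes the log messages
# in the "What Could Go Wrong?" sections point at.
ZYWALL_SETTINGS = {
    "phase1": {"Negotiation": "Main", "Encryption": "AES128", "Authentication": "SHA256",
               "Key Group": "DH2", "SA Life Time": 28800},
    "phase2": {"Protocol": "ESP", "Encapsulation": "Tunnel", "Encryption": "AES128",
               "Authentication": "SHA1", "PFS": "None", "SA Life Time": 3600},
}

if __name__ == "__main__":
    for phase, field, ours, theirs in find_mismatches(ZYWALL_SETTINGS, parse_aws_config(AWS_CONFIG)):
        print(f"{phase}: {field} is {ours} on the ZyWALL/USG but {theirs} on the AWS side")
```

    Run as-is, the script reports the Phase 1 authentication and the Phase 2 PFS mismatch that were planted in the constructed settings. A Phase 1 mismatch shows up in MONITOR > Log before the IKE SA is established; a Phase 2 mismatch is the case where the IKE SA completes but the [info] message keeps appearing. The pre-shared key is parsed past but never stored, so the comparison output can be shared without leaking it.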
  • Page 73: How To Configure Site-To-Site Ipsec Vpn Where The Peer Has A Dynamic Ip Address

    How to Configure Site-to-site IPSec VPN Where the Peer has a Dynamic IP Address. This example shows how to use the VPN Setup Wizard to create a site-to-site VPN where the peer has a dynamic IP address. It explains how to configure the VPN tunnel at each site.
  • Page 74 Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway).
  • Page 75 Type a secure Pre-Shared Key (8-32 characters). Then set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG. Quick Setup >...
  • Page 76 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary) The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 settings appear in the VPN >...
  • Page 77: (Branch Has A Dynamic Ip Address)

    CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch has a Dynamic IP Address). In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a Site-to-site VPN rule.
  • Page 78 Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.
  • Page 79 Configure Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (in the example, 172.101.30.68). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the ZyWALL/USG local IP address range that may use the VPN tunnel and Remote Policy to the peer ZyWALL/USG's local IP address range that may use the VPN tunnel.
  • Page 80 The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
  • Page 81: Test The Ipsec Vpn Tunnel

    CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type Test the IPSec VPN Tunnel. A site-to-site VPN with a dynamic peer can only be initiated from the peer that has the dynamic IP address, because the other side has no fixed address to dial. On that unit, go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar.
  • Page 82: What Could Go Wrong

    PC at HQ Office > Windows 7 > cmd > ping 192.168.10.33 PC at Branch Office > Windows 7 > cmd > ping 192.168.1.33 What Could Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 settings.
  • Page 83 If Phase 1 (the IKE SA) completes but you still get the [info] log message below, check the ZyWALL/USG Phase 2 settings. The ZyWALL/USG units at the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS setting to establish the Phase 2 (IPSec) SA. MONITOR >...
  • Page 84: How To Configure Ipsec Site To Site Vpn While One Site Is Behind A Nat Router

    How to Configure IPSec Site to Site VPN while one Site is behind a NAT router. This example shows how to use the VPN Setup Wizard to create an IPSec site-to-site VPN tunnel between two ZyWALL/USG devices when one site is behind a NAT router. It explains how to configure the VPN tunnel at each site.
  • Page 85 Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.
  • Page 86 Configure Secure Gateway IP as the Branch's WAN IP address (in the example, 172.100.30.40). Then type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG (HQ) and Remote Policy to the IP address range of the network connected to the ZyWALL/USG (Branch).
  • Page 87 The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
  • Page 88: Set Up The Zywall/Usg Ipsec Vpn Tunnel Of Corporate Network (Branch)

    Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch). In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG at HQ.
  • Page 89 Quick Setup > VPN Setup Wizard > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; the value is case-sensitive. Select Site-to-site as the rule type. Click Next. Quick Setup >...
  • Page 90 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN >...
  • Page 91: Set Up The Nat Router (Using Zywall Usg Device In This Example)

    Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router. CONFIGURATION >...
  • Page 92 the User-Defined Original IP field, and type the translated destination IP address that this NAT rule forwards to. CONFIGURATION > Network > NAT > Add Go to CONFIGURATION > Security Policy > Policy Control. IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports: IP protocol = 50 →...
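    Why the NAT router in front of the Branch unit needs these forwarding rules, as an added example that is not part of the handbook: the Python script below reproduces the NAT detection both IKE peers perform with NAT-D payloads (RFC 3947, a hash over the two IKE cookies and the address and port each side believes it is using) and derives the protocol/port set the NAT router must pass to the inner ZyWALL/USG. The addresses, the fixed cookies and the assumption that both units have NAT traversal enabled are constructed for the illustration; UDP 500 (IKE), UDP 4500 (NAT-T) and IP protocol 50 (ESP) are the standard values.

```python
"""Simulate the NAT detection two IKE peers perform with NAT-D payloads
(RFC 3947) and derive what the NAT router in front of the Branch
ZyWALL/USG must forward. Added example, not ZyXEL code."""
import hashlib
import ipaddress
import struct

IKE_PORT, NATT_PORT, ESP_PROTO = 500, 4500, 50   # standard IKE / NAT-T / ESP values

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """NAT-D payload content, HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2.
    The hash algorithm is the one negotiated in Phase 1; SHA1 is assumed here."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKE cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()

def nat_detected(cky_i, cky_r, claimed_ip, claimed_port, observed_ip, observed_port):
    """The sender hashes the address it believes it is using; the receiver
    hashes the source address it actually observed on the wire. Any
    difference means a NAT rewrote the packet somewhere on the path."""
    sent = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    seen = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return sent != seen

def required_forwarding(nat_present):
    """(protocol, port or IP protocol number) pairs the NAT router must forward
    to the inner gateway. IKE always starts on UDP 500; once a NAT is detected
    the peers float to UDP 4500 and carry ESP inside UDP there. ESP (IP protocol
    50) is kept in both cases so a peer that does not float still works."""
    rules = [("udp", IKE_PORT), ("ip-proto", ESP_PROTO)]
    if nat_present:
        rules.insert(1, ("udp", NATT_PORT))
    return rules

# Constructed scenario following the handbook topology: the Branch unit has a
# private WAN address behind a NAT router whose public address is the Secure
# Gateway IP that HQ dials. Cookies are fixed here; real ones are random.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
BRANCH_PRIVATE = "192.168.1.20"    # what the Branch ZyWALL/USG believes it is
NAT_ROUTER_WAN = "172.100.30.40"   # what HQ actually sees as the source
HQ_WAN = "172.101.30.68"           # HQ has a public address (constructed)

def run_scenario():
    """Return (branch_behind_nat, hq_behind_nat, forwarding rules for the NAT router)."""
    branch = nat_detected(CKY_I, CKY_R, BRANCH_PRIVATE, IKE_PORT, NAT_ROUTER_WAN, IKE_PORT)
    hq = nat_detected(CKY_I, CKY_R, HQ_WAN, IKE_PORT, HQ_WAN, IKE_PORT)
    return branch, hq, required_forwarding(branch or hq)

if __name__ == "__main__":
    branch, hq, rules = run_scenario()
    print(f"Branch behind NAT: {branch}, HQ behind NAT: {hq}")
    print("NAT router must forward:", rules)
```

    The Branch side's hash differs from what HQ computes over the observed source, so both peers learn that a NAT sits on the Branch side and move to UDP 4500. If the NAT router only forwards UDP 500 and ESP, Phase 1 succeeds on port 500 and the tunnel then fails when traffic floats to 4500, which is why the NAT rule and the security policy on the router must cover all three entries.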
  • Page 93: Test The Ipsec Vpn Tunnel

    Test the IPSec VPN Tunnel. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon lights up when the tunnel is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 94: What Could Go Wrong

    To test whether the tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices). PC behind ZyWALL/USG (HQ) > Windows 7 > cmd > ping 192.168.20.33 PC behind ZyWALL/USG (Branch) >...
  • Page 95 MONITOR > Log If Phase 1 (the IKE SA) completes but you still get the [info] log message below, check the ZyWALL/USG Phase 2 settings. The ZyWALL/USG units at the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS setting to establish the Phase 2 (IPSec) SA.
  • Page 96: How To Configure Hub-And-Spoke Ipsec Vpn

    How to Configure Hub-and-Spoke IPSec VPN. This is an example of a hub-and-spoke VPN with the HQ ZyWALL/USG as the hub and spoke VPNs to Branches A and B. Once the tunnels are configured, traffic between HQ and each branch passes over that branch's spoke tunnel, and traffic between the two branches (spoke to spoke) also passes through the hub.
  • Page 97: Set Up The Ipsec Vpn Tunnel On The Zywall/Usg By Using Vpn Concentrator Hub_Hq-To-Branch_A

    Set Up the IPSec VPN Tunnel on the ZyWALL/USG by Using VPN Concentrator: Hub_HQ-to-Branch_A. In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG.
  • Page 98 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; the value is case-sensitive. Select Site-to-site as the rule type. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
  • Page 99 Then configure the Secure Gateway IP as Branch A's gateway IP address (in the example, 172.16.20.1). Type a secure Pre-Shared Key (8-32 characters), which must match Branch A's Pre-Shared Key. Set Local Policy to the IP address range of the network connected to Hub_HQ and Remote Policy to the IP address range of the network connected to Branch A.
  • Page 100 The rule is now configured on the ZyWALL/USG. The Phase 1 settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
  • Page 101: Hub_HQ-to-Branch_B

    Hub_HQ-to-Branch_B In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next. Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key as the authentication method.
  • Page 102 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Then, configure the Secure Gateway IP as Branch B’s Gateway IP address (in the example, 172.16.30.1).
  • Page 103 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary) ...
  • Page 104: Hub_HQ Concentrator

    Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
  • Page 106: Spoke_Branch_A

    Spoke_Branch_A In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next. Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key as the authentication method.
  • Page 107 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Then, configure the Secure Gateway IP as the Hub_HQ’s Gateway IP address (in the example, 172.16.10.1).
  • Page 108 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary) ...
  • Page 109 Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
  • Page 111: Spoke_Branch_B

    Spoke_Branch_B In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG. Click Next. Quick Setup > VPN Setup Wizard > Welcome Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key as the authentication method.
  • Page 112 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Then, configure the Secure Gateway IP as the Hub_HQ’s Gateway IP address (in the example, 172.16.10.1).
  • Page 113 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Summary) ...
  • Page 114 Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
  • Page 115: Test the IPSec VPN Tunnel

    Test the IPSec VPN Tunnel ...
  • Page 116 Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. Hub_HQ > CONFIGURATION > VPN > IPSec VPN > VPN Connection Spoke_Branch_A >...
  • Page 117 Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_B Spoke_Branch_A > MONITOR > VPN Monitor > IPSec ...
  • Page 118: What Could Go Wrong

    Spoke_Branch_B > MONITOR > VPN Monitor > IPSec What Could Go Wrong? If you see an [info] or [error] log message such as the one below, please check the ZyWALL/USG Phase 1 Settings. All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE...
  • Page 119: Set Up the IPSec VPN Tunnel of ZyWALL/USG without Using VPN Concentrator Hub_HQ-to-Branch_A

    If you see that the Phase 1 IKE SA process is done but you still get the [info] log message below, please check the ZyWALL/USG and SonicWALL Phase 2 Settings. All ZyWALL/USG units must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA. Make sure all ZyWALL/USG units’...
  • Page 120 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the Site-to-site scenario and the VPN Gateway configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway ...
  • Page 121 Click Create new Object on the upper bar to add the address range of the local networks behind Hub_HQ to Branch_B and the address of the local network behind Branch A. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Set Local Policy to be HQ-to-Branch_A and Remote Policy to be Branch_A, which are the newly created objects.
  • Page 122: Hub_HQ-to-Branch_B

    Hub_HQ-to-Branch_B Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Secure Gateway IP as Branch B’s Gateway IP address (in the example, 172.16.30.1).
  • Page 123 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the Site-to-site scenario and the VPN Gateway configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway ...
  • Page 124 Click Create new Object on the upper bar to add the address range of the local networks behind Hub_HQ to Branch_A and the address of the local network behind Branch B. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Set Local Policy to be HQ-to-Branch_B and Remote Policy to be Branch_B, which are the newly created objects.
  • Page 125: Spoke_Branch_A

    Spoke_Branch_A Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Secure Gateway IP as the Hub_HQ’s Gateway IP address (in the example, 172.16.10.1). Type a secure Pre-Shared Key (8-32 characters) which must match the Hub_HQ’s Pre-Shared Key and click OK.
  • Page 126 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the Site-to-site scenario and the VPN Gateway configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway ...
  • Page 127 Click Create new Object on the upper bar to add the address of the local network behind Branch A and the address range of the local networks behind Hub_HQ to Branch_B. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Set Local Policy to be Branch_A and Remote Policy to be HQ-to-Branch_B, which are the newly created objects.
  • Page 128: Spoke_Branch_B

    Spoke_Branch_B Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Secure Gateway IP as the Hub_HQ’s Gateway IP address (in the example, 172.16.10.1). Type a secure Pre-Shared Key (8-32 characters) which must match the Hub_HQ’s Pre-Shared Key and click OK.
  • Page 129 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the Site-to-site scenario and the VPN Gateway configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway ...
  • Page 130 Click Create new Object on the upper bar to add the address of the local network behind Branch B and the address range of the local networks behind Hub_HQ to Branch_A. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Set Local Policy to be Branch_B and Remote Policy to be HQ-to-Branch_A, which are the newly created objects.
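The hub-and-spoke policies above work because an IPSec gateway matches each outgoing packet against its VPN Connections before encrypting it: only a connection whose Local Policy covers the packet's source and whose Remote Policy covers its destination carries the packet, and a packet that matches no connection is not tunnelled. The following Python model is an added example, not code from the ZyXEL handbook. The LAN subnets (192.168.10.0/24 for HQ, 192.168.20.0/24 for Branch A, 192.168.30.0/24 for Branch B) and the object names are assumptions, since the handbook shows only the gateway addresses. It traces a Branch A to Branch B packet first with plain site-to-site policies and then with the wider HQ-to-Branch_X address ranges the handbook creates, showing where the first layout stops it.

```python
"""Traffic-selector walk-through for the hub-and-spoke IPSec VPN configured above.

Added example, not taken from the ZyXEL handbook. The handbook only shows the
gateway addresses, so the LAN subnets here are assumptions: HQ 192.168.10.0/24,
Branch A 192.168.20.0/24, Branch B 192.168.30.0/24. The "HQ-to-Branch_A" and
"HQ-to-Branch_B" objects are modelled as address ranges, as the handbook creates
them; the object and tunnel names are mine.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple, Union

# A policy (traffic selector) is either a CIDR network or an inclusive address range.
Selector = Union[IPv4Network, Tuple[IPv4Address, IPv4Address]]


def net(cidr: str) -> Selector:
    return ip_network(cidr)


def rng(first: str, last: str) -> Selector:
    return (ip_address(first), ip_address(last))


def covers(sel: Selector, addr: IPv4Address) -> bool:
    if isinstance(sel, IPv4Network):
        return addr in sel
    first, last = sel
    return first <= addr <= last


@dataclass(frozen=True)
class Tunnel:
    name: str         # VPN Connection name
    local: Selector   # Local Policy
    remote: Selector  # Remote Policy
    peer: str         # device at the other end of the tunnel


@dataclass(frozen=True)
class Device:
    name: str
    lan: Selector
    tunnels: Tuple[Tunnel, ...]


def select_tunnel(dev: Device, src: IPv4Address, dst: IPv4Address) -> Optional[Tunnel]:
    """First VPN Connection whose Local Policy covers src and Remote Policy covers dst.

    This is the lookup a gateway performs before encrypting; a packet matching
    no policy is not sent through any tunnel.
    """
    for t in dev.tunnels:
        if covers(t.local, src) and covers(t.remote, dst):
            return t
    return None


def trace(topology: Dict[str, Device], start: str, src: str, dst: str) -> List[str]:
    """Follow one packet hop by hop and record the tunnel chosen at each device."""
    s, d = ip_address(src), ip_address(dst)
    here, path = topology[start], []
    for _ in range(len(topology)):
        if covers(here.lan, d):
            path.append(f"delivered@{here.name}")
            return path
        t = select_tunnel(here, s, d)
        if t is None:
            path.append(f"no-match@{here.name}")
            return path
        path.append(f"{here.name}:{t.name}")
        here = topology[t.peer]
    path.append("loop")
    return path


HQ_LAN, A_LAN, B_LAN = net("192.168.10.0/24"), net("192.168.20.0/24"), net("192.168.30.0/24")
HQ_TO_A = rng("192.168.10.0", "192.168.20.255")  # spans HQ through Branch A
HQ_TO_B = rng("192.168.10.0", "192.168.30.255")  # spans HQ through Branch B (and so Branch A as well)


def plain_site_to_site() -> Dict[str, Device]:
    """Each tunnel carries only HQ<->branch traffic: the spoke's Remote Policy is the HQ LAN."""
    return {
        "Hub_HQ": Device("Hub_HQ", HQ_LAN, (
            Tunnel("Hub_HQ-to-Branch_A", HQ_LAN, A_LAN, "Spoke_Branch_A"),
            Tunnel("Hub_HQ-to-Branch_B", HQ_LAN, B_LAN, "Spoke_Branch_B"))),
        "Spoke_Branch_A": Device("Spoke_Branch_A", A_LAN,
                                 (Tunnel("Spoke_Branch_A", A_LAN, HQ_LAN, "Hub_HQ"),)),
        "Spoke_Branch_B": Device("Spoke_Branch_B", B_LAN,
                                 (Tunnel("Spoke_Branch_B", B_LAN, HQ_LAN, "Hub_HQ"),)),
    }


def hub_and_spoke() -> Dict[str, Device]:
    """The handbook's layout without the concentrator: the hub's Local Policy and each
    spoke's Remote Policy use the wider HQ-to-Branch_X ranges so spoke traffic matches."""
    return {
        "Hub_HQ": Device("Hub_HQ", HQ_LAN, (
            Tunnel("Hub_HQ-to-Branch_A", HQ_TO_B, A_LAN, "Spoke_Branch_A"),
            Tunnel("Hub_HQ-to-Branch_B", HQ_TO_A, B_LAN, "Spoke_Branch_B"))),
        "Spoke_Branch_A": Device("Spoke_Branch_A", A_LAN,
                                 (Tunnel("Spoke_Branch_A", A_LAN, HQ_TO_B, "Hub_HQ"),)),
        "Spoke_Branch_B": Device("Spoke_Branch_B", B_LAN,
                                 (Tunnel("Spoke_Branch_B", B_LAN, HQ_TO_A, "Hub_HQ"),)),
    }


if __name__ == "__main__":
    for label, topo in (("plain site-to-site", plain_site_to_site()), ("hub-and-spoke", hub_and_spoke())):
        print(f"{label:18} A->B:", " -> ".join(trace(topo, "Spoke_Branch_A", "192.168.20.33", "192.168.30.33")))
```

With the plain policies the packet is refused at Spoke_Branch_A itself, because the spoke's only Remote Policy is the HQ LAN; widening the spoke's Remote Policy and the hub's Local Policy is what lets the hub forward spoke-to-spoke traffic. Address ranges are coarse (HQ_TO_B also contains Branch A), which is harmless here but worth remembering when the policy is meant to limit which subnets may talk.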
  • Page 131: Test the IPSec VPN Tunnel

    Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. Hub_HQ > CONFIGURATION > VPN > IPSec VPN > VPN Connection Spoke_Branch_A >...
  • Page 132 Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_B Spoke_Branch_A > MONITOR > VPN Monitor > IPSec ...
  • Page 133: What Could Go Wrong

    Spoke_Branch_B > MONITOR > VPN Monitor > IPSec What Could Go Wrong? If you see an [info] or [error] log message such as the one below, please check the ZyWALL/USG Phase 1 Settings. All ZyWALL/USG units must use the same Pre-Shared Key, ...
  • Page 134 Encryption, Authentication method, DH key group and ID Type to establish the IKE SA. If you see that the Phase 1 IKE SA process is done but you still get the [info] log message below, please check the ZyWALL/USG and SonicWALL Phase 2 Settings. All ZyWALL/USG units must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA.
  • Page 135: How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN Concentrator

    How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN Concentrator This is an example of using Dual-WAN to perform fail-over on a hub-and-spoke VPN with the HQ ZyWALL/USG as the hub and spoke VPNs to Branches A and B. When the VPN tunnel is configured, traffic passes between branches via the hub (HQ).
  • Page 136: Set Up the IPSec VPN Tunnel on the ZyWALL/USG Hub_HQ-to-Branch_A

    Set Up the IPSec VPN Tunnel on the ZyWALL/USG Hub_HQ-to-Branch_A Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Primary Gateway IP as Branch A’s wan1 IP address (in the example, 172.16.20.1) and the Secondary Gateway IP as Branch A’s wan2 IP address (in the example, 172.100.120.1).
  • Page 137 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the Site-to-site scenario and the VPN Gateway configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway ...
  • Page 138 Click Create new Object to add the address of the local network behind Hub_HQ and the address of the local network behind Branch A. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Set Local Policy to be Hub_HQ and Remote Policy to be Branch_A, which are the newly created objects.
  • Page 139: Hub_HQ-to-Branch_B

    Hub_HQ-to-Branch_B Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Primary Gateway IP as Branch B’s wan1 IP address (in the example, 172.16.30.1) and the Secondary Gateway IP as Branch B’s wan2 IP address (in the example, 172.100.130.1).
  • Page 140 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection to enable the VPN Connection. Select the Site-to-site scenario and the VPN Gateway configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway ...
  • Page 141 Click Create new Object to add the address of the local network behind Hub_HQ and the address of the local network behind Branch B. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Set Local Policy to be Hub_HQ and Remote Policy to be Branch_B, which are the newly created objects.
  • Page 142: Hub_HQ Concentrator

    Hub_HQ Concentrator In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > Concentrator and add a VPN Concentrator rule. Select the VPN tunnels to be in the same member group and click Save. ...
  • Page 143: Spoke_Branch_A

    Spoke_Branch_A Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Primary Gateway IP as the Hub_HQ’s wan1 IP address (in the example, 172.16.10.1) and the Secondary Gateway IP as the Hub_HQ’s wan2 IP address (in the example, 172.100.110.1).
  • Page 144 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the Site-to-site scenario and the VPN Gateway configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway ...
  • Page 145 Click Create new Object to add the address of the local network behind Branch A and the address of the local network behind Hub_HQ. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Set Local Policy to be Spoke_Branch_A_LOCAL and Remote Policy to be Hub_HQ, which are the newly created objects.
  • Page 146 Go to Network > Routing > Policy Route to add a Policy Route that allows traffic from Spoke_Branch_A to Spoke_Branch_B. Click Create new Object and set the address to be the local network behind Spoke_Branch_B. Select the Source Address to be the local network behind Spoke_Branch_A.
  • Page 147: Spoke_Branch_B

    Spoke_Branch_B Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and select Enable. Type the VPN Gateway Name used to identify this VPN gateway. Then, configure the Primary Gateway IP as the Hub_HQ’s wan1 IP address (in the example, 172.16.10.1) and the Secondary Gateway IP as the Hub_HQ’s wan2 IP address (in the example, 172.100.110.1).
  • Page 148 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and select Enable. Type the Connection Name used to identify this VPN connection. Select the Site-to-site scenario and the VPN Gateway configured in Step 1. CONFIGURATION > VPN > IPSec VPN > VPN Connection > General Settings and VPN Gateway ...
  • Page 149 Click Create new Object to add the address of the local network behind Branch B and the address of the local network behind Hub_HQ. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object Set Local Policy to be Spoke_Branch_B_LOCAL and Remote Policy to be Hub_HQ, which are the newly created objects.
  • Page 150 Go to Network > Routing > Policy Route to add a Policy Route that allows traffic from Spoke_Branch_B to Spoke_Branch_A. Click Create new Object and set the address to be the local network behind Spoke_Branch_A. Select the Source Address to be the local network behind Spoke_Branch_B.
  • Page 151: Test the IPSec VPN Tunnel

    Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. Hub_HQ > CONFIGURATION > VPN > IPSec VPN > VPN Connection Spoke_Branch_A >...
  • Page 152 Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_A Hub_HQ > MONITOR > VPN Monitor > IPSec > Hub_HQ-to-Branch_B Spoke_Branch_A > MONITOR > VPN Monitor > IPSec ...
  • Page 153: What Could Go Wrong

    Spoke_Branch_B > MONITOR > VPN Monitor > IPSec What Could Go Wrong? If you see an [info] or [error] log message such as the one below, please check the ZyWALL/USG Phase 1 Settings. All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE...
  • Page 154 If you see that the Phase 1 IKE SA process is done but you still get the [info] log message below, please check the ZyWALL/USG Phase 2 Settings. All ZyWALL/USG units must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA.
  • Page 156: How to Configure IPSec VPN with ZyWALL IPSec VPN Client

    How to Configure IPSec VPN with ZyWALL IPSec VPN Client This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a ZyWALL IPSec VPN Client. The example shows how to configure the VPN tunnel at each site.
  • Page 157: Set Up the ZyWALL/USG IPSec VPN Tunnel

    Set Up the ZyWALL/USG IPSec VPN Tunnel In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, and use the VPN Settings for Configuration Provisioning wizard to create a VPN rule that can be used with the ZyWALL IPSec VPN Client. Click Next. Quick Setup >...
  • Page 158 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Click Next. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings-1 Type a secure Pre-Shared Key (8-32 characters).
  • Page 159 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings-3 Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
  • Page 160 Go to CONFIGURATION > Object > User/Group > Add A User and create a user account for the ZyWALL IPSec VPN Client user. CONFIGURATION > Object > User/Group > Add A User Go to CONFIGURATION > VPN > IPSec VPN > Configuration Provisioning. In the General Settings section, select Enable Configuration Provisioning.
  • Page 161: Set Up the ZyWALL IPSec VPN Client

    Set Up the ZyWALL IPSec VPN Client Download the ZyWALL IPSec VPN Client software from the ZyXEL Download Library: http://www.zyxel.com/support/download_landing.shtml ...
  • Page 162 Open the ZyWALL IPSec VPN Client and select CONFIGURATION > Get from Server. CONFIGURATION > Get from Server Enter the WAN IP address or URL of the ZyWALL/USG in the Gateway Address. If you changed the default HTTPS Port on the ZyWALL/USG, enter the new one here.
  • Page 163 CONFIGURATION > Get from Server > Step 2: Processing ...
  • Page 164 Then, you will see the Configuration successful page; click OK to exit the wizard. CONFIGURATION > Get from Server > Configuration successful Go to VPN Configuration > IKEv1, right-click WIZ_VPN_PROVISIONING and select Open tunnel. You will see Tunnel opened at the bottom right of the screen.
  • Page 165: Test the IPSec VPN Tunnel

    Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and Inbound(Bytes)/Outbound(Bytes) Traffic.
  • Page 166: What Can Go Wrong

    To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices). PC with ZyWALL IPSec VPN Client installed > Windows 7 > cmd > ping 192.168.1.33 PC behind ZyWALL/USG >...
  • Page 167 and ZyWALL IPSec VPN Client use the same Pre-Shared Key to establish the IKE SA. MONITOR > Log If you see an [info] or [error] log message such as the one below, please check the ZyWALL/USG Phase 1 Settings. The ZyWALL/USG and ZyWALL IPSec VPN Client must use the same Encryption, Authentication method, DH key group and ID Type/Content to establish the IKE SA.
  • Page 168 Make sure the service HTTPS Port on the IPSec VPN Client application is available. Make sure the To-ZyWALL security policies allow IPSec VPN traffic to the ZyWALL/USG. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
  • Page 169: How to Configure Site-to-site IPSec VPN with FortiGate

    How to Configure Site-to-site IPSec VPN with FortiGate This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a FortiGate router. The example shows how to configure the VPN tunnel at each site.
  • Page 170 Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and use a pre-shared key as the authentication method. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type ...
  • Page 171 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure the Secure Gateway IP as the FortiGate’s WAN IP address (in the example, 172.100.30.40).
  • Page 172 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
  • Page 173: Set Up the IPSec VPN Tunnel on the FortiGate

    Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Configure Authentication > Peer ID Type as Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router. CONFIGURATION >...
  • Page 174 Type the Name used to identify this VPN connection and configure the Remote Gateway IP as the peer ZyWALL/USG’s WAN IP address. Select the Interface which is connected to the Internet. VPN > IPsec > Wizard > Custom VPN Tunnel (No Template) > Network ...
  • Page 175 Go to the Authentication section, enter the Pre-shared Key and choose the same negotiation Mode as the peer ZyWALL/USG’s. VPN > IPsec > Wizard > Custom VPN Tunnel (No Template) > Authentication Configure Phase 1 Proposal and Diffie-Hellman Group as the peer ZyWALL/USG Advanced Settings’...
  • Page 176 Go to Phase 2 Selectors > Advanced and configure Phase 2 Proposal as the peer ZyWALL/USG Advanced Settings’ Phase 2 Settings > Proposal. Set Local Address to be the IP address range of the network connected to the FortiGate and Remote Address to be the IP address range of the network connected to the ZyWALL/USG.
  • Page 177 This screen provides a summary of the VPN tunnel. Click OK to exit the configuration page. VPN > IPsec > Wizard > Custom VPN Tunnel (No Template) ...
  • Page 178: Test the IPSec VPN Tunnel

    Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 179: What Could Go Wrong

    To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices). PC behind ZyWALL/USG > Windows 7 > cmd > ping 192.168.2.33 PC behind FortiGate >...
  • Page 180 If you see that the Phase 1 IKE SA process is done but you still get the [info] log message below, please check the ZyWALL/USG and FortiGate Phase 2 Settings. Both ZyWALL/USG and FortiGate must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA. MONITOR >...
  • Page 181: How to Configure Site-to-site IPSec VPN with WatchGuard

    How to Configure Site-to-site IPSec VPN with WatchGuard This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a WatchGuard router. The example shows how to configure the VPN tunnel at each site. When the VPN tunnel is configured, each site can be accessed securely.
  • Page 182: Set Up the IPSec VPN Tunnel on the ZyWALL/USG

    Set Up the IPSec VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, and use the VPN Settings wizard to create a VPN rule that can be used with the WatchGuard. Click Next. Quick Setup >...
  • Page 183 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure the Secure Gateway IP as the WatchGuard’s WAN IP address (in the example, 172.100.30.63).
  • Page 184 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...
  • Page 185: Set Up the IPSec VPN Tunnel on the WatchGuard

    Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Configure Authentication > Local ID Type as IPv4 and set the Content as your ZyWALL/USG’s WAN IP Address (in the example, 172.101.30.73). Then, configure Authentication > Remote ID Type as IPv4 and set the Content as your WatchGuard’s External IP Address (in the example, 172.100.30.63).
  • Page 186 In the WatchGuard VPN > Branch Office VPN > Gateway > General Settings, create a Site-to-site VPN Gateway Name and set a secure Pre-Shared Key. VPN > Branch Office VPN > Gateway > General Settings > Credential Method To add a Gateway Endpoint, click Add. VPN >...
  • Page 187 The new Gateway Endpoint dialog box appears. Configure your Local Gateway identity as the WatchGuard’s External IP Address (in the example, 172.100.30.63) and the Remote Gateway identity as your ZyWALL/USG’s WAN IP Address (in the example, 172.101.30.73). Click OK. VPN > Branch Office VPN > Gateway > General Settings > Gateway Endpoints ...
  • Page 188 Then, go to VPN > Branch Office VPN > Gateway > Phase 1 Settings and select the same negotiation Mode as your ZyWALL/USG’s Phase 1 Settings. Make sure you enable both the NAT Traversal and Dead Peer Detection options if both options are enabled in the ZyWALL/USG.
  • Page 189 Then, go to VPN > Branch Office VPN > Tunnel to add Tunnel Route Settings. In the Local IP section, set the Network IP to be the IP address range of the network connected to the WatchGuard. In the Remote IP section, set the Network IP to be the IP address range of the network connected to the ZyWALL/USG.
  • Page 191 Go to VPN > Branch Office VPN > Tunnel > Phase 2 Settings to create a Tunnel Name. Then, select the Gateway. Make sure you enable Perfect Forward Secrecy and select Diffie-Hellman Group 2. Then, scroll down to Phase 2 Proposals and add the encryption types to match your ZyWALL/USG’s VPN Connection >...
  • Page 192: Test the IPSec VPN Tunnel

    Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 193 Go to WatchGuard System Status > VPN Statistics > Branch Office VPN and check that the tunnel Status is up and see Bytes In (Incoming Data) and Bytes Out (Outgoing Data). System Status > VPN Statistics > Branch Office To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other.
  • Page 194: What Could Go Wrong

    What Could Go Wrong? If you see the [info] or [error] log message below, please check the ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG and WatchGuard must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE MONITOR >...
  • Page 195 Make sure that both the ZyWALL/USG and WatchGuard security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
  • Page 196: How to Configure Site-to-site IPSec VPN with Cisco

    How to Configure Site-to-site IPSec VPN with Cisco This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a Cisco router. The example shows how to configure the VPN tunnel at each site. When the VPN tunnel is configured, each site can be accessed securely.
  • Page 197: Set Up the IPSec VPN Tunnel on the ZyWALL/USG

    Set Up the IPSec VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, and use the VPN Settings wizard to create a VPN rule that can be used with the Cisco. Click Next.
  • Page 198 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Then, configure the Secure Gateway IP as the Cisco’s Gateway IP address (in the example, 172.100.30.80);...
  • Page 199 Continue to Phase 2 Settings to select the desired Encapsulation, Encryption, Authentication, and Perfect Forward Secrecy (PFS) settings. Set Local Policy to be the IP address range of the network connected to the ZyWALL/USG and Remote Policy to be the IP address range of the network connected to the Cisco.
  • Page 200 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) ...
  • Page 201 Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
  • Page 203: Set Up the IPSec VPN Tunnel on the Cisco

    Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router. CONFIGURATION >...
  • Page 204 Go to VPN > Site-to-site > IKE Policies and click Add to create a new IKE Policy Name. Then select Encryption, Hash, Pre-shared Key and D-H Group to match your ZyWALL/USG’s VPN Gateway > Phase 1 Settings. Set Lifetime to 24 hours, click OK, then click Save to exit the IKE Policies page.
  • Page 205 Go to VPN > Site-to-site > Transform Sets and click Add to create a new Transform Set name. Then select Integrity and Encryption to match your ZyWALL/USG’s VPN Connection > Phase 2 Settings. Click OK, then click Save to exit the Transform Sets page.
  • Page 206 address range of the network connected to the ZyWALL/USG (Address Object created in Step 1) VPN > Site-to-site > IPsec Policies > Basic Settings Then go to Advanced Settings and enable PFS and DPD if both options are enabled on the ZyWALL/USG.
  • Page 208: Test the IPSec VPN Tunnel

    Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 209 To test whether a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices). PC behind ZyWALL/USG > Windows 7 > cmd > ping 192.168.75.33 PC behind Cisco>...
  • Page 210: What Could Go Wrong?

    What Could Go Wrong? If you see the [info] or [error] log messages below, check the ZyWALL/USG Phase 1 Settings. Both the ZyWALL/USG and the Cisco must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA. MONITOR >...
  • Page 212: How to Configure Site-to-site IPSec VPN with a SonicWALL Router

    How to Configure Site-to-site IPSec VPN with a SonicWALL router This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and a SonicWALL router. The example shows how to configure the VPN tunnel at each site. When the VPN tunnel is configured, each site can be accessed securely.
  • Page 213: Set Up the IPSec VPN Tunnel on the ZyWALL/USG

    Set Up the IPSec VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the SonicWALL. Click Next. Quick Setup >...
  • Page 214 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Select the rule to be Site-to-site. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Then, configure the Secure Gateway IP as the SonicWALL’s Gateway IP address (in the example, 172.100.20.23);...
  • Page 215 Continue to Phase 2 Settings to select the desired Encapsulation, Encryption, Authentication, and SA Life Time settings. Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the SonicWALL.
  • Page 216 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)
  • Page 217 Note: The Phase 1 and Phase 2 settings established here must match the Phase 1 and Phase 2 settings configured later in the SonicWALL.
  • Page 218 Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard. Quick Setup >...
  • Page 219 Go to VPN Gateway > Show Advanced Settings > Authentication and configure your Local ID Type and Peer ID Type to match your SonicWALL’s VPN > Settings > VPN Policies > General > IKE Authentication > Local IKE ID and Peer IKE ID. VPN Gateway >...
  • Page 220: Set Up the IPSec VPN Tunnel on the SonicWALL

    Set Up the IPSec VPN Tunnel on the SonicWALL In the SonicWALL VPN > Settings > VPN Policies, click Add to create a new VPN policy. Set Policy Type to Site to Site and Authentication Method to IKE using Preshared Secret.
  • Page 221 In the SonicWALL VPN > Settings > VPN Policies > Network, set Local Network to the IP address range of the network connected to the SonicWALL (found under SonicWALL > Network > Interfaces > LAN). Go to Remote Network and create a new address object for the IP address range of the network connected to the ZyWALL/USG.
  • Page 222 In the SonicWALL VPN > Settings > VPN Policies > Proposals > IKE (Phase 1) Proposal, set Exchange, DH Group, Encryption and Authentication to match your ZyWALL/USG’s VPN Gateway > Show Advanced Settings > Phase 1 Settings. Go to IKE (Phase 2) Proposal and set the Protocol, Encryption and Authentication to match your ZyWALL/USG’s VPN Connection >...
  • Page 223 Select Enable VPN and click Refresh Active. VPN > Settings > VPN Global Settings
  • Page 224: Test the IPSec VPN Tunnel

    Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 225 To test whether a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices). PC behind ZyWALL/USG > Windows 7 > cmd > ping 192.168.168.33 PC behind SonicWALL>...
  • Page 226: What Could Go Wrong?

    What Could Go Wrong? If you see the [info] or [error] log messages below, check the ZyWALL/USG Phase 1 Settings. Both the ZyWALL/USG and the SonicWALL must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA. MONITOR >...
  • Page 227 MONITOR > Log Make sure the security policies on both the ZyWALL/USG and the SonicWALL allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
  • Page 229: How to Configure IPSec VPN Failover

    How to Configure IPSec VPN Failover This example shows how to use the VPN Setup Wizard to create a site-to-site VPN with failover. The example shows how to configure the VPN tunnel at each site when one site has multiple WAN interfaces. When multi-WAN VPN failover is configured, IPSec VPN tunnels automatically fail over to a backup WAN interface if the primary WAN interface becomes unavailable.
  • Page 230: Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)

    Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ) In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG.
  • Page 231 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure Secure Gateway IP as the peer ZyWALL/USG’s WAN IP address (in the example, 172.100.30.54). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.
  • Page 232 Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
  • Page 233: Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)

    CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch) In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG.
  • Page 234 Quick Setup > VPN Setup Wizard > Wizard Type Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure Secure Gateway IP as the peer ZyWALL/USG’s WAN IP address (in the example, 172.101.30.68).
  • Page 235 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration) This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG.
  • Page 236 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity content of the remote IPSec router.
  • Page 237: Set Up the WAN Trunk (ZyWALL/USG_HQ)

    Configuration > VPN > IPSec VPN > VPN Gateway > Gateway Settings Set up the WAN Trunk (ZyWALL/USG_HQ) Go to CONFIGURATION > Interface > Trunk > User Configuration > Add. Add wan1 and wan2 as trunk Members and set the wan2 Mode to Passive. CONFIGURATION >...
  • Page 238: Set Up the Failover Command Line (ZyWALL/USG HQ)

    Go to CONFIGURATION > Interface > Trunk > Configuration. Select Disconnect Connection before Falling Back. In the Default WAN Trunk, set User Configured Trunk to the customized WAN trunk added in the previous step (Multi_WAN_Failover in this example). CONFIGURATION >...
  • Page 239 CONFIGURATION > Security Policy > Policy Control > Add corresponding If the Security Policy is created but you still cannot access the ZyWALL, go to CONFIGURATION > System > SSH, check that Enable is selected under General Settings, and make sure the Service Port is correct and matches the port in your terminal program. Then check that the Service Control Action is Accept.
  • Page 240: Test the IPSec VPN Tunnel

    Enter the command line in terminal mode (using Tera Term in this example). Tera Term command Test the IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION >...
  • Page 241: What Could Go Wrong?

    What Could Go Wrong? If you see the [info] or [error] log messages below, check the ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG devices at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA. MONITOR >...
  • Page 242 the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA. MONITOR > Log Make sure the security policies on both ZyWALL/USG devices at the HQ and Branch sites allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
  • Page 243: How to Configure L2TP over IPSec VPN while the ZyWALL/USG is behind a NAT Router

    How to Configure L2TP over IPSec VPN while the ZyWALL/USG is behind a NAT router This example shows how to use the VPN Setup Wizard to create an L2TP over IPSec VPN tunnel between ZyWALL/USG devices. The example shows how to configure the VPN tunnel at each site while the ZyWALL/USG is behind a NAT router.
  • Page 244: Set Up the L2TP VPN Tunnel on the ZyWALL/USG_HQ

    Set Up the L2TP VPN Tunnel on the ZyWALL/USG_HQ In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule that can be used with the remote Android Mobile Devices. Click Next. Quick Setup >...
  • Page 245 Assign the remote users an IP address range from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet. Click Next. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings) This screen provides a read-only summary of the VPN tunnel.
  • Page 246 Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed Go to CONFIGURATION >...
  • Page 247 Go to CONFIGURATION > VPN Connection > Policy > Local Policy and set it to the NAT router’s WAN IP address (in the example, 172.100.20.30). CONFIGURATION > VPN Connection > Policy > Local Policy Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add a User Name and Password (4-24 characters).
  • Page 248: Set Up the NAT Router (Using a ZyWALL USG Device in This Example)

    Set Up the NAT Router (Using ZyWALL USG device in this example) Go to CONFIGURATION > Network > NAT > Add. Select the Incoming Interface on which packets for the NAT rule must be received. Specify the User-Defined Original IP field and type the translated destination IP address that this NAT rule supports.
  • Page 249 CONFIGURATION > Network > NAT > Add Go to CONFIGURATION > Object > Address > Add and create an address object for the ZyWALL/USG_HQ’s WAN IP address (in the example, 192.168.1.33). CONFIGURATION > Object > Address Go to CONFIGURATION > Object > Service > Service Group and create a service group for the following UDP ports: UDP Port Number = 1701 →...
  • Page 250 Go to CONFIGURATION > Security Policy > Policy Control and add the corresponding rule to allow L2TP services. CONFIGURATION > Security Policy > Policy Control
  • Page 251: Test the L2TP over IPSec VPN Tunnel

    Test the L2TP over IPSec VPN Tunnel Use a smartphone or a PC to establish an L2TP VPN connection to the ZyWALL/USG. Configure the NAT router's public IP address as the L2TP server address on the client. This example uses an iOS device to test the result: To configure L2TP VPN in an iOS 8.4 device, go to Menu >...
  • Page 252 Set Secret to the Pre-Shared Key of the IPSec VPN gateway the ZyWALL/USG uses for L2TP VPN over IPSec (xyz12345 in this example). After you create a VPN configuration, slide the button right to the on position to initiate the L2TP VPN session.
  • Page 253 Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session.
  • Page 254: What Could Go Wrong?

    Menu > Settings > VPN > ZyXEL_L2TP What Could Go Wrong? If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group Settings. iOS mobile users must use the same Username and Password as configured in the ZyWALL/USG to establish the L2TP VPN.
  • Page 255 If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings. iOS mobile users must use the same Secret as configured in the ZyWALL/USG to establish the IKE SA. If the Phase 1 IKE SA process has completed but you still see an [info] log message like the one below, check the ZyWALL/USG Phase 2 Settings.
  • Page 256: How to Configure L2TP VPN with Android 5.0 Mobile Devices

    How to Configure L2TP VPN with Android 5.0 Mobile Devices This example shows how to use the VPN Setup Wizard to create an L2TP VPN between a ZyWALL/USG and an Android 5.0 mobile device. The example shows how to configure the VPN tunnel at each site. When the VPN tunnel is configured, each site can be accessed securely and traffic from L2TP clients can go to the Internet.
  • Page 257: Set Up the L2TP VPN Tunnel on the ZyWALL/USG

    Set Up the L2TP VPN Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule that can be used with the remote Android mobile devices.
  • Page 258 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Assign the remote users an IP address range from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet. Click Next. Quick Setup >...
  • Page 259 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed Go to CONFIGURATION >...
  • Page 260 CONFIGURATION > VPN > L2TP VPN > Create new Object > User If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection.
  • Page 261: Set Up the L2TP VPN Tunnel on the Android Device

    CONFIGURATION > Network > Routing > Policy Route Set Up the L2TP VPN Tunnel on the Android Device To configure L2TP VPN on an Android device, go to Menu > Settings > Wireless & Networks > VPN settings > Add VPN > Add L2TP/IPSec PSK VPN and configure as follows.
  • Page 262 Set VPN server to the ZyWALL/USG’s WAN IP address. Set IPSec pre-shared key to the pre-shared key of the IPSec VPN gateway the ZyWALL/USG uses for L2TP VPN over IPSec (zyx12345 in this example).
  • Page 263 Leave Enable L2TP secret disabled (the default). If you need to use the internal DNS servers once your connection is made, turn on DNS search domains and enter the DNS server address here. Click Save. Click the VPN rule ZyXEL_L2TP to begin the VPN connection.
  • Page 264 When dialing the L2TP VPN, the user has to enter a Username/Password. These are the same as the Allowed User created in the ZyWALL/USG (L2TP_Remote_Users/zyx168 in this example).
  • Page 265: Test the L2TP over IPSec VPN Tunnel

    Test the L2TP over IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 266 Go to the Android mobile device Menu > Settings > Wireless & Networks > VPN and verify the connection status. Menu > Settings > Wireless & Networks > VPN
  • Page 267: What Could Go Wrong?

    What Could Go Wrong? If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group Settings. Android mobile users must use the same Username and Password as configured in the ZyWALL/USG to establish the L2TP VPN. If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings.
  • Page 268 Make sure the ZyWALL/USG units’ security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. Verify that the Zone is set correctly in the Zone object. This should be set to the IPSec_VPN Zone so that security policies are applied properly.
  • Page 269: How to Configure L2TP VPN with iOS 8.4 Mobile Devices

    How to Configure L2TP VPN with iOS 8.4 Mobile Devices This example shows how to use the VPN Setup Wizard to create an L2TP VPN between a ZyWALL/USG and an iOS 8.4 mobile device. The example shows how to configure the VPN tunnel at each site. When the VPN tunnel is configured, each site can be accessed securely and traffic from L2TP clients can go to the Internet.
  • Page 270 Then, configure the Rule Name and set My Address to the wan1 interface, which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters). Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Assign the remote users an IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet.
  • Page 271 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN >...
  • Page 272 Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add a User Name and Password (4-24 characters). Then set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example). CONFIGURATION > VPN > L2TP VPN > Create new Object > User
  • Page 273 If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection. Set the Source Address to the L2TP address pool.
  • Page 274 CONFIGURATION > Network > Routing > Policy Route
  • Page 275: Set Up the L2TP VPN Tunnel on the iOS Device

    Set Up the L2TP VPN Tunnel on the iOS Device To configure L2TP VPN on an iOS 8.4 device, go to Menu > Settings > VPN > Add VPN Configuration and configure as follows. Description is for you to identify the VPN configuration. Set Server to the ZyWALL/USG’s WAN IP address (172.124.163.150 in this example).
  • Page 276: Test the L2TP over IPSec VPN Tunnel

    After you create a VPN configuration, slide the button right to the on position to initiate the L2TP VPN session. Test the L2TP over IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected.
  • Page 277 Hub_HQ > MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session. MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users
  • Page 278 Go to the iOS mobile device Menu > Settings > VPN > ZyXEL_L2TP and verify the Assigned IP Address and Connect Time. Menu > Settings > VPN > ZyXEL_L2TP
  • Page 279: What Could Go Wrong?

    What Could Go Wrong? If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group Settings. iOS mobile users must use the same Username and Password as configured in the ZyWALL/USG to establish the L2TP VPN. If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings.
  • Page 280 Make sure the ZyWALL/USG units’ security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. Verify that the Zone is set correctly in the Zone object. This should be set to the IPSec_VPN Zone so that security policies are applied properly.
  • Page 281: How to Import ZyWALL/USG Certificate for L2TP over IPsec in Windows 10

    How to Import ZyWALL/USG Certificate for L2TP over IPsec in Windows 10 This is an example of using the L2TP VPN and VPN client software included in the Windows 10 operating system. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG, and traffic from L2TP clients can go to the Internet from a Windows 10 computer.
  • Page 282 Then, configure the Rule Name and set My Address to the wan1 interface, which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters). Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Assign the L2TP users’ IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet.
  • Page 283 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary)
  • Page 284 Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed Go to CONFIGURATION >...
  • Page 285 CONFIGURATION > VPN > L2TP VPN > Create new Object > User If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection.
  • Page 286: Export a Certificate from ZyWALL/USG and Import it to Windows 10 Operating System

    CONFIGURATION > Network > Routing > Policy Route Export a Certificate from ZyWALL/USG and Import it to Windows 10 Operating System Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit. CONFIGURATION >...
  • Page 287 Export the default certificate from the ZyWALL/USG with its private key (protected with the password zyx123 in this example). CONFIGURATION > Object > Certificate > default > Edit > Export Certificate with Private Key Save the default certificate as a *.p12 file on the Windows 10 computer. default.p12 In the Windows 10 operating system, go to Start Menu > Search Box. Type mmc and press Enter.
  • Page 288 In the mmc console window, click File > Add/Remove Snap-in... File > Add/Remove Snap-in... In the Available snap-ins, select Certificates and click Add. Then click Finish. Press OK to close the Snap-ins window. Available snap-ins > Certificates > Add
  • Page 289 In the mmc console window, go to Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificates > All Tasks > Import… and click Next.
  • Page 290 Click Browse... and locate the .p12 file you downloaded earlier. Then click Next. Type zyx123 in the Password field and click Next.
  • Page 291 Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish. Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate is created when the ZyWALL/USG boots the next time.
  • Page 292: Set Up the L2TP VPN Tunnel on Windows 10

    Set Up the L2TP VPN Tunnel on Windows 10 To configure L2TP VPN in the Windows 10 operating system, go to Start > Settings > Network & Internet > VPN > Add a VPN Connection and configure as follows. Set VPN Provider to Windows (built-in).
  • Page 293 Go to Control Panel > Network and Internet > Network Connections, right-click the connection and select Properties. Continue to Security > Advanced settings and select Use Certificate for authentication.
  • Page 295 Go to the Network & Internet Settings window and click Connect.
  • Page 296: Test the L2TP over IPSec VPN Tunnel

    Test the L2TP over IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 297 In the Windows 10 operating system, go to Start > Settings > Network & Internet > VPN; the connection shows Connected status. Menu > Settings > VPN > ZyXEL_L2TP
  • Page 298: What Could Go Wrong?

    What Could Go Wrong? If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group Settings. Windows 10 users must use the same Username and Password as configured in the ZyWALL/USG to establish the L2TP VPN. If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings.
  • Page 299 Make sure the ZyWALL/USG units’ security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. Verify that the Zone is set correctly in the VPN Connection rule. This should be set to the IPSec_VPN Zone so that security policies are applied properly.
  • Page 300: How to Import ZyWALL/USG Certificate for L2TP over IPsec in iOS Mobile Phone

    How to Import ZyWALL/USG Certificate for L2TP over IPsec in iOS mobile phone This is an example of using the L2TP VPN and VPN client software included in Android mobile phone operating systems. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG, and traffic from L2TP clients can go to the Internet from an iOS mobile phone.
  • Page 301 Then, configure the Rule Name and set My Address to the wan1 interface, which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters). Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Assign the L2TP users’ IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet.
  • Page 302 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen.
  • Page 303 Go to CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN, change the Authentication method to Certificate and select the certificate which the ZyWALL/USG uses to identify itself to the Android mobile phone. CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN > Authentication > Certificate Go to CONFIGURATION >...
  • Page 304: Export a Certificate from ZyWALL/USG and Import it to iOS Mobile Phone

    Export a Certificate from ZyWALL/USG and Import it to iOS Mobile Phone Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit. CONFIGURATION > Object > Certificate > default Export the default certificate from the ZyWALL/USG with its private key (protected with the password zyx123 in this example) CONFIGURATION >...
  • Page 305: Set Up the L2TP VPN Tunnel on the iOS Mobile Device

    default.p12 Set Up the L2TP VPN Tunnel on the iOS Mobile Device To configure L2TP VPN in the iOS operating system, go to Start > Settings > Network & Internet > VPN > Add a VPN Connection and configure as follows. Set VPN Provider to Windows (built-in).
  • Page 306 Go to Control Panel > Network and Internet > Network Connections, right-click the connection and select Properties. Continue to Security > Advanced settings and select Use Certificate for authentication.
  • Page 307 Go to the Network & Internet Settings window and click Connect.
  • Page 308: Test the L2TP over IPSec VPN Tunnel

    Test the L2TP over IPSec VPN Tunnel 1. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection 2.
  • Page 309: What Could Go Wrong

    3. Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session. MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users 4. Go to iOS operating system Start > Settings > Network & Internet > VPN and check that it shows Connected status.
  • Page 310 2. If you see an [info] or [error] log message like the one below, check the ZyWALL/USG Phase 1 Settings. iOS users must use the same Pre-Shared Key as configured on the ZyWALL/USG to establish the IKE SA. 3. If you see that the Phase 1 IKE SA process has completed but still get an [info] log message like the one below, check the ZyWALL/USG Phase 2 Settings.
  • Page 311: How to Import ZyWALL/USG Certificate for L2TP over IPSec in Android Mobile Phone

    How to Import ZyWALL/USG Certificate for L2TP over IPsec in Android mobile phone This is an example of using the L2TP VPN and the VPN client software included in Android mobile phone operating systems. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG, and traffic from L2TP clients on an Android mobile phone can be allowed to go to the Internet.
  • Page 312 Then, configure the Rule Name and set My Address to the wan1 interface, which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters). Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Assign the L2TP users’ IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet.
  • Page 313 This screen provides a read-only summary of the VPN tunnel. Click Save. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary) Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen.
  • Page 314 Go to CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN, change Authentication method to Certificate and select the certificate which the ZyWALL/USG uses to identify itself to the Android mobile phone. CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN > Authentication > Certificate Go to CONFIGURATION >...
  • Page 316: Export a Certificate from ZyWALL/USG and Import It to Android Mobile Phone

    Export a Certificate from ZyWALL/USG and Import it to Android Mobile Phone Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit. CONFIGURATION > Object > Certificate > default Export the default certificate from the ZyWALL/USG with its Private Key (zyx123 in this example). CONFIGURATION >...
  • Page 317: Set Up the L2TP VPN Tunnel on the Android Mobile Device

    Set Up the L2TP VPN Tunnel on the Android Mobile Device To configure L2TP VPN in Android, go to Start > Settings > Network & Internet > VPN > Add a VPN Connection and configure as follows. VPN Provider set to Windows (built-in). Configure a Connection name for you to identify the VPN configuration.
  • Page 318 Go to Control Panel > Network and Internet > Network Connections and right-click Properties. Continue to Security > Advanced settings and select Use Certificate for authentication.
  • Page 320: Test the L2TP over IPSec VPN Tunnel

    Go to the Network & Internet Settings window and click Connect. Test the L2TP over IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected. CONFIGURATION >...
  • Page 321 Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of the ICMP connectivity check. Hub_HQ > MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN Go to ZyWALL/USG MONITOR >...
  • Page 322: What Could Go Wrong

    What Could Go Wrong? If you see an [alert] log message like the one below, check the ZyWALL/USG L2TP Allowed User or User/Group Settings. Android users must use the same Username and Password as configured on the ZyWALL/USG to establish the L2TP VPN. If you see an [info] or [error] log message like the one below, check the ZyWALL/USG Phase 1 Settings.
  • Page 323 If you cannot access devices in the local network, verify that the devices in the local network use the USG’s IP address as their default gateway so that they can use the L2TP tunnel. Make sure the ZyWALL/USG units’ security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
  • Page 324: How to Configure the L2TP VPN with Apple MAC OS X 10.11 Operating System

    How to Configure the L2TP VPN with Apple MAC OS X 10.11 Operating System This is an example of using the L2TP VPN and the VPN client software included in the Apple MAC OS X 10.11 El Capitan operating system. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG, and traffic from L2TP clients on an Apple computer can be allowed to go to the Internet.
  • Page 325 Then, configure the Rule Name and set My Address to the wan1 interface, which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters). Quick Setup > VPN Setup Wizard > Welcome > VPN Settings
  • Page 326 Configure the L2TP users’ IP address range from 192.168.30.10 to 192.168.30.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN. Click OK. Quick Setup > VPN Setup Wizard > Welcome > VPN Settings Continue to the next page to review your Summary and click Save. Quick Setup >...
  • Page 327 Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add a User Name and Password (4-24 characters). Then, set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example). CONFIGURATION > VPN > L2TP VPN > Create new Object > User
  • Page 328 If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection. Set the Source Address to the L2TP address pool.
  • Page 329 CONFIGURATION > Network > Routing > Policy Route
  • Page 330: Set Up the L2TP VPN Tunnel on the Apple MAC OS X 10.11 El Capitan Operating System

    Set Up the L2TP VPN Tunnel on the Apple MAC OS X 10.11 El Capitan Operating System To configure L2TP VPN in the OS X 10.11 operating system, go to System Preferences… > Network, click the "+" button at the bottom left of the connections list to add a new connection and configure as follows.
  • Page 331 In the User Authentication section, enter the Password, which should be the same as for the Allowed User created on the ZyWALL/USG (zyx123 in this example). In the Machine Authentication section, enter the Shared Secret, which is the pre-shared key of the IPSec VPN gateway the ZyWALL/USG uses for L2TP VPN over IPSec (zyx12345 in this example).
  • Page 332: Test the L2TP over IPSec VPN Tunnel

    Go back to Configuration and click Connect. Test the L2TP over IPSec VPN Tunnel Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected. CONFIGURATION > VPN > IPSec VPN > VPN Connection Go to ZyWALL/USG MONITOR >...
  • Page 333 MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session. MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users Go to MAC OS X System Preferences… > Network, which shows the Connected status, Connect Time and assigned IP Address.
  • Page 334: What Could Go Wrong

    What Could Go Wrong? If you see an [alert] log message like the one below, check the ZyWALL/USG L2TP Allowed User or User/Group Settings. Apple MAC OS X El Capitan operating system users must use the same Username and Password as configured on the ZyWALL/USG to establish the L2TP VPN.
  • Page 335 If you see that the Phase 1 IKE SA process has completed but still get an [info] log message like the one below, check the ZyWALL/USG Phase 2 Settings. The ZyWALL/USG unit must have the correct Local Policy set to establish the IKE SA. Ensure that the L2TP Address Pool does not conflict with any existing LAN1, LAN2, DMZ, or WLAN zones, even if they are not in use.
  • Page 336: How to Configure If I Want Users to Only See the SSL VPN Login Button in the Web Portal Login Page

    How to configure if I want users to only see the SSL VPN Login button in the web portal login page This example shows how to restrict portal access for SSL VPN clients. The example shows how to allow end users to see only the SSL VPN Login button in the web portal login screen, and how to ensure the administrator can only manage the device from the LAN.
  • Page 337: Set Up the DNS Service

    Set Up the DNS Service In this scenario, you need a DNS host to fulfill the requirement. In this example, go to https://www.noip.com/ to register an account and create a DNS host. The IP address mapped to the host is the public IP address of the ZyWALL/USG's WAN interface.
  • Page 338: Set Up the ZyWALL/USG System Setting

    CONFIGURATION > Security Policy > Policy Control Set Up the ZyWALL/USG System Setting Go to CONFIGURATION > System > WWW > Admin Service Control > Add Admin ACL Rule 1. Set the access action to Deny for ALL addresses on the WAN. CONFIGURATION >...
  • Page 339: Test the SSL VPN

    Test the SSL VPN Type in the URL (https://sslvpnzyxeltest.ddns.net) and you will only see the SSL VPN Login button in the web portal screen. Type in the URL (https://sslvpnzyxeltest.ddns.net)
  • Page 340 Log in to the device via the WAN interface with the administrator's user name and password. The screen will show Login denied. Login to the device via the WAN interface Log in to the device via the LAN interface with the administrator's user name and password.
  • Page 341 Login to the device via the LAN interface
  • Page 342 Go to MONITOR > Log. You can see that the admin login has been denied access from the WAN interface but is allowed from the LAN interface. MONITOR >...
  • Page 343: How to Deploy SSL VPN with Windows 10 Operating System

    How to Deploy SSL VPN with Windows 10 Operating System This is an example of using the ZyWALL/USG SSL VPN client software on the Windows 10 operating system for secure connections to the network behind the ZyWALL/USG. When the VPN tunnel is configured, users can securely access the network from a Windows 10 computer.
  • Page 344: Set Up the SSL VPN Tunnel on the ZyWALL/USG

    Set Up the SSL VPN Tunnel on the ZyWALL/USG On the ZyWALL/USG, go to CONFIGURATION > VPN > SSL VPN > Access Privilege to add an Access Policy. Configure a Name for you to identify the SSL VPN configuration. CONFIGURATION >...
  • Page 345 Go to Create new Object > Application to add the servers that SSL_VPN_1_Users will be allowed to access, then click OK. CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Application
  • Page 346 Go to Create new Object > Address to add an IP address pool for SSL_VPN_1_Users. CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Address
  • Page 347 Then, move the newly created address object to Selected User/Group Objects. Similarly, in SSL Application List (Optional), move the servers you want available to SSL users to Selected Application Objects. CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > User/Group &...
  • Page 348: Set Up the SSL VPN Tunnel on the Windows 10 Operating System

    Set Up the SSL VPN Tunnel on the Windows 10 Operating System Type the ZyWALL/USG’s WAN IP into the browser; the login screen appears. Enter the User Name and Password, which are the same as your ZyWALL/USG SSL VPN Selected User/Group name and password (SSL_VPN_1_Users/zyx168 in this example).
  • Page 349 The Welcome dialog box appears. Click OK to start the ZyWALL SecuExtender installation. Click Continue if you see a Security Warning. Click Run.
  • Page 350 The ZyWALL SecuExtender Setup Wizard dialog box appears. Click Next and Install to complete the installation. Then, click Yes to restart your system with the configuration changes, or No if you plan to restart manually later.
  • Page 351 After restarting your system, type the ZyWALL/USG’s WAN IP into the browser to display the login screen. Enter the User Name and Password, which are the same as your ZyWALL/USG SSL VPN Selected User/Group name and password (SSL_VPN_1_Users/zyx168 in this example). Click SSL VPN. Click Allow if you see an Internet Explorer Security warning.
  • Page 352: Test the SSL VPN Tunnel

    Test the SSL VPN Tunnel Go to ZyWALL/USG MONITOR > VPN Monitor > SSL and verify the tunnel Login Address, Connected Time and the Inbound(Bytes)/Outbound(Bytes) traffic. MONITOR > VPN Monitor > SSL > SSL_VPN_1_Users Go to the Windows 10 ZyWALL SecuExtender Status, where you can check the Connection Status, Connect Time, and Transmitted and Received traffic.
  • Page 353: What Could Go Wrong

    What Could Go Wrong? If you see a [notice] or [alert] log message like the one below, check the ZyWALL/USG SSL Selected User/Group Objects settings. Windows 10 users must use the same Username and Password as configured on the ZyWALL/USG to establish the SSL VPN tunnel.
  • Page 354: How to Deploy SSL VPN with Apple Mac OS X 10.10 Operating System

    How to Deploy SSL VPN with Apple Mac OS X 10.10 Operating System This is an example of using the ZyWALL/USG SSL VPN client software on the Apple MAC OS X 10.10 Yosemite operating system for secure connections to the network behind the ZyWALL/USG.
  • Page 355: Set Up the SSL VPN Tunnel on the ZyWALL/USG

    Set Up the SSL VPN Tunnel on the ZyWALL/USG On the ZyWALL/USG, go to CONFIGURATION > VPN > SSL VPN > Access Privilege to add an Access Policy. Configure a Name for you to identify the SSL VPN configuration. CONFIGURATION >...
  • Page 356 CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > User Go to Create new Object > Application to add the servers that SSL_VPN_1_Users are allowed to access, then click OK.
  • Page 357 CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Application Go to Create new Object > Address to add the IP address pool for SSL_VPN_1_Users.
  • Page 358 CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Address Then, move the newly created address object to Selected User/Group Objects. Similarly, in SSL Application List (Optional), move the servers you want available to SSL users to Selected Application Objects.
  • Page 359 CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > User/Group & SSL Application Scroll down to Network Extension (Optional) and select Enable Network Extension to allow SSL VPN users to access the resources on the ZyWALL/USG local network. Select the network name(s) in the Selectable Address Objects list and click the right arrow button to add them to the Selected Address Objects list.
  • Page 360: Set Up the SSL VPN Tunnel on the Apple Mac OS X 10.10 Operating System

    Set Up the SSL VPN Tunnel on the Apple MAC OS X 10.10 Operating System Download the SSL VPN client software, ZyWALL SecuExtender for MAC, from the ZyXEL Global Website and double-click the downloaded file to install it.
  • Page 361 Go to ZyWALL SecuExtender > Preferences and click the "+" button at the bottom left to add a new SSL VPN connection.
  • Page 362 Configure the Connection Name for you to identify the SSL VPN configuration. Then, set the Remote Server Address to the WAN IP of the ZyWALL/USG (172.16.1.33 in this example). Click Save.
  • Page 363 There are two methods to initiate SSL VPN connections: from ZyWALL SecuExtender, or from a web browser. From ZyWALL SecuExtender Go to ZyWALL SecuExtender > Connect > SSL_VPN to display the username and password dialog box. Set the Username and Password to the same values as your ZyWALL/USG SSL VPN Selected User/Group name and password (SSL_VPN_1_Users/zyx168 in this example).
  • Page 364: Test the SSL VPN Tunnel

    Test the SSL VPN Tunnel Go to ZyWALL/USG MONITOR > VPN Monitor > SSL and verify the tunnel Login Address, Connected Time and the Inbound(Bytes)/Outbound(Bytes) traffic. MONITOR > VPN Monitor > SSL > SSL_VPN_1_Users Go to ZyWALL SecuExtender > Details and check the Traffic Graph, Network Traffic Statistics and Log Details.
  • Page 365 ZyWALL SecuExtender > Details > Traffic Graph ZyWALL SecuExtender > Details > Network Traffic Statistics
  • Page 366 ZyWALL SecuExtender > Details > Log Details
  • Page 367: What Could Go Wrong

    What Could Go Wrong? If you see a [notice] or [alert] log message like the one below, check the ZyWALL/USG SSL Selected User/Group Objects settings. MAC OS X 10.10 Yosemite users must use the same Username and Password as configured on the ZyWALL/USG to establish the SSL VPN tunnel.
  • Page 368 If you uploaded a logo to show in the SSL VPN user screens but it does not display properly, check that the logo graphic is in GIF, JPG, or PNG format. The graphic should use a resolution of 103 x 29 pixels to avoid distortion when displayed. The ZyWALL/USG automatically resizes a graphic of a different resolution to 103 x 29 pixels.
  • Page 369: How to Configure SSL VPN for Remote Access Mobile Devices

    How To Configure SSL VPN for Remote Access Mobile Devices This is an example of using the ZyWALL/USG SSL VPN to let remote access mobile devices securely connect to the File Sharing Server behind the ZyWALL/USG. ZyWALL/USG SSL VPN for Secure External Access to Network Resources Note: All network IP addresses and subnet masks in this article are examples.
  • Page 370 On the ZyWALL/USG, go to CONFIGURATION > VPN > SSL VPN > Access Privilege to add an Access Policy. Configure a Name for you to identify the SSL VPN configuration. CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Configuration Go to Create new Object >...
  • Page 371 Go to Create new Object > Application to add the servers that SSL_VPN_1_Users will be allowed to access. Click OK. CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > Create new Object > Application Then, move the newly created address object to Selected User/Group Objects. Similarly, in SSL Application List (Optional), move the servers you want available to SSL users to Selected Application Objects.
  • Page 372: Test the SSL VPN Tunnel

    CONFIGURATION > VPN > SSL VPN > Access Privilege > Access Policy > User/Group & SSL Application Test the SSL VPN Tunnel Type the ZyWALL/USG’s WAN IP into the browser; the login screen appears. Enter the User Name and Password, which are the same as your ZyWALL/USG SSL VPN Selected User/Group name and password (SSL_VPN_1_Users/zyx168 in this example).
  • Page 373 The File Sharing server appears. Click the File Sharing folder you want to access, enter the User Name/Password of your File Sharing server and click Login.
  • Page 374 Now you can securely access the files.
  • Page 375: What Could Go Wrong

    What Could Go Wrong? If you see a [notice] or [alert] log message like the one below, check the ZyWALL/USG SSL Selected User/Group Objects settings. Windows 10 users must use the same Username and Password as configured on the ZyWALL/USG to establish the SSL VPN tunnel.
  • Page 376: How to Configure an SSL VPN Tunnel (with SecuExtender Version 4.0.0.1) on the Windows 10 Operating System

    How to Configure an SSL VPN Tunnel (with SecuExtender version 4.0.0.1) on the Windows 10 Operating System Set up the SSL VPN Tunnel with Windows 10 Download SecuExtender version 4.0.0.1 from the download library of ZyXEL’s official website. Before you start installing SecuExtender, you must install the “Visual C++ 2015 Redistributable”...
  • Page 379 Double-click the shortcut icon on your desktop. It is the same as the SSL VPN standalone software on MAC OS X. Enter the server’s IP or domain name, user name,
  • Page 380: What Can Go Wrong

    and password to connect to the server. The example below shows that the client IP is 7.7.7.1; you can also check the traffic statistics in the Status screen. You can verify the connection status from the computer’s taskbar icon. When connected, the icon is blue.
  • Page 381 If you have uploaded a logo to show on the SSL VPN user screens but it does not display properly, check that the logo graphic is in GIF, JPG, or PNG format. The graphic should use a resolution of 103 x 29 pixels to avoid distortion when displayed. The ZyWALL/USG automatically resizes a graphic of a different resolution to 103 x 29 pixels.
  • Page 382: How to Redirect Multiple LAN Interface Traffic to the VPN Tunnel

    How to redirect multiple LAN interface traffic to the VPN tunnel This example shows how to use the VPN Setup Wizard to create a site-to-site VPN with multiple LAN access to the VPN tunnel. The example shows how to configure the VPN tunnel between each site and redirect traffic from multiple LAN interfaces to the VPN tunnel.
  • Page 383: Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)

    Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ) On the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG.
  • Page 384 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure Secure Gateway IP as the peer ZyWALL/USG’s WAN IP address (172.100.30.54 in this example). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.
  • Page 385 Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
  • Page 386: Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)

    CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch) On the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with the remote ZyWALL/USG.
  • Page 387 Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters. This value is case-sensitive. Click Next. Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario) Configure Secure Gateway IP as the peer ZyWALL/USG’s WAN IP address (172.101.30.68 in this example).
  • Page 388 Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.
  • Page 389: Set Up the Policy Route (ZyWALL/USG_HQ)

    CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type Set up the Policy Route (ZyWALL/USG_HQ) Go to ZyWALL/USG_HQ CONFIGURATION > Network > Routing > Add. Set Source Address to the subnet that is allowed to join the VPN tunnel (192.168.2.0/24 in this example).
  • Page 390: Set Up the Policy Route (ZyWALL/USG_Branch)

    CONFIGURATION > Network > Routing > Add Set up the Policy Route (ZyWALL/USG_Branch) Go to ZyWALL/USG_Branch CONFIGURATION > Network > Routing > Add and create an Address object for the remote LAN subnet that is allowed to join the VPN tunnel (192.168.2.0/24 in this example). CONFIGURATION >...
  • Page 391: Test the IPSec VPN Tunnel

    Go to ZyWALL/USG_Branch CONFIGURATION > Network > Routing > Add. Set Source Address to the local subnet (192.168.10.0/24 in this example). Set Destination Address to the remote LAN subnet that is allowed to join the VPN tunnel (192.168.2.0/24 in this example). CONFIGURATION >...
  • Page 392 To test whether or not a tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices). PC at HQ Office > Windows 7 > cmd > ping 192.168.10.33 PC at Branch Office >...
  • Page 393: What Could Go Wrong

    What Could Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG units at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 394 Make sure the security policies of both ZyWALL/USG units at the HQ and Branch sites allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
  • Page 395: How to Create VTI and Configure VPN Failover with VTI

    How to Create VTI and Configure VPN Failover with VTI This example illustrates how to create a VTI object and configure a policy route with the VTI. Furthermore, it applies the VTI to the WAN trunk to achieve VPN load balancing.
  • Page 396: Set Up the ZyWALL/USG VTI of Corporate Network (HQ)

    Set Up the ZyWALL/USG VTI of Corporate Network (HQ) On the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add to create the VPN gateway HQ1 with wan1. CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add In the same screen, create the VPN gateway HQ2 with wan2.
  • Page 397 Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add and configure a VPN tunnel for the VPN gateway HQ1. Select VPN Tunnel Interface as the application scenario. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add In the same screen, create a VPN tunnel for the VPN gateway HQ2.
  • Page 398 Go to CONFIGURATION > Network > Interface > VTI > Add to create a VTI for the VPN tunnel HQ1. Enable the connectivity check. Enter the IP address of vti1, which is configured on USG2. CONFIGURATION > Network > Interface > VTI > Add CONFIGURATION >...
  • Page 399 CONFIGURATION > Network > Interface > VTI > Add CONFIGURATION > Network > Interface > VTI > vti2 > Connectivity Check Go to CONFIGURATION > Network > Interface > Trunk > User Configuration > Add to create a new trunk. Add vti1 and vti2 to the new trunk. CONFIGURATION >...
  • Page 400 Source Address: LAN1_SUBNET (192.168.1.0/24) Destination Address: BO_subnet (192.168.11.0/24) Next-Hop: HQ_vti_trunk SNAT: none CONFIGURATION > Network > Routing > Policy Route > Add Connect the VPN tunnels when the VTIs are ready. Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection to connect the VPN tunnels. CONFIGURATION >...
  • Page 401: Set Up the ZyWALL/USG VTI of Corporate Network (Branch)

    10. Go to CONFIGURATION > Network > Interface > VTI. You will see that the status of the VTI is up when the corresponding VPN tunnel is established. CONFIGURATION > Network > Interface > VTI Set Up the ZyWALL/USG VTI of Corporate Network (Branch) On the ZyWALL/USG, go to CONFIGURATION >...
  • Page 402 In the same screen, create the VPN gateway BO2 with wan2. CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add and configure a VPN tunnel for the VPN gateway BO1. Select VPN Tunnel Interface as the application scenario.
  • Page 403 In the same screen, create a VPN tunnel for the VPN gateway BO2. Select VPN Tunnel Interface as the application scenario. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add Go to CONFIGURATION > Network > Interface > VTI > Add to create a VTI for the VPN tunnel BO1.
  • Page 404 CONFIGURATION > Network > Interface > VTI > vti1 > Connectivity Check In the same screen, create a VTI for the VPN tunnel BO2. Be aware that the IP address of this VTI must be in the same subnet as vti2 on USG1. In this example, the IP address and subnet mask of vti2 on USG1 are 10.10.11.10 and 255.255.255.0 respectively.
  • Page 405 CONFIGURATION > Network > Interface > VTI > vti1 > Connectivity Check Go to CONFIGURATION > Network > Interface > Trunk > User Configuration > Add to create a new trunk. Add vti1 and vti2 to the new trunk. CONFIGURATION >...
  • Page 406 Go to CONFIGURATION > Network > Routing > Policy Route > Add to configure a policy route. Source Address: LAN1_SUBNET (192.168.11.0/24) Destination Address: HQ_subnet (192.168.1.0/24) Next-Hop: BO_vti_trunk SNAT: none CONFIGURATION > Network > Routing > Policy Route > Add Connect the VPN tunnels when the VTIs are ready.
  • Page 407: Test the IPSec VPN Tunnel

    CONFIGURATION > VPN > IPSec VPN > VPN Connection > Connect 10. Go to CONFIGURATION > Network > Interface > VTI. You will see that the status of the VTI is up when the corresponding VPN tunnel is established. CONFIGURATION >...
  • Page 408 To test whether or not VPN failover is working, unplug wan1 of USG1. Then ping from a PC in LAN1 of USG1 to a PC in LAN1 of USG2 and vice versa. Check the VPN status of USG1 in the MONITOR > VPN Monitor > IPSec screen. PC of USG1 (192.168.1.34) >...
  • Page 409: What Can Go Wrong

    What Can Go Wrong? If you see the [info] or [error] log message below, check the ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG units at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
  • Page 410 MONITOR > Log Make sure the security policies of both ZyWALL/USG units at the HQ and Branch sites allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
  • Page 411: How To Configure The Usg When Using A Cloud Based Sip System

    How to configure the USG when using a Cloud Based SIP system. This example shows how to configure the USG when a cloud-based SIP system is in use. IP phones are increasingly common; the USG supports the scenario in which IP phones located on the LAN connect to the Internet to register with the SIP server.
  • Page 412: Set Up The Sip Alg

    Set Up the SIP ALG. Go to CONFIGURATION > Network > ALG and check “Enable SIP ALG”. Also check “Enable SIP Transformations” if the SIP content (the addresses carried inside the SIP headers and SDP body) needs to be rewritten by the USG. Then click “Apply”. CONFIGURATION > Network > ALG. Direct-media and Direct-signalling are activated from ZLD 4.25 onward.
  • Page 413: Test Result

    To turn them off from the CLI:
    Router(config)# no alg sip direct-signalling
    Router(config)# no alg sip direct-media
    Test result: Connect a SIP phone to the USG and check its registration status. It registers successfully. Check the SIP registration status on the PBX as well. What could go wrong? The SIP phone does not support the transformation itself, but “SIP Transformations” is not checked.
  • Page 414: How To Block Https Websites By Domain Filter Without Applying Ssl Inspection

    How to block HTTPS websites by Domain Filter without applying SSL Inspection. The Content Filter with HTTPS Domain Filter allows you to block HTTPS websites by category without SSL Inspection. The filtering is based on more than 50 Managed Categories built into the ZyWALL/USG, such as pornography, gambling and hacking.
  • Page 415: Set Up The Content Filter On The Zywall/Usg

    Set Up the Content Filter on the ZyWALL/USG. Go to CONFIGURATION > UTM Profile > Content Filter > Profile > General Settings. Select Enable HTTPS Domain Filter for HTTPS traffic. Go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter Profile >...
  • Page 416 Scroll down to the Managed Categories section and select categories to control access to specific types of Internet content. You must have the Content Filtering license to filter these categories.
  • Page 417: Set Up The Security Policy On The Zywall/Usg

    Set Up the Security Policy on the ZyWALL/USG. Go to CONFIGURATION > Security Policy > Policy Control and configure a Name to identify the Security Policy. Scroll down to UTM Profile, select Content Filter and select a profile from the list box (Social_Net_Block in this example). Set Up the System Policy on the ZyWALL/USG. Go to CONFIGURATION >...
  • Page 418: Test The Result

    Test the Result. Type http://www.facebook.com/ or https://www.facebook.com/ into the browser; an error message appears instead of the site.
  • Page 419 Go to the ZyWALL/USG MONITOR > Log; you will see [alert] log messages such as the ones below. The HTTP traffic log shows (Content Filter) and the HTTPS traffic log shows (HTTPS Domain Filter) in the message field. MONITOR > Log
  • Page 420: How To Configure Content Filter 2.0 With Geo Ip Blocking

    How to Configure Content Filter 2.0 with Geo IP Blocking. Content Filter 2.0 Geo IP blocking identifies the country an IP address belongs to and lets you block clients from reaching certain countries according to organizational policy.
  • Page 421: Set Up The Address Object With Geo Ip On The Zywall/Usg

    Set Up the Address Object with Geo IP on the ZyWALL/USG. Go to CONFIGURATION > Object > Address/Geo IP > Address > Add Address Rule. Go to CONFIGURATION > Object > Address/Geo IP > Address; you can see the customized GEOGRAPHY address.
  • Page 422: Set Up The Security Policy On The Zywall/Usg

    Set Up the Security Policy on the ZyWALL/USG. Go to CONFIGURATION > Security Policy > Policy Control and configure a Name to identify the Security Policy. Allow Geo IP traffic from WAN to LAN only when the source is in the local country (geo_allow_policy in this example). Go to CONFIGURATION >...
  • Page 423: Test The Result

    Test the Result. Type http://csosuppport.ddns.net/ into the browser; the HTTP site can be reached. Go to the ZyWALL/USG MONITOR > Log; you will see [notice] log messages such as the ones below. Traffic matching the Geo IP policy is blocked and shown in the message field.
  • Page 424: What Could Go Wrong

    What Could Go Wrong? 1. The Security Policy is configured incorrectly, so the traffic cannot reach the LAN server. 2. The Content Filter service has expired. The Geo IP service is bound to the Content Filter license, so the Content Filter service must still be within its licensed period.
  • Page 425: How To Configure Content Filter 2.0 With Https Domain Filter

    How to Configure Content Filter 2.0 with HTTPS Domain Filter. Application Scenario: The Content Filter with HTTPS Domain Filter allows you to block HTTPS websites by category without SSL Inspection. The filtering is based on 64 categories built into the ZyWALL/USG, such as pornography, gambling and hacking. When a client makes an HTTPS request, its TLS ClientHello carries the server FQDN in the Server Name Indication (SNI) extension, which is sent in the clear before encryption starts; the ZyWALL/USG classifies the request from that field without decrypting the session.
  • Page 426 Go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter Profile > Test Web Site Category. Type a URL to test its category and click Test Against Content Filter Category Server. You will see the category recorded in the external content filter server’s database for both the HTTP and HTTPS domain you specified.
  • Page 427: Set Up The Security Policy On The Zywall/Usg

    Scroll down to the Managed Categories section and select categories to control access to specific types of Internet content. You must have the Content Filtering license to filter these categories. Set Up the Security Policy on the ZyWALL/USG. Go to CONFIGURATION >...
  • Page 428: Set Up The System Policy On The Zywall/Usg

    Set Up the System Policy on the ZyWALL/USG. Go to CONFIGURATION > System > WWW > Show Advanced Settings > Other and click Enable Content Filter HTTPS Domain Filter Block/Warn Page.
  • Page 429: Test The Result

    Test the Result. Type http://www.facebook.com/ or https://www.facebook.com/ into the browser; an error message appears instead of the site.
  • Page 430: What Could Go Wrong

    Go to the ZyWALL/USG MONITOR > Log; you will see [alert] log messages such as the ones below. The HTTP traffic log shows (Content Filter) and the HTTPS traffic log shows (HTTPS Domain Filter) in the message field. MONITOR > Log. What Could Go Wrong? “Enable HTTPS Domain Filter for HTTPS traffic”...
  • Page 431: How To Block The Client Accessing To Certain Country Using Geo Ip And Content Filter

    How to block the client accessing a certain country using Geo IP and Content Filter. The Content Filter with Geo IP identifies the country an IP address belongs to and lets you block clients from reaching certain countries according to organizational policy. When a user makes an HTTP or HTTPS request, the ZyWALL/USG looks the IP address up in the MaxMind database and takes action when it matches a blocked country in the Content Filter profile.
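The two Geo IP sections (the WAN-to-LAN allow-only policy on page 422 and the LAN-to-WAN block policy above) both come down to a longest-prefix lookup from IP address to country followed by a policy decision. The following added example, which is not code from the handbook or from ZyXEL, shows that logic over a constructed prefix table; the real device uses the MaxMind database, and the RFC 5737 documentation ranges below are assigned to countries purely for illustration.

```python
"""Country lookup by longest-prefix match over a constructed IP-to-country
table, followed by the two Geo IP policy shapes the handbook configures.

Added example, not ZyXEL code. The prefixes are RFC 5737 documentation
ranges mapped to countries only for the example; the device itself queries
a MaxMind database.
"""
from ipaddress import ip_address, ip_network

# Constructed: prefix -> ISO 3166 country code. Not real geolocation data.
GEO_TABLE = [
    ("192.0.2.0/24", "TW"),
    ("198.51.100.0/24", "DE"),
    ("198.51.100.128/25", "CN"),     # more specific entry inside the DE block
    ("203.0.113.0/24", "US"),
]


def build_index(table):
    """Sort by prefix length, longest first, so the first hit is the most specific."""
    return sorted(((ip_network(p), cc) for p, cc in table),
                  key=lambda entry: entry[0].prefixlen, reverse=True)


GEO_INDEX = build_index(GEO_TABLE)


def country_of(ip: str, index=GEO_INDEX):
    """Return the country code for ip, or None when the database has no entry."""
    addr = ip_address(ip)
    for net, cc in index:
        if addr in net:
            return cc
    return None


def geo_policy(ip: str, mode: str, countries, index=GEO_INDEX) -> str:
    """'block' denies the listed countries (the LAN-to-WAN example);
    'allow-only' permits only the listed countries (the WAN-to-LAN example).
    Addresses missing from the database are denied under allow-only, which
    fails closed, and permitted under block, which fails open."""
    cc = country_of(ip, index)
    if mode == "block":
        return "deny" if cc in countries else "allow"
    if mode == "allow-only":
        return "allow" if cc in countries else "deny"
    raise ValueError(f"unknown mode {mode!r}")
```

The fail-open behaviour of block mode is worth keeping in mind when the Geo IP license lapses or the database is stale: an address the database cannot place is not blocked, so an allow-only policy on the WAN side is the safer shape for inbound access to a LAN server.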
  • Page 432: Check Geo Ip License Status On The Zywall/Usg

    Check Geo IP License Status on the ZyWALL/USG. Go to CONFIGURATION > Licensing > Registration > Service; the Geo IP Service must show Licensed before you can configure this feature. Set Up the Address Object with Geo IP on the ZyWALL/USG. Go to CONFIGURATION >...
  • Page 433: Set Up The Security Policy On The Zywall/Usg

    Group Rule: add all customized GEOGRAPHY addresses to the same Member object. Set Up the Security Policy on the ZyWALL/USG. Go to CONFIGURATION > Security Policy > Policy Control and configure a Name to identify the Security Policy. Set it to deny Geo IP traffic from LAN to WAN (geo_block_policy in this example).
  • Page 434: Test The Result

    Test the Result. Type http://www.pku.edu.cn/ or https://www.rwth-aachen.de/ into the browser; the sites cannot be reached.
  • Page 435 Go to the ZyWALL/USG MONITOR > Log; you will see [notice] log messages such as the ones below. Traffic matching the Geo IP policy is blocked and shown in the message field.
  • Page 437: How To Set Up Link Aggregation Group (Lag)

    How to set up Link Aggregation Group (LAG). A Link Aggregation Group (LAG) lets you combine several physical ports into a single high-bandwidth data path. Depending on the mode, the group provides load balancing, failover, or both.
  • Page 438 On the USG, go to Configuration > Network > Interface > LAG. Choose the interface type and zone appropriate to your case, and select the slave ports to add to the LAG interface. The interface is named lagx (x = 0~3). Link Monitoring: choose the link up/down detection method (specify the MII link monitoring frequency or the ARP interval).
  • Page 439 Updelay is the time to wait before enabling a slave port after the device detects link recovery. Downdelay is the time to wait before disabling a slave port after the device detects link failure. The target IP for ARP monitoring can be a Layer 3 device or a host, and must be reachable by the USG. 802.3ad (LACP) Mode: (Both devices need to be configured.
  • Page 440 Xmit Hash Policy: select layer2 or layer2+3. Select layer2 if the LAG interface connects to a Layer 2 subnet. Select layer2+3 if the LAG interface connects to a network through a router or a Layer 3 switch: with layer2 hashing, every frame to a host behind the router carries the router's MAC address as its destination, so all of that traffic hashes onto a single slave port and the other links sit idle.
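To make the layer2 versus layer2+3 choice concrete, the following added example (mine, not ZyXEL's) implements both transmit hash policies and counts how a set of flows spreads over two slave ports. The formulas are the ones documented for the Linux bonding driver's xmit_hash_policy; the handbook does not state which formulas ZLD uses, so that is an assumption, and the MAC and IP addresses are constructed.

```python
"""Transmit-slave selection under the layer2 and layer2+3 hash policies.

Added example, not ZyXEL code. The formulas are the ones documented for the
Linux bonding driver's xmit_hash_policy; the handbook does not say which
formulas ZLD implements, so that is an assumption here. MACs and IPs are
constructed.
"""
from ipaddress import ip_address

IPV4_ETHERTYPE = 0x0800


def _last_octet(mac: str) -> int:
    return int(mac.split(":")[-1], 16)


def layer2_slave(src_mac: str, dst_mac: str, slaves: int,
                 ethertype: int = IPV4_ETHERTYPE) -> int:
    """layer2: hash = src MAC[5] XOR dst MAC[5] XOR packet type ID, modulo slave count."""
    return (_last_octet(src_mac) ^ _last_octet(dst_mac) ^ ethertype) % slaves


def layer2_3_slave(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                   slaves: int, ethertype: int = IPV4_ETHERTYPE) -> int:
    """layer2+3: the layer2 hash folded together with the source and destination IP."""
    h = _last_octet(src_mac) ^ _last_octet(dst_mac) ^ ethertype
    h ^= int(ip_address(src_ip)) ^ int(ip_address(dst_ip))
    h ^= h >> 16
    h ^= h >> 8
    return h % slaves


def slave_spread(policy: str, flows, slaves: int):
    """How many of the given flows each slave port would carry under a policy."""
    counts = [0] * slaves
    for f in flows:
        if policy == "layer2":
            idx = layer2_slave(f["smac"], f["dmac"], slaves)
        elif policy == "layer2+3":
            idx = layer2_3_slave(f["smac"], f["dmac"], f["sip"], f["dip"], slaves)
        else:
            raise ValueError(f"unknown policy {policy!r}")
        counts[idx] += 1
    return counts


# Constructed scenario: the USG's LAG talks to sixteen Internet hosts, all via
# the same next-hop router, so every frame has the router's MAC as destination.
USG_MAC = "00:aa:bb:cc:dd:10"
ROUTER_MAC = "00:11:22:33:44:01"
FLOWS = [{"smac": USG_MAC, "dmac": ROUTER_MAC,
          "sip": "192.168.1.34", "dip": f"203.0.113.{i}"} for i in range(1, 17)]
```

With the constructed flows, slave_spread("layer2", FLOWS, 2) puts all sixteen flows on one port because the MAC pair never changes, while slave_spread("layer2+3", FLOWS, 2) splits them evenly, which is exactly the behaviour the page's advice to use layer2+3 behind a router is about.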
  • Page 441: Set Up The Active-Backup Mode

    LACP rate: the interval can be fast (every second) or slow (every 30 seconds). Balance-alb Mode: (Does not require configuration on the switch; one or multiple switches can be used.) Set up the active-backup mode. The VLAN interface is cross-connected to different switches and the link status on both switches is active.
  • Page 442 The VLAN interface is cross-connected to different switches (fault tolerance). Only one link connection is up and the other is down. In this case, you need to use the active-backup mode. The LAG interface appears in the VLAN interface list.
  • Page 443: Test The Result

    Test the Result. After deployment you can see the interface status under MONITOR > Interface Status. In the example below we use an 802.3ad LAG interface with Vlan66: unplug one of the network cables during a ping and the connection should stay alive after at most one lost ping. What can go wrong 1.
  • Page 444: How To Restrict Web Portal Access From The Internet

    How to Restrict Web Portal access from the Internet. This example shows how to stop administrator logins to the ZyWALL/USG web configurator from the WAN while still permitting them from the LAN, using an Admin Service Control ACL rule that denies all WAN addresses.
  • Page 445: Set Up The Zywall/Usg System Setting

    Set Up the ZyWALL/USG System Setting. Go to CONFIGURATION > System > WWW > Admin Service Control > Add Admin ACL Rule 1. Set the address access action to Deny for ALL addresses in WAN. Make this change from a LAN-side session so that you cannot lock yourself out of the device. CONFIGURATION > System > WWW > Admin Service Control > Add Admin ACL Rule 1
  • Page 446: Test The Web Access

    Test the Web Access. Log in to the device via the WAN interface with the administrator's user name and password. The screen shows Login denied. Login to the device via the WAN interface. Log in to the device via the LAN interface with the administrator's user name and password.
  • Page 447 Go to MONITOR > Log. You can see that the admin login was denied from the WAN interface but allowed from the LAN interface. MONITOR > Log
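Two of the checks in this part of the handbook are first-match rule evaluations: the IPSec troubleshooting note on page 410 (the security policy must let IKE, NAT-T, ESP and AH reach the firewall) and the admin ACL above (deny every WAN address, allow the LAN). The following added example, which is not code from the handbook or from ZyXEL, is a small first-match evaluator exercised against both cases. Zone names, rule layout, the constructed packets and the addresses are the example's own.

```python
"""First-match packet-policy evaluator exercised against two checks from the
handbook: IPsec passthrough on the security policy, and an admin ACL that
denies web-portal logins from the WAN.

Added example, not ZyXEL code. Zones, rules and sample packets are
constructed; the device's real policy engine is not modelled beyond
first-match semantics.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP, UDP, ESP, AH = 6, 17, 50, 51       # IANA protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None         # None for protocols without ports (ESP/AH)
    zone: str = "WAN"                   # zone the packet arrives from


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    zone: Optional[str] = None          # None matches any zone
    src: str = "0.0.0.0/0"
    proto: Optional[int] = None         # None matches any protocol
    dport: Optional[int] = None         # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.zone is not None and self.zone != pkt.zone:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; fall through to the default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# What an IPsec peer needs to reach the firewall's WAN address: IKE on UDP/500,
# NAT-T on UDP/4500, then ESP (50) or AH (51) for the SA itself.
IPSEC_RULES = [
    Rule("allow", zone="WAN", proto=UDP, dport=500),
    Rule("allow", zone="WAN", proto=UDP, dport=4500),
    Rule("allow", zone="WAN", proto=ESP),
    Rule("allow", zone="WAN", proto=AH),
]


def ipsec_blocked(rules, peer: str = "203.0.113.10", wan_ip: str = "198.51.100.1",
                  nat_traversal: bool = True):
    """Return the IPsec components the ruleset would block (empty list means OK)."""
    needed = {"IKE udp/500": Packet(peer, wan_ip, UDP, 500),
              "ESP": Packet(peer, wan_ip, ESP),
              "AH": Packet(peer, wan_ip, AH)}
    if nat_traversal:
        needed["NAT-T udp/4500"] = Packet(peer, wan_ip, UDP, 4500)
    return sorted(name for name, pkt in needed.items()
                  if evaluate(rules, pkt) != "allow")


# Admin service control: deny every WAN address, allow the LAN subnet.
ADMIN_ACL = [
    Rule("deny", zone="WAN"),
    Rule("allow", zone="LAN", src="192.168.1.0/24"),
]


def admin_login_allowed(rules, src: str, zone: str) -> bool:
    return evaluate(rules, Packet(src, "192.168.1.1", TCP, 443, zone)) == "allow"
```

Running ipsec_blocked against only the first rule of IPSEC_RULES reports ESP, AH and NAT-T as blocked, which is the usual shape of the "Phase 1 succeeds, tunnel never passes traffic" failure the What Can Go Wrong page describes.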
  • Page 448: How To Setup And Configure Daily Report

    How to Setup and Configure Daily Report. This example shows how to set up data collection and view various statistics about traffic passing through your ZyWALL/USG. Once the Daily Report is configured, you receive a statistics report every day. ZyWALL/USG Setup and Configure Daily Report. Note: All network IP addresses and subnet masks in this article are examples.
  • Page 449: Set Up The Zywall/Usg Email Daily Report Setting

    Set Up the ZyWALL/USG Email Daily Report Setting. Go to CONFIGURATION > Log & Report > Email Daily Report > General Settings. Select Enable Email Daily Report to send reports by e-mail every day. CONFIGURATION > Log & Report > Email Daily Report > General Settings. Type the SMTP server name or IP address.
  • Page 450: Test The Daily Log Report

    Select Reset counters after sending report successfully if you only want each report to cover a 24-hour period. CONFIGURATION > Log & Report > Email Daily Report > Report Items. Test the Daily Log Report: click Send Report Now to have the ZyWALL/USG send the daily e-mail report immediately.
  • Page 451: What Could Go Wrong

    ZyXEL Daily Report Mail. What Could Go Wrong? Make sure your e-mail settings are all correct (CONFIGURATION > Log & Report > Email Daily Report > Email Settings). Make sure the ZyWALL-to-WAN security policy allows the outgoing mail traffic.
  • Page 452: How To Setup And Configure Email Logs

    How to Setup and Configure Email Logs. This example shows how to set up e-mail profiles that send ZyWALL/USG log messages to specific destinations. You can also specify which log messages to e-mail, and where and how often to e-mail them. Once Email Logs is configured, you receive log e-mails on the schedule you define.
  • Page 453 type the e-mail address from which the outgoing e-mail is delivered. In Mail To, type the e-mail address to which the outgoing e-mail is delivered. 2. Day for Sending Log is available if the log is e-mailed weekly. Select the day of the week on which the log is e-mailed.
  • Page 454: Test The Email Log

    Test the Email Log. You will receive a log e-mail at the time you set in the E-mail Server settings. ZyXEL Log Mail
  • Page 455: What Could Go Wrong

    What Could Go Wrong? Make sure your e-mail settings are all correct (CONFIGURATION > Log & Report > Email Daily Report > Email Settings). Make sure the ZyWALL-to-WAN security policy allows the outgoing mail traffic.
  • Page 456: How To Setup And Send Logs To A Syslog Server

    How to Setup and send logs to a Syslog Server. This example shows how to set up syslog server profiles that send ZyWALL/USG log messages to specific destinations. You can also specify which log messages go to the syslog server. Once the syslog server is configured, it receives the system logs in real time.
  • Page 457 Go to Dashboard > Add Systems. Dashboard > Add Systems. Select Not shown here? and My syslog daemon only sends to port 514. Dashboard > Add Systems > I’m using. Select My syslogd only uses the default port, set the ZyWALL/USG public IP address (111.250.188.9 in this example) and name the log system.
  • Page 458 Write down the Papertrail-provided domain name (logs.papertrialpp.com in this example). Dashboard > Add Systems > I’m using > Choose your situation > System Created
  • Page 459: Set Up The Zywall/Usg Remote Server Setting

    Set Up the ZyWALL/USG Remote Server Setting. 1. Go to CONFIGURATION > Log & Report > Log Settings > Remote Server > Edit. Set Log Format to CEF/Syslog. Type the Papertrail-provided domain name (logs.papertrialpp.com in this example) as the Server Address. Note that syslog over UDP port 514 is neither encrypted nor authenticated, so the log lines, including usernames and internal addresses, cross the Internet in clear text and can be spoofed or silently dropped on the way. 2.
  • Page 460: Test The Remote Server

    Test the Remote Server. Log messages appear on the remote syslog server as the ZyWALL/USG generates them.
  • Page 461: What Could Go Wrong

    What Could Go Wrong? Make sure your Remote Server log settings are all correct (CONFIGURATION > Log & Report > Log Settings > Remote Server). Make sure the ZyWALL-to-WAN security policy allows traffic to the log server.
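Once the device is sending CEF/Syslog to a collector, the next question is what to do with the lines. The following added example, which is not code from the handbook or from ZyXEL, parses CEF-formatted syslog lines and pulls out the event the web-portal section on page 447 produces, an admin login denied on a WAN-facing interface. The three sample lines are constructed to follow the CEF header layout (CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension); the device's real signature IDs, names and extension keys may differ, so treat them as assumptions.

```python
"""Parse syslog lines in CEF format and flag events worth alerting on.

Added example, not ZyXEL code. The sample lines are constructed to follow the
CEF header layout; the real device's field names and signature IDs may differ.
"""
import re

SAMPLE_LINES = [  # constructed, not captured from a device
    "<134>Apr 20 10:01:02 usg110 CEF:0|ZyXEL|USG|4.25|1001|Admin login denied|7|"
    "src=203.0.113.5 dst=198.51.100.1 dpt=443 deviceInboundInterface=wan1 "
    "msg=User admin from 203.0.113.5 has been denied access from HTTPS",
    "<134>Apr 20 10:01:30 usg110 CEF:0|ZyXEL|USG|4.25|1002|Admin login|3|"
    "src=192.168.1.33 dst=192.168.1.1 dpt=443 deviceInboundInterface=lan1 "
    "msg=User admin from 192.168.1.33 has logged in via HTTPS",
    "<134>Apr 20 10:02:15 usg110 CEF:0|ZyXEL|USG|4.25|2001|HTTPS Domain Filter|5|"
    "src=192.168.1.34 dst=203.0.113.20 request=www.facebook.com "
    "msg=Category Social Networking is blocked\\=policy Social_Net_Block",
]

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")           # a '|' not escaped by a backslash
_EXT_KEY = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")   # "key=" introducing an extension field
_HEADER_NAMES = ["cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity"]


def parse_cef(line: str):
    """Return header fields plus an 'ext' dict of extension fields, or None if not CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    parts = _HEADER_SPLIT.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        return None                                  # truncated or malformed header
    event = {n: p.replace("\\|", "|").replace("\\\\", "\\")
             for n, p in zip(_HEADER_NAMES, parts[:7])}
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    event["severity"] = int(event["severity"])
    ext, body = {}, parts[7]
    keys = list(_EXT_KEY.finditer(body))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        value = body[m.end():end]                    # runs up to the next "key="
        ext[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    event["ext"] = ext
    return event


def wan_admin_denials(lines):
    """(source address, severity) for admin logins denied on a WAN-facing interface."""
    hits = []
    for line in lines:
        ev = parse_cef(line)
        if not ev or ev["name"] != "Admin login denied":
            continue
        if ev["ext"].get("deviceInboundInterface", "").startswith("wan"):
            hits.append((ev["ext"]["src"], ev["severity"]))
    return hits
```

Extension values are delimited only by the next "key=" token, so the parser scans for keys rather than splitting on spaces; that is what keeps the free-text msg field intact, including the escaped "\=" inside it.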
  • Page 462: How To Setup And Send Logs To A Vantage Reports Server

    How to Setup and send logs to a Vantage Reports Server. This example shows how to set up Vantage Report server profiles that send ZyWALL/USG log messages to specific destinations. You can also specify which log messages go to the Vantage Report server. Once the Vantage Report server is configured, it receives the system logs in real time.
  • Page 463: Set Up The Vrpt Server

    Set Up the VRPT Server. 1. The Vantage Report server must have a registered account at http://www.myZyXEL.com. 2. Install the VRPT software: http://www.zyxel.com/support/DownloadLandingSR.shtml?c=gb&l=en&kbid=M-01 339&md=VRPT 4. Unzip the file and click Vantage Reeport.exe to start installing Vantage Report. The Vantage Report installation wizard appears. Click Next. 5.
  • Page 464 Check whether any other applications use port 3316 (TCP), 514 (UDP) or 8080 (UDP) by entering “netstat -a” at the command line. If any do, uninstall them. Click OK. When you finish installing Vantage Report, restart the Vantage Report server. 7.
  • Page 465 Go to Dashboard > License Information > Manage Device and click Add Device; the Add Device screen appears on the left side. Enter the Name of the device you want to add to Vantage Report. Enter the LAN MAC address of the device you want to add.
  • Page 466: Set Up The Zywall/Usg Remote Server Setting

    Set Up the ZyWALL/USG Remote Server Setting. Go to CONFIGURATION > Log & Report > Log Settings > Remote Server > Edit. Set Log Format to VRPT/Syslog. Type the Vantage Report server IP address (10.251.30.61 in this example) as the Server Address.
  • Page 467: What Could Go Wrong

    VRPT Server > Logs > Log Viewer. What Could Go Wrong? Make sure your Remote Server log settings are all correct (CONFIGURATION > Log & Report > Log Settings > Remote Server). Make sure the ZyWALL-to-WAN security policy allows traffic to the log server.
  • Page 468: How To Setup And Send Logs To The Usb Storage

    How to Setup and send logs to the USB storage. This example shows how to use a USB device to store the system log information. ZyWALL/USG enable and send logs to the USB storage. Note: Connect only one USB device. It must allow writing (it cannot be read-only) and use the FAT16, FAT32, EXT2 or EXT3 file system.
  • Page 469: Set Up The Usb System Settings

    Set Up the USB System Settings. Go to CONFIGURATION > System > USB Storage > Settings > General. Select Activate USB storage service if you want to use the connected USB device(s). Set a number and select a unit (MB or %) to have the ZyWALL/USG send a warning message when the remaining USB storage space falls below the value you set here.
  • Page 470: Check The Usg Log Files

    Go to CONFIGURATION > Log & Report > Log Settings > USB Storage > Edit. Select Duplicate logs to USB storage (if ready) to have the ZyWALL/USG save a copy of its system logs to a connected USB storage device. Use the Selection drop-down list to change the log settings for all of the log categories.
  • Page 471: How To Activate A Free Access Hotspot

    How to Activate a Free Access Hotspot. Some hotels need to provide free Internet services to hundreds of guests every day, and managing Internet access for that many people is complicated without the right equipment. With web authentication methods such as user agreement and web portal, hotel guests are redirected to a web-based authentication portal on their first attempt to access the network.
  • Page 472: Set Up The Free Access Hotspot

    Configuration Guide. Network Conditions: WAN: 10.251.31.112; LAN 1: 192.168.1.1/255.255.255.0; User’s laptop: 192.168.1.33. Set up the Free Access Hotspot. Configurations on the USG1100: the user agreement feature allows clients to access the Internet without a guest account.
  • Page 473 2. Go to Configuration > Hotspot > Advertisement. (1) Select Enable Advertisement. (2) Add the URL of the website that you want to advertise.
  • Page 474: Test The User Agreement And Advertisement Webpage

    Test the User Agreement and Advertisement Webpage. 1. When a client attempts to access the Internet via a browser, he/she is redirected to the user agreement page. 2. The advertisement webpage is displayed in a new window and is the first page that appears whenever the user connects to the Internet.
  • Page 475: What Could Go Wrong

    What Could Go Wrong? If users can access the Internet without any authentication, make sure the Source Address is configured with the correct subnet. For example, if you want users in subnet 192.168.1.0/24 to be controlled via authentication, the Source Address must be 192.168.1.0/24.
  • Page 476: Set Up Enable The Free Time Feature

    Set up and Enable the Free Time Feature. Configurations on the USG1100: on the USG1100, you need to enable the SMS service and select SMS as the delivery method in the Free Time feature. 1. Register for a ViaNett account at http://www.vianett.com.
  • Page 477 3. After the form has been submitted, the account information is sent to your e-mail address.
  • Page 478 4. Enter the activation code and proceed to make the payment. 5. Fill in the credit card information to complete the payment.
  • Page 479 The payment is complete. 6. After the ViaNett account is ready, go to the USG1100’s Configuration > Hotspot > SMS screen. (1) Enable SMS. (2) Fill in your local phone country code as the default country code.
  • Page 480 (3) Add an authentication policy for every source. 7. Go to Configuration > Hotspot > Free Time. (1) Select Enable Free Time and set up the free time period. By default, the Reset Time is 00:00 AM. You can also set up how many times a MAC address can access the Internet.
  • Page 481: Test Free Time Feature

    9. Select Enable Policy, Force User Authentication, and then select default-web-portal as the Authentication Type. Test Free Time Feature. 1. The user is redirected to the Login screen before he/she is permitted to access the Internet. Click on the link to get a free account.
  • Page 482 Select Free Time as the service plan. Then submit your country code and mobile phone number. 3. The account and password are sent to your mobile phone.
  • Page 483 4. Check your account information. 5. Fill in the account information received on your mobile phone and click Login.
  • Page 484: What Can Go Wrong

    6. Now the client can start accessing the Internet. What Can Go Wrong? If the client cannot get the SMS message from ViaNett, make sure the Country code, Username and Password are all correct.
  • Page 486: How To Setup Ipv6 Interfaces For Pure Ipv6 Routing

    How to Setup IPv6 Inter faces for Pure IPv6 Routing. This example shows how to configure the WAN and LAN interfaces of USG Z, which connects two IPv6 networks. USG Z periodically advertises the network prefix 2006:1111:1111:1111::/64 to the LAN through router advertisements. ZyWALL/USG access the internet via IPv6. Note: Instead of using router advertisement, you can use DHCPv6 to pass the...
  • Page 487: Setting Up The Ipv6 Interface

    Setting Up the IPv6 Interface. 1. In the CONFIGURATION > Network > Interface > Ethernet screen’s IPv6 Configuration section, double-click wan1. 2. The Edit Ethernet screen appears. Select Enable Interface and Enable IPv6. Select Enable Auto-Configuration. Click OK. Note: Your ISP or uplink router must have router advertisement enabled.
  • Page 488 3. Use ipconfig at the command line to check.
  • Page 489: Set Up The Prefix Delegation And Router Advertisement

    Set up the Prefix Delegation and Router Advertisement. This example shows how to configure prefix delegation on the ZyWALL’s WAN and router advertisement on the LAN. Apply for a network prefix from your ISP: first of all, you have to apply for a network prefix from your ISP or the uplink router’s administrator.
  • Page 490 Click Add in the DHCPv6 Request Options table and select the DHCPv6 request object you just created. You cannot see the prefix your ISP gave you in the Value field until you click OK and then come back to this screen. It is 2001:b050:2d::/48 in this example. Note: Your ISP or a DHCPv6 server in the same network as the WAN should assign an IPv6 address to the WAN interface.
  • Page 491 Setting Up the LAN IPv6 Interface. 1. In the Configuration > Network > Interface > Ethernet screen, double-click the lan interface in the IPv6 Configuration section. 2. The Edit Ethernet screen appears. Click Show Advanced Settings to display more settings on this screen.
  • Page 492 Address field. (The combined prefix 2001:b050:2d:1111::/64 is displayed as LAN1’s network prefix after you click OK and come back to this screen.)
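The combined prefix above is the delegated /48 with a 16-bit subnet ID appended to make a /64. The following added example, which is not code from the handbook or from ZyXEL, performs that arithmetic for any delegation length and checks that a prefix you intend to advertise on the LAN actually lies inside what the ISP delegated, since a prefix outside it (such as the 2006:1111:1111:1111::/64 from the first IPv6 example) would be advertised but never routed back. The function names are the example's own.

```python
"""Derive a LAN /64 from a delegated prefix and a subnet ID, and check that an
advertised LAN prefix lies inside what the ISP delegated.

Added example, not ZyXEL code. It reproduces the arithmetic the handbook shows
(2001:b050:2d::/48 plus subnet ID 1111 gives 2001:b050:2d:1111::/64); the
function names are the example's own.
"""
from ipaddress import IPv6Address, IPv6Network


def max_subnet_id(delegated: str, new_len: int = 64) -> int:
    """Largest subnet ID that fits between the delegated length and new_len."""
    free_bits = new_len - IPv6Network(delegated).prefixlen
    if free_bits < 0:
        raise ValueError(f"{delegated} is already longer than /{new_len}")
    return (1 << free_bits) - 1


def delegated_subnet(delegated: str, subnet_id: int, new_len: int = 64) -> IPv6Network:
    """Return the /new_len prefix formed by placing subnet_id right after the delegated prefix."""
    pd = IPv6Network(delegated, strict=True)
    if not 0 <= subnet_id <= max_subnet_id(delegated, new_len):
        raise ValueError(f"subnet id {subnet_id:#x} does not fit between /{pd.prefixlen} and /{new_len}")
    addr = int(pd.network_address) | (subnet_id << (128 - new_len))
    return IPv6Network((IPv6Address(addr), new_len))


def ra_prefix_is_valid(lan_prefix: str, delegated: str) -> bool:
    """True when the prefix advertised on the LAN is a subnet of the delegated
    prefix, i.e. the ISP will route return traffic to it."""
    return IPv6Network(lan_prefix).subnet_of(IPv6Network(delegated))


def lan_prefixes(delegated: str, subnet_ids, new_len: int = 64):
    """Plan several LAN prefixes (for example one per VLAN) from one delegation."""
    return [str(delegated_subnet(delegated, sid, new_len)) for sid in subnet_ids]
```

The check in ra_prefix_is_valid is the one to run when the Value field on page 490 changes: an ISP that hands out a different prefix on renewal silently invalidates any LAN prefix that was typed in by hand rather than derived from the delegation.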
  • Page 493: Test

    Test. 1. Connect a computer to the ZyWALL’s LAN interface. 2. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel >...
  • Page 494 3. If the Value field in WAN1’s DHCPv6 Request Options table displays n/a, contact your ISP for further support. 4. In Windows, some IPv6-related tunnels such as Teredo and 6to4 may be enabled by default. They can cause your computer to handle IPv6 packets in an unexpected way.
  • Page 495: Test

    Test. You can use the command “netsh interface ipv6 show dnsservers” to check the DNS server IP.
  • Page 496: How To Perform And Use The Packet Capture Feature On The Zywall/Usg

    How to Perform and Use the Packet Capture Feature on the ZyWALL/USG. This example shows how to use the Packet Capture feature to capture network traffic passing through the ZyWALL/USG’s interfaces. Studying these packet captures may help you identify network problems. ZyWALL/USG Packet Capture Feature Settings. Note: New capture files overwrite existing files of the same name.
  • Page 497: Set Up The Packet Capture Feature

    Set Up the Packet Capture Feature. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture > Interfaces. Select the interfaces for which to capture packets and click the right arrow button to move them to the Capture Interfaces list. Go to MAINTENANCE >...
  • Page 498 10. Go to MAINTENANCE > Diagnostics > Packet Capture > Capture > Misc setting. Select Continuously capture and overwrite old ones to have the ZyWALL/USG keep capturing traffic and overwrite old packet capture entries when the available storage space runs out. Select Save data to onboard storage only or Save data to USB storage (if the status shows service deactivated, go to CONFIGURATION >...
  • Page 499: Check The Capture Files

    Check the Capture Files. Go to MAINTENANCE > Diagnostics > Packet Capture > Files, select the .cap file and click Download. Treat downloaded captures as sensitive: they contain the full payload of any unencrypted traffic that crossed the selected interfaces.
  • Page 500 Open .cap files with Wireshark.
  • Page 501: How To Automatically Reboot The Zywall/Usg By Schedule

    How to Automatically Reboot the ZyWALL/USG by Schedule. This example shows how to use a shell script and schedule-run to reboot the device automatically for maintenance purposes. ZyWALL/USG Auto Schedule Reboot Settings. Note: This example was tested on a USG110 (Firmware Version: ZLD 4.25).
  • Page 502: Set Up The Shell Script

    Set Up the Shell Script. Open Windows Notepad and enter the command shown below. Save this file as "reboot_device.zysh". In the ZyWALL/USG, go to MAINTENANCE > File Manager > Shell Script. Click Browse... to find the reboot_device.zysh file. Click Upload to begin the upload process.
  • Page 503: Set Up The Schedule Run

    Set Up the Schedule Run. Log in to the device via console, telnet or SSH (using PuTTY in this example); prefer SSH or the console over telnet, which sends the administrator password in clear text. Issue one of the commands below, depending on whether you want a daily, weekly or monthly reboot:
    a. Router(config)# schedule-run 1 reboot_device.zysh daily 10:00 (The device reboots at 10:00 every day)
  • Page 504: Check The Reboot Status

    b. Router(config)# schedule-run 1 reboot_device.zysh weekly 10:00 sun (The device reboots at 10:00 every Sunday)
    c. Router(config)# schedule-run 1 reboot_device.zysh monthly 10:00 23 (The device reboots at 10:00 on the 23rd of every month)
    Check the Reboot Status. Log in to the device via console, telnet or SSH (using PuTTY in this example); the reboot runs as scheduled.
  • Page 505 Figure: PuTTY. Go to DASHBOARD > System Status and check System Uptime, Current Date/Time and Boot Status. Figure: DASHBOARD > System Status
  • Page 506: How To Schedule Youtube Access

    www.zyxel.com How To Schedule YouTube Access This is an example of using the ZyWALL/USG UTM Profile and Security Policy to control access to the network. If an application should not have network access during certain hours, you can use Application Patrol, SSL Inspection and Schedule settings to make sure that these applications cannot access the Internet.
  • Page 507: Create The Application Objects On The Zywall/Usg

    www.zyxel.com Create the Application Objects on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > Application > Add Application Rule. Configure a Name for you to identify the Application Profile. Then, click Add to create an Application Object. CONFIGURATION >...
  • Page 508: Set Up The Application Patrol Profile On The Zywall/Usg

    www.zyxel.com Set Up the Application Patrol Profile on the ZyWALL/USG Go to CONFIGURATION > UTM Profile > App Patrol > Add rule, configure a Name for you to identify the App Patrol profile. Then, go to the Profile Management and click Add to configure profile General Settings.
  • Page 509: Set Up Ssl Inspection On The Zywall/Usg

    www.zyxel.com Set Up SSL Inspection on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > SSL Inspection > Add rule, configure a Name for you to identify the SSL Inspection profile. Then, select the CA Certificate to be the certificate used in this profile. Select Block select Log type to be log alert.
  • Page 510: Export Certificate From Zywall/Usg And Import It To Windows 7 Operation System

    www.zyxel.com Export Certificate from ZyWALL/USG and Import it to Windows 7 Operation System When SSL inspection is enabled and an access website does not trust the ZyWALL/USG certificate, the browser will display a warning page of security certificate problems. 510/749...
  • Page 511 www.zyxel.com Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export default certificate from ZyWALL/USG with Private Key (zyx123 in this example). CONFIGURATION > Object > Certificate > default CONFIGURATION > Object > Certificate > default > Edit > Export Certificate with Private Key Save default certificate as *.p12 file to Windows 7 Operation System.
  • Page 512 www.zyxel.com In the mmc console window, click File > Add/Remove Snap-in... File > Add/Remove Snap-in... In the Available snap-ins, select the Certificates and click Add button. Select Computer account > Local Computer. Then, click Finished and OK to close the Snap-ins window.
  • Page 513 www.zyxel.com Available snap-ins > Certificates > Add In the mmc console window, open the Certificates (Local Computer) > Trusted Root Certification Authorities, right click Certificate > All Tasks > Import… Click Next, Then, Browse..., and locate the .p12 file you downloaded earlier. Then, click Next.
  • Page 514 www.zyxel.com Click Next, type zyx123 in the Password field and click Next again Select Place all certificates in the following store and then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish. 514/749...
  • Page 515 Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate will be created when the ZyWALL/USG boots the next time.
  • Page 516: Test The Result

    Test the Result Type http://www.youtube.com/ or https://www.youtube.com/ into the browser. An error message appears. Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below. What Could Go Wrong? If you are not able to configure any Application Patrol policies, or they are not working, there are two possible reasons: You have not subscribed to the Application Patrol service.
  • Page 517 the portal page (https://portal.myzyxel.com/) to register or extend your Application Patrol license. After you apply the Application Patrol service, any running session will continue until it is finished.
  • Page 518: How To Continuously Run A Zysh Script

    How to continuously run a ZySH script This example shows how to use shell scripts to run a ZySH script automatically and continuously for maintenance purposes. ZyWALL/USG Continuously Run a ZySH Script Settings Note: This example was tested using a USG110 (Firmware Version: ZLD 4.25).
  • Page 519: Set Up The Shell Script

    Set Up the Shell Script Run the Windows Notepad application and enter the command below: Save this file as "disable_firewall.zysh" Run the Windows Notepad application and enter the command below: Save this file as "enable_firewall.zysh"
  • Page 520: Set Up The Schedule Run

    In the ZyWALL/USG, go to MAINTENANCE > File Manager > Shell Script. Click Browse... to find the disable_firewall.zysh and enable_firewall.zysh files. Click Upload to begin the upload process. Set Up the Schedule Run Log in to the device via console, Telnet or SSH (using PuTTY in this example)
  • Page 521: Check The Result

    Issue the commands below:
    Router> configure terminal
    Router(config)# schedule-run 1 disable_firewall.zysh daily 01:00
    Check the Result In the ZyWALL/USG, go to DASHBOARD. Refresh the Secure Service Status; Security Policy Control is disabled at 1:00. DASHBOARD
  • Page 522 In the ZyWALL/USG, go to DASHBOARD. Refresh the Secure Service Status; Security Policy Control is enabled at 2:00. DASHBOARD
  • Page 523: How To Register Your Device And Services At Myzyxel.com

    How To Register Your Device and Services at myZyXEL.com myZyXEL.com is ZyXEL’s online services center where you can register your ZyXEL device and manage subscription services available for the device. To update signature files or use a subscription service, you have to register the device and activate the corresponding service at myZyXEL.com.
  • Page 524: Account Creation

    Account Creation After you click the link from the Registration screen of your ZyXEL device’s Web Configurator or click the myZyXEL.com 2.0 icon from the portal page (https://portal.myzyxel.com/), the Sign In screen displays. CONFIGURATION > Licensing > Registration Click Not a Member Yet to open the Sign Up screen where you can create an account.
  • Page 525 Select Registration Type to create an Individual account or a Business account. An Individual account is for non-commercial end users of ZyXEL products. A Business account is for commercial users; a VAT # is required (the requirement varies by country). myZyXEL.com >...
  • Page 526: Device Registration

    After you click Submit, myZyXEL.com 2.0 will send you an account activation notification e-mail. Click the URL link in the e-mail to activate your account and log in to myZyXEL.com 2.0. After e-mail activation, sign in to myZyXEL.com 2.0 to register or manage your devices and services.
  • Page 527: Service Registration (In The Case Of Standard License)

    If you access myZyXEL.com from the Registration screen of your ZyXEL device’s Web Configurator, the device MAC Address and Serial Number display automatically. Service Registration (In the Case of Standard License) Click Service Registration in the navigation panel to open the screen. Fill in the License Key as shown on the E-iCard License.
  • Page 528: Device Management (In The Case Of Registering Bundled Licenses)

    Go to the Service Management page and click the Link button. Select the device, then click the Activate button to initiate the service license. You will get a Service Activation Notice e-mail when you activate a new service. Device Management (In the Case of Registering Bundled Licenses) Go to Device Management and click the MAC Address hyperlink of your device.
  • Page 529: Refresh Service

    Refresh Service After the service is activated, go to the ZyWALL/USG CONFIGURATION > Licensing > Registration > Service and click the Service License Refresh button to update the Status. What Could Go Wrong? If you can’t activate your device’s service license, check that you entered the correct license key.
  • Page 530 If you forget your registered e-mail address on myZyXEL.com, go to the link below and submit a request to the ZyXEL support team for further support: http://www.zyxel.com/form/Support_Feedback.shtml
  • Page 531: How To Exempt Specific Users From Security Control

    How To Exempt Specific Users From Security Control This is an example of using a ZyWALL/USG Security Policy to exempt three corporate executives from security control, while controlling Internet access for other employees’ accounts. Exempt Specific Users from Security Control Example Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 532: Set Up The Security Policy On The Zywall/Usg For Employees

    Set Up the Security Policy on the ZyWALL/USG for Employees In the ZyWALL/USG, go to CONFIGURATION > Object > Address > Add Address Rule to create an address range for employees. CONFIGURATION > Object > Address > Add Address Rule Set up the Security Policy for employees: go to CONFIGURATION >...
  • Page 533: Set Up The Security Policy On The Zywall/Usg For Executives

    non-productive services, such as Advertisement & Pop-Ups, Gambling and Peer to Peer services, etc.). CONFIGURATION > Security Policy > Policy Control > Add corresponding > Employees_Security Set Up the Security Policy on the ZyWALL/USG for Executives In the ZyWALL/USG, go to CONFIGURATION > Object > User/Group > Add A User to create a User Name/Password for each executive.
  • Page 534 Then, go to CONFIGURATION > Object > User/Group > Group > Add Group to create a group name and move the just-created executive user objects to Member. CONFIGURATION > Object > Address Group > Add Address Group Rule
  • Page 535 Set up the Security Policy for executives: go to CONFIGURATION > Security Policy > Policy Control > Add corresponding, configure a Name for you to identify the executives’ Security Policy profile. For From and To policies, select the direction of travel of packets to which the policy applies.
  • Page 536: Test The Result

    Test the Result Connect to the Internet from two computers: one from executive_1 and one from an employee address (192.168.30.9).
  • Page 537: What Could Go Wrong

    Go to the ZyWALL/USG Monitor > Log; you will see [notice] log messages such as those below. In this example, connections from executive_1 carry the user login message and always show ACCESS FORWARD, while connections from the employee address (192.168.30.9) show ACCESS BLOCK for some of the services. Monitor >...
  • Page 538: How To Detect And Prevent Tcp Port Scanning With Adp

    How To Detect and Prevent TCP Port Scanning with ADP This is an example of using a ZyWALL/USG ADP (Anomaly Detection and Prevention) Profile to protect against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal traffic flows such as port scans.
  • Page 539: Set Up The Adp Profile On The Zywall/Usg

    Set Up the ADP Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > ADP > Profile, click the Add icon. A pop-up screen will appear allowing you to choose a base profile. Select a base profile to go to the profile details screen. CONFIGURATION >...
  • Page 540 Click the Protocol Anomaly tab. A Name is automatically generated that you can edit. Enable or disable individual rules by selecting a row and clicking Activate or Inactivate. Edit the default log options and actions by selecting a row and making a selection in the Log or Action drop-down menus.
  • Page 541 CONFIGURATION > Security Policy > ADP > Profile > Base Profile > Protocol Anomaly Go to CONFIGURATION > Security Policy > ADP > General, select Enable Anomaly Detection and Prevention. Then, select the just created Anomaly Profile and click Apply.
  • Page 542: Test The Result

    Test the Result Download the free Nmap security scanner to test the result: https://nmap.org/download.html Open the Nmap GUI, set the Target to the WAN IP of the ZyWALL/USG (172.124.163.150 in this example) and set Profile to Intense Scan. Click Scan. Go to the ZyWALL/USG Monitor >...
  • Page 543: What Could Go Wrong

    What Could Go Wrong? You may find that certain rules are triggering too many false positives or false negatives. A false positive is when valid traffic is flagged as an attack. A false negative is when invalid traffic is wrongly allowed to pass through the ZyWALL/USG. As each network is different, false positives and false negatives are common on initial ADP deployment.
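    To make the traffic-anomaly side of ADP concrete, here is an added example (not ZyXEL's code, and not how the firmware implements its rules): a small sliding-window port-scan detector run over constructed flow records. The window and threshold values are assumptions for illustration; the page does not give ADP's actual parameters. The constructed input reuses the page's example WAN IP 172.124.163.150 as the target and shows both a fast scan that trips the rule and a slow scan that stays under the threshold, which is one reason the tuning note above matters.

```python
"""Added example (not ZyXEL's code): a minimal sliding-window TCP port-scan
detector of the kind an ADP traffic-anomaly rule implements."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since an arbitrary epoch
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination TCP port
    syn_only: bool  # SYN seen with no completed handshake (typical of probes)


def detect_port_scans(flows, window=10.0, threshold=20):
    """Return {(src, dst): set_of_ports} for every source that probed more
    than `threshold` distinct ports on one host within `window` seconds.
    window/threshold are assumed illustrative values, not ADP's settings."""
    events = defaultdict(list)   # (src, dst) -> [(ts, dport)] sorted by ts
    alerts = {}
    for f in sorted(flows, key=lambda x: x.ts):
        if not f.syn_only:       # completed connections are not probes
            continue
        key = (f.src, f.dst)
        q = events[key]
        q.append((f.ts, f.dport))
        # expire events that fell out of the sliding window
        while q and f.ts - q[0][0] > window:
            q.pop(0)
        ports = {p for _, p in q}
        if len(ports) > threshold:
            alerts.setdefault(key, set()).update(ports)
    return alerts


def sample_flows():
    """Constructed sample traffic (not from the page's logs)."""
    flows = []
    # Fast scan: 40 SYN probes to distinct ports within 4 seconds.
    for i in range(40):
        flows.append(Flow(100.0 + i * 0.1, "198.51.100.7", "172.124.163.150", 1 + i, True))
    # Normal client: repeated connections to 80 and 443 only, a few half-open.
    for i in range(50):
        flows.append(Flow(100.0 + i * 0.2, "192.168.30.9", "172.124.163.150",
                          80 if i % 2 else 443, i % 5 == 0))
    # Slow scan: 30 ports, one probe every 2 s; never exceeds 20 ports in 10 s.
    for i in range(30):
        flows.append(Flow(200.0 + i * 2.0, "203.0.113.5", "172.124.163.150", 1000 + i, True))
    return flows


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(sample_flows()).items():
        print(f"port scan: {src} -> {dst}, {len(ports)} distinct ports")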
  • Page 544: How To Block Facebook

    How To Block Facebook This is an example of using a ZyWALL/USG UTM Profile in a Security Policy to block access to a specific social network service. You can use Content Filter, SSL Inspection and Policy Control to make sure that a certain web page cannot be accessed through both HTTP and HTTPS protocols.
  • Page 545: Set Up The Content Filter On The Zywall/Usg

    Set Up the Content Filter on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter File > Custom Service. Configure a Name for you to identify the Content Filter Profile and select Enable Custom Service. CONFIGURATION >...
  • Page 546: Set Up The Security Policy On The Zywall/Usg

    Then, select the CA Certificate to be the certificate used in this profile. Select Block as the Action for Connection with SSL v2 and select Log type to be log alert. Leave the other actions at their default settings. CONFIGURATION > UTM Profile > SSL Inspection > Add rule Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 548: Export Certificate From Zywall/Usg And Import It To Windows 7 Operation System

    Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System When SSL inspection is enabled and the browser does not trust the ZyWALL/USG certificate presented for a website you access, it will display a security certificate warning page. Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export the default certificate from the ZyWALL/USG with its Private Key (password zyx123 in this example).
  • Page 549 In the Windows 7 Operating System Start Menu > Search Box, type mmc and press Enter. Start Menu > Search Box > mmc In the mmc console window, click File > Add/Remove Snap-in... File > Add/Remove Snap-in...
  • Page 550 In the Available snap-ins, select Certificates and click the Add button. Select Computer account > Local Computer. Then click Finish and OK to close the Snap-ins window. Available snap-ins > Certificates > Add In the mmc console window, open Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificate >...
  • Page 551 Click Next, then Browse... and locate the .p12 file you downloaded earlier. Then click Next.
  • Page 552 Click Next, type zyx123 in the Password field and click Next again. Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish.
  • Page 553: Test The Result

    Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate will be created when the ZyWALL/USG boots the next time.
  • Page 554: What Could Go Wrong

    Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below. Monitor > Log What Could Go Wrong? If you are not able to configure any Content Filter policies, or they are not working, there are two possible reasons: You have not subscribed to the Content Filter service.
  • Page 555: How To Exempt Specific Users From A Blocked Website

    How To Exempt Specific Users From a Blocked Website This is an example of using a ZyWALL/USG Security Policy to exempt three corporate executives from a blocked website, while controlling Internet access for other employees’ accounts. Because the executives connect to the blocked website from PCs with static IP addresses, you can set up an address group to allow their traffic.
  • Page 556: Set Up The Security Policy On The Zywall/Usg For Employees

    Set Up the Security Policy on the ZyWALL/USG for Employees In the ZyWALL/USG, go to CONFIGURATION > Object > Address > Add Address Rule to create an address range for employees. CONFIGURATION > Object > Address > Add Address Rule Set up the Security Policy for employees: go to CONFIGURATION >...
  • Page 557: Set Up The Security Policy On The Zywall/Usg For Executives

    Set Up the Security Policy on the ZyWALL/USG for Executives In the ZyWALL/USG, go to CONFIGURATION > Object > Address > Add Address Rule to create an address for each executive. CONFIGURATION > Object > Address > Add Address Rule
  • Page 558 Then, go to CONFIGURATION > Object > Address Group > Add Address Group Rule to create a group name and move the just-created executive address objects to Member. CONFIGURATION > Object > Address Group > Add Address Group Rule Set up the Security Policy for executives: go to CONFIGURATION >...
  • Page 559 policy applies. Select Source to be the Executives to apply the policy to all traffic coming from them. To view the results later, have the ZyWALL/USG generate a log for matched traffic (log). Leave all UTM Profiles disabled. CONFIGURATION >...
  • Page 560: Test The Result

    Test the Result Connect to the Internet from two computers: one from the executive_2 address (192.168.10.2) and one from an employee address (192.168.20.1), and have both access https://hangouts.google.com/. Go to the ZyWALL/USG Monitor > Log; you will see [notice] and [info] log messages such as those below.
  • Page 561: How To Control Access To Google Drive

    How To Control Access To Google Drive This is an example of using a ZyWALL/USG UTM Profile in a Security Policy to block access to a specific file transfer service. You can use Application Patrol and Policy Control to make sure that a certain file transfer service cannot be accessed through both HTTP and HTTPS protocols.
  • Page 562: Set Up The Application Patrol On The Zywall/Usg

    Set Up the Application Patrol on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > Application > Add Application Rule. Configure a Name for you to identify the Application Profile. Then, click Add to create an Application Object. CONFIGURATION >...
  • Page 563 In the General Settings, select the Application name of the policy (Google_Drive_Control in this example). Select the Action to be drop or reject: the ZyWALL/USG drops packets that match these signatures either without (drop) or with (reject) notification. Select the desired Log type: whether to have the ZyWALL/USG generate a log (log), a log and alert (log alert) or neither (no) by default when traffic matches a signature in this category.
  • Page 564: Set Up The Ssl Inspection On The Zywall/Usg

    Set Up the SSL Inspection on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > SSL Inspection > Add rule and configure a Name to identify the SSL Inspection profile. Then select the CA Certificate to be used in this profile. Select Block and set Log type to log alert.
  • Page 565: Set Up The Security Policy On The Zywall/Usg

    Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control, configure a Name for you to identify the Security Policy profile. For From and To policies, select the direction of travel of packets to which the policy applies. Scroll down to UTM Profile, select Content Filter and select a profile from the list box (Facebook_Block in this example).
  • Page 566: Export Certificate From Zywall/Usg And Import It To Windows 7 Operation System

    Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System When SSL inspection is enabled and the browser does not trust the ZyWALL/USG certificate presented for a website you access, it will display a security certificate warning page. Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export the default certificate from the ZyWALL/USG with its Private Key (password zyx123 in this example).
  • Page 567 In the Windows 7 Operating System Start Menu > Search Box, type mmc and press Enter. Start Menu > Search Box > mmc In the mmc console window, click File > Add/Remove Snap-in... File > Add/Remove Snap-in...
  • Page 568 In the Available snap-ins, select Certificates and click the Add button. Select Computer account > Local Computer. Then click Finish and OK to close the Snap-ins window. Available snap-ins > Certificates > Add In the mmc console window, open Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificate >...
  • Page 569 Click Next, then Browse... and locate the .p12 file you downloaded earlier. Then click Next. Click Next, type zyx123 in the Password field and click Next again. Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities.
  • Page 570: Test The Result

    Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate will be created when the ZyWALL/USG boots the next time.
  • Page 571: What Could Go Wrong

    Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below. Monitor > Log What Could Go Wrong? If you are not able to configure any Application Patrol policies, or they are not working, there are two possible reasons: You have not subscribed to the Application Patrol service.
  • Page 572: How To Block Https Websites Using Content Filtering And Ssl Inspection

    How To Block HTTPS Websites Using Content Filtering and SSL Inspection This is an example of using ZyWALL/USG Content Filtering, SSL Inspection and a Security Policy to block access to malicious or non-business-related websites. ZyWALL/USG with Block HTTPS Websites Using Content Filtering and SSL Inspection Settings Example Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 573: Set Up The Content Filter On The Zywall/Usg

    Set Up the Content Filter on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter File > Category Service. Configure a Name for you to identify the Content Filter Profile and select Enable Custom Service. CONFIGURATION >...
  • Page 574: Set Up Ssl Inspection On The Zywall/Usg

    If you are not sure which category a web page belongs to, you can enter a web site URL in the text box of Test Web Site Category. CONFIGURATION > UTM Profile > Content Filter > Profile > Profile Management > Add Filter File >...
  • Page 575: Set Up The Security Policy On The Zywall/Usg

    Select the desired Log type: whether to have the ZyWALL/USG generate a log (log), a log and alert (log alert) or neither (no) by default when traffic matches this policy. CONFIGURATION > UTM Profile > SSL Inspection > Add rule Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 576: Export Certificate From Zywall/Usg And Import It To Windows 7 Operation System

    Export Certificate from ZyWALL/USG and Import it to Windows 7 Operating System When SSL inspection is enabled and the browser does not trust the ZyWALL/USG certificate presented for a website you access, it will display a security certificate warning page. Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export the default certificate from the ZyWALL/USG with its Private Key (password zyx123 in this example).
  • Page 577 CONFIGURATION > Object > Certificate > default CONFIGURATION > Object > Certificate > default > Edit > Export Certificate with Private Key Save the default certificate as a *.p12 file on the Windows 7 Operating System. default.p12 In the Windows 7 Operating System Start Menu > Search Box, type mmc and press Enter.
  • Page 578 In the mmc console window, click File > Add/Remove Snap-in... File > Add/Remove Snap-in... In the Available snap-ins, select Certificates and click the Add button. Select Computer account > Local Computer. Then click Finish and OK to close the Snap-ins window.
  • Page 579 In the mmc console window, open Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificate > All Tasks > Import… Click Next, then Browse... and locate the .p12 file you downloaded earlier. Then click Next.
  • Page 580 Click Next, type zyx123 in the Password field and click Next again. Select Place all certificates in the following store, then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish.
  • Page 581: Test The Result

    Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate will be created when the ZyWALL/USG boots the next time.
  • Page 582: What Could Go Wrong

    Go to the ZyWALL/USG Monitor > Log to see an [alert] log message such as the one below. Monitor > Log What Could Go Wrong? If you are not able to configure any Content Filter policies, or they are not working, there are two possible reasons: You have not subscribed to the Content Filter service.
  • Page 583: How To Block The Spotify Music Streaming Service

    How To Block the Spotify Music Streaming Service This is an example of using a ZyWALL/USG IDP Profile to block DNS query packets. When the Spotify software launches, it sends a DNS query for Spotify's public server. In this example, you create a custom IDP signature that blocks a DNS query packet if the packet includes the Spotify signature.
  • Page 584: Set Up Idp Profile On The Zywall/Usg

    Set Up IDP Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > IDP > Custom Signatures > Add Custom Signatures, configure a Name for you to identify the IDP Profile. Select medium as the Severity level. Select all Platforms. Select the Policy Type to be Access-Control here to limit access to network resources such as servers.
  • Page 585: Test The Result

    CONFIGURATION > UTM Profile > IDP > Profile > Base Profile Configure a Name for you to identify the IDP Profile. Activate the newly created IDP Profile and select Action to be drop. Select Log type to be log alert in order to view the result later.
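    The custom signature above works because the client's DNS query carries the service's host name in clear text in the question section. The following added example (not ZyXEL's code, and not a reproduction of its signature engine) parses that question section from raw DNS bytes and tests the decoded query name against a content signature, the way an Access-Control signature matches. The sample packets are constructed inline with placeholder host names; the page does not give the real Spotify server name, and the signature string "spotify" is assumed for illustration. Malformed or truncated packets are rejected rather than matched, and the name is lower-cased before matching so that mixed-case queries do not slip past a lower-case signature.

```python
"""Added example (not ZyXEL's code): parse the question section of a DNS
query and test the decoded name against a content signature, the check a
custom IDP signature performs on DNS packets."""
import struct


def parse_dns_question(payload: bytes):
    """Return (qname, qtype) from a DNS message (bytes after the UDP header).
    Raises ValueError on responses, truncated or malformed input."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:                     # QR bit set: this is a response
        raise ValueError("not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:                    # root label terminates the name
            break
        if length & 0xC0:                  # compression pointers never appear here
            raise ValueError("compression pointer in question name")
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels).lower(), qtype


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Construct a standard recursive DNS query; used only to build the
    constructed sample packets below."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def matches_signature(payload: bytes, signature: str) -> bool:
    """Emulate an Access-Control content signature on DNS: match when the
    decoded query name contains the signature. Malformed packets do not match
    (they would be handled by protocol-anomaly rules, not by this check)."""
    try:
        qname, _ = parse_dns_question(payload)
    except ValueError:
        return False
    return signature.lower() in qname


# Constructed sample packets; host names are placeholders, not real servers.
SIGNATURE = "spotify"                      # assumed signature string
SAMPLES = {
    "client-launch": build_query("cdn.example-spotify-host.example"),
    "mixed-case":    build_query("CDN.EXAMPLE-SPOTIFY-HOST.EXAMPLE"),
    "unrelated":     build_query("www.example.com"),
    "truncated":     build_query("cdn.example-spotify-host.example")[:20],
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:14s} matched={matches_signature(pkt, SIGNATURE)}")
```

    Only the "client-launch" and "mixed-case" packets match; the unrelated query passes, and the truncated packet is treated as malformed rather than matched.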
  • Page 586: What Could Go Wrong

    Go to the ZyWALL/USG Monitor > Log; you will see a [crit] log message such as the one below. Monitor > Log What Could Go Wrong? If you are not able to configure any IDP policies, or they are not working, there are two possible reasons: You have not subscribed to the IDP service.
  • Page 587: How To Test The Eicar Anti-Virus Test File

    How To Test the EICAR Anti-Virus Test File This is an example of using a ZyWALL/USG Anti-Virus Profile to protect against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal traffic flows such as port scans. ZyWALL/USG with Anti-Virus Setting and EICAR Test Example Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 588: Set Up The Anti-Virus Profile On The Zywall/Usg

    Set Up the Anti-Virus Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Anti-Virus > Profile > Profile Management > Add rule, configure a Name for you to identify the Anti-Virus Profile. Select Log type to be log alert in order to view the result later. CONFIGURATION >...
  • Page 589: Set Up The Security Policy On The Zywall/Usg

    Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control, configure a Name for you to identify the Security Policy profile. For From and To policies, select the direction of travel of packets to which the policy applies. Scroll down to UTM Profile, select Anti-Virus and select a profile from the list box (EICAR in this example).
  • Page 590: Test The Result

    Test the Result Download the EICAR test file for testing the result: http://www.eicar.org/85-0-Download.html
  • Page 591: What Could Go Wrong

    Go to the ZyWALL/USG Monitor > Log to see a [crit] log message such as the one below. Monitor > Log What Could Go Wrong? If you are not able to see the log message, the EICAR test file might have been detected and blocked by other Anti-Virus software before the ZyWALL/USG scanned it.
  • Page 592: How To Block Downloading Of Doc, Pdf, Xls And Zip Files

    How To Block Downloading of DOC, PDF, XLS and ZIP Files This is an example of using a ZyWALL/USG UTM Profile to block accessing and downloading files from an FTP or HTTP server. Use the Anti-Virus Black List to set up the list of blocked file patterns that restrict accessing and downloading of certain files.
  • Page 593: Set Up The Anti-Virus Profile On The Zywall/Usg

    Set Up the Anti-Virus Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Anti-Virus > Black/White List > Black List, click the Add icon. Use wildcards (*) to configure the File Pattern. CONFIGURATION > UTM Profile > Anti-Virus > Black/White List > Black List > Add rule Go to CONFIGURATION >...
  • Page 594 In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Anti-Virus > Profile > Profile Management > Add rule and configure a Name for you to identify the Anti-Virus Profile. Select Log type to be log alert in order to view the result later. Make sure you select Check Black List and click OK.
  • Page 595: Set Up The Security Policy On The Zywall/Usg

    Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control, configure a Name for you to identify the Security Policy profile. For From and To policies, select the direction of travel of packets to which the policy applies. Scroll down to UTM Profile, select Anti-Virus and select a profile from the list box (Block_FTP_HTTP_Download in this example).
  • Page 596: Test The Result

    Test the Result When you download a PDF file from the HTTP server, the browser will display: Failed to load PDF document.
  • Page 597: What Could Go Wrong

    When you download a PDF file from the FTP server, the browser won’t be able to display the content. Go to the ZyWALL/USG Monitor > Log to see an [info] log message such as the one below. Monitor > Log What Could Go Wrong? If you are not able to configure any Anti-Virus policies, or they are not working, there are two possible reasons:
  • Page 598 You have not subscribed to the Anti-Virus service. You have subscribed to the Anti-Virus service but the license has expired. You can click the link from the CONFIGURATION > Licensing > Registration screen of your ZyXEL device’s Web Configurator or click the myZyXEL.com 2.0 icon from the portal page (https://portal.myzyxel.com/) to register or extend your Anti-Virus license.
  • Page 599: How To Configure An Anti-Spam Policy With Mail Scan And Dnsbl

    How To Configure an Anti-Spam Policy with Mail Scan and DNSBL This is an example of using a ZyWALL/USG UTM Profile to mark or discard spam (unsolicited commercial or junk e-mail). Use the Anti-Spam white list to identify legitimate e-mail. Use the Anti-Spam black list to identify spam e-mail. The ZyWALL/USG can also check e-mail against a DNS Black List (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
  • Page 600: Set Up The Anti-Spam Profile On The Zywall/Usg

    Set Up the Anti-Spam Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Anti-Spam > Profile > Profile Management > Add rule, configure a Name for you to identify the Anti-Spam profile. Select from the list of available Scan Options and the desired Log type: whether to have the ZyWALL/USG generate a log (log), a log and alert (log alert) or neither (no) by default when traffic matches this policy.
  • Page 601 In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Anti-Spam > Mail Scan. Select Enable Sender Reputation Checking (SMTP only) to have the ZyWALL/USG scan for spam e-mail by IP reputation. Select Enable Mail Content Analysis to identify spam e-mail by its content, such as malicious content. Select Enable Virus Outbreak Detection to scan for viruses attached to e-mails, and leave the Query Timeout Settings as they are.
  • Page 602 In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > Anti-Spam > Black/White List > Black List > General Settings, select Enable Black List Checking to have the ZyWALL/USG treat e-mail that matches an active black list entry as spam. CONFIGURATION >...
  • Page 603: Set Up The Security Policy On The Zywall/Usg

    Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control, configure a Name for you to identify the Security Policy profile. For From and To policies, select the direction of travel of packets to which the policy applies. Scroll down to UTM Profile, select Anti-Virus and select a profile from the list box (Anti_Spam_Check in this example).
  • Page 604: Test The Result

    Test the Result Send an e-mail whose subject contains “sell”. You will receive the e-mail with a [Spam] tag in the subject.
  • Page 605: What Could Go Wrong

    Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below. Monitor > Log What Could Go Wrong? If you are not able to configure any Anti-Spam policies, or they are not working, there are two possible reasons: You have not subscribed to the Anti-Spam service.
  • Page 606: How To Configure Bandwidth Management For Ftp And Http Traffic

    How to Configure Bandwidth Management for FTP and HTTP Traffic This is an example of using ZyWALL/USG Bandwidth Management (BWM) to control the bandwidth allocation for FTP and HTTP traffic. You can use source interface, destination interface, destination port, schedule, user, source, destination information, DSCP code and service type as criteria to create a sequence of specific conditions that allocate bandwidth to the matching packets.
  • Page 607: Set Up The Bandwidth Management For Ftp On The Zywall/Usg

    Set Up the Bandwidth Management for FTP on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type FTP Any-to-WAN as the policy’s Description. Leave the Incoming Interface set to any and set the Outgoing Interface to wan1.
  • Page 608: Set Up The Bandwidth Management For Http On The Zywall/Usg

    CONFIGURATION > BWM > Configuration > Add Policy Note: In Bandwidth Management, the highest priority is (1) and the lowest priority is (7). Set Up the Bandwidth Management for HTTP on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type HTTP Any-to-WAN as the policy’s Description (Optional).
  • Page 609 Leave the Incoming Interface set to any and set the Outgoing Interface to wan1. Set Service Type to Service Object and select HTTP from the list box. Set the Guaranteed Bandwidth Inbound to 600 (kbps) and set the higher Priority 3. Set the Maximum to 800 (kbps).
  • Page 610: Set Up The Bandwidth Management Global Setting On The

    Note: In Bandwidth Management, the highest priority is (1) and the lowest priority is (7). Set Up the Bandwidth Management Global Setting on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > BWM Global Setting and select Enable. CONFIGURATION > BWM > BWM Global Setting Test the Result Access the Internet to generate FTP traffic and HTTP traffic.
  • Page 611: What Could Go Wrong

    Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below. Monitor > Log What Could Go Wrong? Note that “Outbound” in the guaranteed bandwidth settings applies to traffic going from the connection initiator to the outgoing interface, and “Inbound” refers to the reverse direction.
  • Page 612: How To Limit Bittorrent Or Other Peer-To-Peer Traffic

    How to Limit BitTorrent or Other Peer-to-Peer Traffic This is an example of using ZyWALL/USG Bandwidth Management (BWM) to control the bandwidth allocation for peer-to-peer traffic. You can use source interface, destination interface, destination port, schedule, user, source, destination information, DSCP code and service type as criteria to create a sequence of specific conditions that allocate bandwidth to the matching packets.
  • Page 613: Set Up The Application Patrol Profile On The Zywall/Usg

    Set Up the Application Patrol Profile on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > Application > Add Application Rule. Configure a Name for you to identify the Application Profile. Then click Add to create an Application Object. CONFIGURATION >...
  • Page 614: Set Up The Bandwidth Management For Bittorrent On The Zywall/Usg

    Set Up the Bandwidth Management for BitTorrent on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type BitTorrent Any-to-Any as the policy’s Description. Leave the Incoming Interface set to any and set the Outgoing Interface to wan1.
  • Page 615 CONFIGURATION > BWM > Configuration > Add Policy Note: In Bandwidth Management, the highest priority is (1) and the lowest priority is (7).
  • Page 616: Set Up The Bandwidth Management Global Setting On The Zywall/Usg

    Set Up the Bandwidth Management Global Setting on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > BWM Global Setting and select Enable. CONFIGURATION > BWM > BWM Global Setting Test the Result Download the BitTorrent application to test the result: http://www.bittorrent.com/downloads In this example an 826 MB file is downloading, and the Down Speed is limited to a maximum of 65 kB/s.
  • Page 617: What Could Go Wrong

    What Could Go Wrong? Note that “Outbound” in the guaranteed bandwidth settings applies to traffic going from the connection initiator to the outgoing interface, and “Inbound” refers to the reverse direction. Make sure you have registered the Application Patrol service on the ZyWALL/USG in order to use an Application Object as the Service Type in the bandwidth management rules.
  • Page 618: How To Configure A Trunk For Wan Load Balancing With A Static Or Dynamic Ip Address

    How to Configure a Trunk for WAN Load Balancing with a Static or Dynamic IP Address This is an example of using a ZyWALL/USG Trunk for two WAN connections to the Internet. The available bandwidth for the connections is 1000 kbps (wan1 with a static IP address) and 512 kbps (wan2 with a dynamic IP address) respectively.
  • Page 619: Set Up The Available Bandwidth On Wan1 Interfaces On The Zywall/Usg

    Set Up the Available Bandwidth on WAN1 Interfaces on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Interface > Ethernet > WAN1 > Egress Bandwidth and enter the available bandwidth (1000 kbps) in the Egress Bandwidth field. Click OK. CONFIGURATION >...
  • Page 620: Set Up The Available Bandwidth On Wan2 Interfaces On The Zywall/Usg

    Set Up the Available Bandwidth on WAN2 Interfaces on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Interface > Ethernet > WAN2 > Egress Bandwidth and enter the available bandwidth (512 kbps) in the Egress Bandwidth field. Click OK. CONFIGURATION >...
  • Page 621: Test The Result

    CONFIGURATION > Interface > Trunk > User Configuration > Add Trunk In the Configuration screen, go to the Default WAN Trunk section, select User Configured Trunk and select the newly created Trunk from the list box. Click Apply. CONFIGURATION > Interface > Trunk > Default WAN Trunk Test the Result Browse any website to test the result.
  • Page 622: What Could Go Wrong

    What Could Go Wrong? If there is no traffic passing through either the WAN1 or the WAN2 interface, check that the Mode of both WAN1 and WAN2 is Active. If a trunk member is in Passive mode, the ZyWALL/USG will use this connection only when all of the connections set to Active mode are down.
  • Page 623: How To Configure Dns Inbound Load Balancing To Balance Dns Queries Among Interfaces

    How to Configure DNS Inbound Load Balancing to Balance DNS Queries Among Interfaces This is an example of having the ZyWALL/USG dynamically respond to DNS query messages with the IP address of its least loaded interface. The DNS query senders will then transmit packets to that interface instead of to an interface that has a heavy load.
  • Page 624: Set Up The Dns Inbound Load Balancing On The Zywall/Usg

    Set Up the DNS Inbound Load Balancing on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > DNS Inbound LB. Edit the Query Domain Name and set the Load Balancing Algorithm field to Least Load - Total.
  • Page 625: Set Up The Nat Rule On The Zywall/Usg

    CONFIGURATION > Network > DNS Inbound LB Go to the Global Setting page and select Enable DNS Load Balancing. CONFIGURATION > Network > DNS Inbound LB Set Up the NAT Rule on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > NAT. Configure the Virtual Server to forward the traffic from the WAN to the Internal Server (192.168.1.33).
  • Page 626: Test The Result

    CONFIGURATION > Network > NAT Test the Result Open the browser and query http://zyxel.for-our.info/.
  • Page 627: What Could Go Wrong

    Create a Security Policy in order to view the testing result. Set Destination to the Internal Server IP address (192.168.1.33 in this example) and set Log type to Log Alert. Go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below.
  • Page 628: How To Manage Voice Traffic

    How to Manage Voice Traffic This is an example of using an Application Layer Gateway (ALG) to allow SIP (Session Initiation Protocol) voice traffic through the ZyWALL/USG. To achieve high-quality voice transmissions, use the ZyWALL/USG Bandwidth Management (BWM) function to effectively manage bandwidth according to flexible criteria.
  • Page 629: Set Up The Sip Alg On The Zywall/Usg

    Set Up the SIP ALG on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > SIP > SIP Settings and select Enable SIP ALG, Enable SIP Transformations (optional), Restrict Peer to Peer Signaling Connection and Restrict Peer to Peer Media Connection. Make sure the SIP Signaling Port is configured to match your VoIP phone’s SIP signaling port.
  • Page 630: Set Up The Bandwidth Management For P2P On The Zywall/Usg

    Set Up the Bandwidth Management for P2P on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type P2P Any-to-WAN as the policy’s Description. Leave the Incoming Interface set to any and set the Outgoing Interface to WAN1.
  • Page 631: Set Up The Bandwidth Management For Ftp On The Zywall/Usg

    CONFIGURATION > BWM > Configuration > Add Policy Note: In Bandwidth Shaping, the highest priority is (1) and the lowest priority is (7). Set Up the Bandwidth Management for FTP on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > BWM > Configuration > Add Policy, select Enable and type FTP Any-to-Any as the policy’s Description.
  • Page 632 Leave the Incoming Interface set to any and set the Outgoing Interface to WAN1. Set Service Type to Service Object and select FTP from the list box. Set the Guaranteed Bandwidth Inbound to 150 (kbps) and set Priority 5. Set the Maximum to 200 (kbps).
  • Page 633: Test The Result

    Test the Result Add a Security Policy rule to view the SIP log: CONFIGURATION > BWM > Configuration > Add Policy Dial Phone Number 1001 (192.168.10.2 in this example) from Phone Number 1002 (192.168.100.2 in this example), then go to the ZyWALL/USG Monitor > Log; you will see an [alert] log message such as the one below.
  • Page 634: What Could Go Wrong

    What Could Go Wrong? If you see an [alert] log message such as the one below, the voice traffic is being blocked by the priority 1 Security Policy. The ZyWALL/USG checks the security policies in order and applies the first security policy the traffic matches. If the voice traffic matches a policy that comes earlier in the list, it may be unexpectedly blocked.
  • Page 635: How To Manage Zywall/Usg Configuration Files

    How to Manage ZyWALL/USG Configuration Files This is an example of how to rename, download, copy, apply and upload configuration files. Once your ZyWALL/USG is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes.
  • Page 636: Rename The Configuration Files From The Zywall/Usg

    Note: This example uses a USG310 (Firmware Version: ZLD 4.25). Rename the Configuration Files from the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE > File Manager > Configuration File, select the configuration file and click Rename. A pop-up screen will appear allowing you to edit the Target file name.
  • Page 637: Download The Configuration Files On The Zywall/Usg

    Download the Configuration Files on the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE > File Manager > Configuration File, select the configuration file and click Download to back up your configuration file from the ZyWALL/USG to your computer. MAINTENANCE > File Manager > Configuration File Copy the Configuration Files on the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE >...
  • Page 638: Apply The Configuration Files On The Zywall/Usg

    Apply the Configuration Files on the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE > File Manager > Configuration File and select a specific configuration file to have the ZyWALL/USG use it. For example, select the system-default.conf file and click Apply to reset all of the ZyWALL/USG settings to the factory defaults.
  • Page 639: Upload The Configuration Files From The Zywall/Usg

    A pop-up screen will appear allowing you to edit the Target file name. Select Immediately stop applying the configuration file and roll back to the previous configuration to get the ZyWALL/USG started with a fully valid configuration file as quickly as possible.
  • Page 640: What Could Go Wrong

    Upload Configuration File, select Browse to upload a new or previously saved configuration file from your computer to your ZyWALL/USG. You cannot upload a configuration file named system-default.conf or lastgood.conf. If you upload startup-config.conf, it will replace the current configuration and immediately apply the new settings.
  • Page 641: How To Manage Zywall/Usg Firmware

    How to Manage ZyWALL/USG Firmware This is an example of using the ZyWALL/USG to check your current firmware version and upload firmware to the ZyWALL/USG. You can upload firmware to be the Running firmware or the Standby firmware. ZyWALL/USG with Firmware Management Example Note: The firmware update can take up to five minutes.
  • Page 642: Download The Current Firmware Version From Zyxel.com

    Download the Current Firmware Version from ZyXEL.com Go to www.zyxel.com/support/download_landing.shtml and download the current firmware package. Extract the firmware zip file.
  • Page 643: Upload The Firmware On The Zywall/Usg

    Upload the Firmware on the ZyWALL/USG In the ZyWALL/USG, go to MAINTENANCE > File Manager > Firmware Package > Upload File. Click the To upload image file in system space pull-down menu and select (1) or (2). The default Standby system space is (2), so if you want to upload new firmware to be the Running firmware, select the Running system space (1).
  • Page 644 MAINTENANCE > File Manager > Firmware Package > Upload File > (2) To upload firmware, click Browse, navigate to the location of the file (*.bin) and then click Upload.
  • Page 645 Note: The default Running system space is (1) and the Standby system space is (2). If you select the Standby firmware and click Reboot now, or you upload a file to the Standby system space (2) and set Boot Options to Reboot now, then after the reboot process completes the Running system space will be (2).
  • Page 646: What Could Go Wrong

    What Could Go Wrong? If you cannot download the firmware, check whether you have enabled the Destroy compressed files that could not be decompressed function in Anti-Virus. The ZyWALL/USG firmware package is a ZIP file; if the ZyWALL/USG classifies the firmware package as one that cannot be decompressed, it will delete it. Disable this option while downloading the firmware package.
  • Page 647: How To Get Started Using The Wizards

    How to Get Started Using the Wizards When you log into the Web Configurator for the first time, or when you reset the ZyWALL/USG to its default configuration, the Installation Setup Wizard screen displays. This is an example of using the ZyWALL/USG Wizards to configure Internet connection settings, wireless settings and device registration services.
  • Page 648 In the Internet Access page, you can configure Internet connections from two Internet service providers (ISPs). Connect your ISP devices to your ZyWALL/USG WAN port, then select I have two ISPs if you want to configure two Internet connections, or leave it cleared to configure just one.
  • Page 649 Set the Encapsulation option to Ethernet and leave Zone at its default setting so the Internet connection belongs to the WAN zone. In the IP Address Assignment section, select Auto if your ISP did not assign you a fixed IP address, or select Static if your ISP did assign you a fixed IP address. Click Next.
  • Page 650 The Internet Access Succeed page will display the summary of the Internet access First Setting. If you selected I have two ISPs in Internet Access > ISP Setting, click Next to configure the second WAN interface; otherwise continue to the Wireless Settings page.
  • Page 651: Set Up The Internet Access (Pppoe) Wizard On The Zywall/Usg

    Set Up the Internet Access (PPPoE) Wizard on the ZyWALL/USG In the ZyWALL/USG Installation Setup Wizard Welcome page, click Next to start configuring the Internet connection. Click the double arrow in the upper right corner to display (≪) or hide (≫) the help. Installation Setup Wizard >...
  • Page 652 Set the Authentication Type to the authentication method required by the remote node. Enter the User Name and Password exactly as given by your ISP or network administrator. Select Nailed-UP if you want to keep the connection always up, or type the desired Idle Timeout value in seconds.
  • Page 653: Set Up The Internet Access (Pptp) Wizard On The Zywall/Usg

    Next to configure the second WAN interface. Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed Set Up the Internet Access (PPTP) Wizard on the ZyWALL/USG In the ZyWALL/USG Installation Setup Wizard Welcome page, click Next to start configuring the Internet connection.
  • Page 654 In the Internet Access page, you can configure Internet connections from two Internet service providers (ISPs). Connect your ISP devices to your ZyWALL/USG WAN port, then select I have two ISPs if you want to configure two Internet connections, or leave it cleared to configure just one. Set the Encapsulation option to PPTP and leave Zone at its default setting so the Internet connection belongs to the WAN zone.
  • Page 655 Set the Authentication Type to the authentication method required by the remote node. Enter the User Name and Password exactly as given by your ISP or network administrator. Select Nailed-UP if you want to keep the connection always up, or type the desired Idle Timeout value in seconds.
  • Page 656: Set Up The Wireless Settings Wizard On The Zywall/Usg

    The Internet Access Succeed page will display the summary of the Internet access First Setting. If you selected I have two ISPs in Internet Access > ISP Setting, click Next to configure the second WAN interface. Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed Set Up the Wireless Settings Wizard on the ZyWALL/USG In the Wireless Settings page, select Yes if you want the ZyWALL/USG to enable the AP Controller feature in your network;...
  • Page 657 Configure a descriptive SSID name (1-32 characters) for the wireless LAN. Select Pre-Shared Key (8-63 characters) to add security to this wireless network. Otherwise, select None to allow any wireless client to associate with this network without authentication. Select Hidden SSID to hide the SSID from site survey tools. Select Enable Intra-BSS Traffic blocking if you want to prevent crossover traffic between clients within the same wireless network.
  • Page 658: Set Up The Device Registration On The Zywall/Usg

    devices in the AP wireless network. Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed > Wireless Settings Set Up the Device Registration on the ZyWALL/USG The ZyWALL/USG must be connected to the Internet in order to register. Click portal.myzyxel.com to register the device; you need the ZyWALL/USG’s serial number and LAN MAC address to register it.
  • Page 659 Services at myZyXEL.com for more details. Use the Configuration > Licensing > Registration > Service screen to update your service subscription status. Click Finish. Installation Setup Wizard > Welcome > Internet Access > Internet Access Succeed > Wireless Settings > Device Registration
  • Page 660: How To Configure The 3G/Lte Interface On The Zywall/Usg As A Wan Backup

    How to Configure the 3G/LTE Interface on the ZyWALL/USG as a WAN Backup This is an example of configuring the ZyWALL/USG 3G/LTE interface as a WAN backup, which ensures that the ZyWALL/USG keeps providing Internet connectivity when the primary WAN interface is down. After configuration, it can provide additional mobile broadband WAN connectivity or a redundant link for maximum reliability.
  • Page 661: Set Up The 3G/Lte Interface On The Zywall/Usg

    Set Up the 3G/LTE Interface on the ZyWALL/USG Connect a compatible mobile broadband USB device to use a cellular connection. In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Cellular; the connected device will automatically appear in the Cellular Interface Summary. Click Activate and then the Apply button at the bottom of the page.
  • Page 662: Set Up The Trunk On The Zywall/Usg

    Set Up the Trunk on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Trunk > User Configuration > Add Trunk, configure a Name for you to identify the Trunk profile and set the Load Balancing Algorithm field to Weighted Round Robin. Add wan1 and enter 3 in the Weight column.
  • Page 663: Test The Result

    Test the Result Check the Interface Statistics when the wan1 and wan2 connections are up. You can see that both the wan1 and wan2 Status are up, Tx B/s displays the transmission speed and Rx B/s displays the reception speed; the cellular1 Status is connected but there is no traffic going through this interface.
  • Page 664: What Could Go Wrong

    What Could Go Wrong? If there is no traffic going through the cellular interface when the other interfaces are down, make sure you have a compatible mobile broadband device installed or connected. Go to http://www.zyxel.com/support/download_landing.shtml and see the 3G Dongle Document to check the compatible mobile broadband devices.
  • Page 665: How To Configure Two Different Wan Interfaces With Different Ip Addresses In The Same Vlan

    How to Configure Two Different WAN Interfaces with Different IP Addresses in the Same VLAN This is an example of using the ZyWALL/USG to configure two different WAN interfaces with different IP addresses in the same VLAN. After configuration, you can have the same VLAN ID for two different WAN interfaces.
  • Page 666: Set Up The Port Grouping On The Zywall/Usg

    Set Up the Port Grouping on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Port Grouping and select the ports that you want to assign to a representative Interface (in this example, Port 4 and Port 5 are configured as ge5). CONFIGURATION >...
  • Page 667 In the Configuration page, select the vlan1 entry and click Create Virtual Interface on the upper bar. Configure the Fixed IP address (192.168.15.33/24 in this example). Click OK. CONFIGURATION > Network > Interface > VLAN > vlan1 CONFIGURATION > Network > Interface > VLAN > vlan1:1
  • Page 668: Set Up The Routing On The Zywall/Usg

    Set Up the Routing on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Routing, set Next-Hop Type to Interface and set Interface to vlan1. CONFIGURATION > Network > Routing Test the Result Check the Interface Statistics; you can see that the vlan1 Status is up, Tx B/s displays the transmission speed and Rx B/s displays the reception speed.
  • Page 669: What Could Go Wrong

    What Could Go Wrong? If you cannot configure a particular VLAN interface on top of an Ethernet interface, check whether this VLAN has already been created on top of another Ethernet interface.
  • Page 670: How To Let A Server Use The Same Public Ip Address As The Wan Interface Using The Bridge Interface

    How to Let a Server Use the Same Public IP Address as the WAN Interface Using the Bridge Interface This is an example of using the ZyWALL/USG to configure an internal server in bridge mode without applying network address translation (NAT). Internet users can reach this server directly by its public IP address.
  • Page 671: Set Up The Bridge Interface On The Zywall/Usg

    Set Up the Bridge Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Bridge > add Bridge, set Interface Type to general and set Zone to the LAN zone. In the Member Configuration, select the internal server (IntServer1 interface in this example) and the public IP address (Public WAN interface in this example) to be in the same member group.
  • Page 672: Test The Result

    After creating the bridge interface, connect the server's network cable to the IntServer1 port and set the server's IP address to be in the same subnet (172.124.163.158 in this example). Test the Result Check the Interface Statistics; you can see that the br1 Status is up, Tx B/s displays the transmission speed and Rx B/s displays the reception speed.
  • Page 673: What Could Go Wrong

    What Could Go Wrong? If you cannot configure a particular bridge IP address, check whether this IP address has already been assigned to another Ethernet interface.
  • Page 674: How To Allow Public Access To A Server Behind Zywall/Usg

    How to Allow Public Access to a Server Behind ZyWALL/USG This is an example of using the ZyWALL/USG to configure secure access to an internal server behind the ZyWALL/USG with network address translation (NAT). Internet users can reach this server directly by its public IP address, and a NAT mapping rule forwards the traffic from the Internet to the Intranet.
  • Page 675: Set Up The Nat On The Zywall/Usg

    Set Up the NAT on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > NAT > add NAT and select Enable Rule. Select 1:1 NAT. Set Incoming Interface to the wan1 interface. Type the User-Defined Original IP (172.251.31.90 in this example) and the User-Defined Mapped IP (192.168.1.34 in this example).
  • Page 676: Test The Result

    Test the Result Type http://172.251.31.90/ into the browser; it displays the HTTP service page.
  • Page 677: What Could Go Wrong

    What Could Go Wrong? If you cannot access your server via its public IP address, make sure all your public IP addresses are routed properly. To do so, assign them one by one to the ZyWALL’s WAN port and test that you have Internet access with each public IP address.
  • Page 678: How To Set Up A Wifi Network With Zyxel Aps

    How to Set Up a WiFi Network with ZyXEL APs This is an example of using the ZyWALL/USG to manage Access Points (APs) and allow wireless access to the network. ZyWALL/USG as AP Controller Example Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.
  • Page 679: Set Up The Ap Management On The Zywall/Usg

    Set Up the AP Management on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Wireless > Controller > Configuration and set Registration Type to Manual. This is recommended because the registration mechanism cannot automatically differentiate between friendly and rogue APs. CONFIGURATION >...
  • Page 680 Go to CONFIGURATION > Object > AP Profile > SSID > Security List and set the Security Mode to wpa2. Then set a Pre-Shared Key (8-63 characters) and set the Cipher Type to auto to have the ZyWALL/USG automatically choose the best available cipher based on the cipher currently in use by the wireless network.
  • Page 681: Test The Result

    Test the Result Go to the ZyWALL/USG Monitor > Wireless > AP Information > AP List, where you can check the list of APs currently connected to it and detailed information such as Registration type, Model and Recent On-line Time / Last Off-line Time.
  • Page 682 number it can support. You can check the maximum supported number for each ZyWALL/USG in the Datasheet from the ZyXEL Download Library - http://www.zyxel.com/support/download_landing.shtml If your mobile device can’t find the AP SSID you configured, go to CONFIGURATION > Object > AP Profile > SSID > SSID List and check whether the Hidden SSID option is enabled.
  • Page 683: How To Set Up Guest Wifi Network Accounts

    How to Set Up Guest WiFi Network Accounts This is an example of using the ZyWALL/USG to configure guest WiFi accounts that allow limited wireless access to the Internet using only the HTTP, HTTPS and DNS protocols. For the wireless network setup, see the tutorial How to Set Up WiFi with ZyXEL AP.
  • Page 684: Set Up The Wifi Guest Account, Address Range And Service Rule On The Zywall/Usg

    Set Up the WiFi Guest Account, Address Range and Service Rule on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > User/Group > User > Add A User to configure the User Name for the guest Wi-Fi user, and set User Type to guest. Set a secure Password (4-31 characters) and enter it again for confirmation.
  • Page 685 CONFIGURATION > Object > Address > Add Address Rule In the ZyWALL/USG, go to CONFIGURATION > Object > Service > Service Group > Add Service Group Rule to create the allowed protocols for the guest Wi-Fi user. Configure the Name for you to identify the Service Group. Set HTTP, HTTPS and DNS to be in the same member group and click OK.
  • Page 686: Set Up The Web Authentication On The Zywall/Usg

    Set Up the Web Authentication on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Web Authentication > Web Authentication Policy Summary > Auth. Policy Add to configure a policy that redirects HTTP traffic to the user login screen. Configure the Description (Optional) for you to identify the auth.
  • Page 687: Set Up The Security Policy On The Zywall/Usg

    Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy > Add corresponding. Configure a Name for you to identify the Security Policy profile. Set From: LAN and To: any (Excluding ZyWALL). Set Service to the Service Group Rule (wifi_guest_access in this example).
  • Page 688: Test The Result

    Test the Result Use a mobile device to connect to the AP that is connected to the ZyWALL/USG. When you try to access the Internet, you will be redirected to the user login screen. Type the Wi-Fi guest User Name and Password, then click Login.
  • Page 689 The access session page will appear.
  • Page 690: What Could Go Wrong

    Go to the ZyWALL/USG Monitor > System Status > Login Users; you will see the current login user list as shown below. Monitor > System Status > Login Users Attempt to access an FTP server (the prohibited service in this example) and you get an error message.
  • Page 691 matches a policy that comes earlier in the list, it may be unexpectedly blocked. Change your policy setting or move the Wi-Fi guest policy to a higher priority. Monitor > Log Note: The default setting of a Security Policy is without log notification (except PolicyDefault); if you want to check which policy may potentially be blocking the traffic, select this policy and set Log matched traffic to log or log alert.
  • Page 692: How To Create A Wi-Fi Vlan Interfaces To Separate Staff Network And Guest Network

    How to create Wi-Fi VLAN interfaces to separate the staff network and the Guest network This example shows how to create Wi-Fi VLAN interfaces to separate the staff network from the Guest network. Suppose there should be no limitation for the staff network, but guests must be restricted from accessing the USG.
  • Page 693: Set Up Wi-Fi Vlan Interfaces

    Set up Wi-Fi VLAN interfaces Create VLAN interfaces Go to CONFIGURATION > Object > Zone. Create a zone for the guest. CONFIGURATION > Object > Zone Go to CONFIGURATION > Network > Interface > VLAN. Create VLAN16 for Staff_WiFi and VLAN17 for Guest_WiF CONFIGURATION >...
  • Page 694 CONFIGURATION > Network > Interface > VLAN > VLAN17 There will be two VLAN interfaces. CONFIGURATION > Network > Interface > VLAN
  • Page 695 Set Up the User Go to Configuration > Object > User/Group > User, and create users for the staff and the guest. Configuration > Object > User/Group > User > staff Configuration > Object > User/Group > User > guest
  • Page 696 There will be two users. Set Up the AP Profile Go to CONFIGURATION > Object > AP Profile > SSID > Security List, and create two security profiles. CONFIGURATION > Object > AP Profile > SSID > Security List > Guest_WPA2
  • Page 697 CONFIGURATION > Object > AP Profile > SSID > Security List > Staff_WPA2 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, and create two SSID profiles. CONFIGURATION > Object > AP Profile > SSID > SSID List > Staff_Wifi CONFIGURATION >...
  • Page 698 Go to CONFIGURATION > Wireless > AP Management > AP Group, and add an AP Group named WiFi. CONFIGURATION > Wireless > AP Management > AP Group Go to CONFIGURATION > Wireless > AP Management > Mgnt. AP List, and edit the AP List.
  • Page 699 CONFIGURATION > Wireless > AP Management > Mgnt. AP List Set Up the Security Policy Rule Go to CONFIGURATION > Security Policy > Policy Control > Policy. Add one rule to block Guest access to the USG, and another to allow Internet access. CONFIGURATION >...
  • Page 700: Test Result

    CONFIGURATION > Security Policy > Policy Control > Policy > Guest_Internet Test result Connect to the SSID Staff_WiFi and ping the USG interface.
  • Page 701: What Could Go Wrong

    Connect to the SSID Guest_WiFi and ping the USG interface. What could go wrong Choosing the wrong zone for the Guest VLAN interface.
  • Page 702 Not changing the AP to the correct group. Not creating the correct rule to block Guest access to the USG.
  • Page 703: How To Set Up Wifi Networks With Microsoft Active Directory Authentication

    How to Set Up WiFi Networks with Microsoft Active Directory Authentication This is an example of using the ZyWALL/USG to configure guest WiFi accounts with Microsoft Active Directory (AD) to authenticate your WiFi guests. For the wireless network setup, see How to Set Up WiFi with ZyXEL AP. ZyWALL/USG with AD Guest WiFi Accounts Example Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 704: Set Up The Wi-Fi Guest Account And Authentication Method On The Zywall/Usg

    Set Up the Wi-Fi Guest Account and Authentication Method on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > User/Group > User > ad-users, set the Authentication Timeout Settings to Use Manual Settings and enter the number of minutes this user has to renew the current session before the user is logged out.
  • Page 705: Set Up The Active Directory Server Account On The Zywall/Usg

    CONFIGURATION > Web Authentication > General Settings Set Up the Active Directory Server Account on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Object > AAA Server > Active Directory > Add Active Directory to configure the AD server. Enter the Server Address (192.168.1.33 in this example) and Base DN (dc=cso,dc=net in this example).
  • Page 706: Set Up The Security Policy On The Zywall/Usg

    CONFIGURATION > Object > AAA Server > Active Directory > Add Active Directory Set Up the Security Policy on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy > Add corresponding. Configure a Name for you to identify the Security Policy profile. Set From: LAN and To: any (Excluding ZyWALL).
  • Page 707: Test The Result

    Test the Result Use a mobile device to connect to the AP that is connected to the ZyWALL/USG. When you try to access the Internet, you will be redirected to the user login screen.
  • Page 708 Type the Wi-Fi guest User Name and Password and click Login. The access session page will appear.
  • Page 709: What Could Go Wrong

    Go to the ZyWALL/USG Monitor > System Status > Login Users; the current login user list is shown as below. Monitor > System Status > Login Users What Could Go Wrong? If you see the [notice] log shown below, the Wi-Fi guest traffic is being blocked by the priority 1 Security Policy.
  • Page 710: How To Set Up Ipv6 Interfaces For Pure Ipv6 Routing

    How to Set Up IPv6 Interfaces for Pure IPv6 Routing This example shows how to configure the ZyWALL/USG WAN and LAN interfaces that connect two IPv6 networks. The ZyWALL/USG periodically advertises the network prefix 2002:1111:1111:1111::/64 to the LAN through router advertisements. ZyWALL/USG with Pure IPv6 Network Example Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 711: Enable The Ipv6 On The Zywall/Usg

    Enable IPv6 on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > System > IPv6 > Global Setting, select Enable IPv6 and click Apply at the bottom of the screen. CONFIGURATION > System > IPv6 > Global Setting Set Up the WAN IPv6 Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION >...
  • Page 712: Set Up The Lan Ipv6 Interface On The Zywall/Usg

    CONFIGURATION > Network > Interface > Ethernet > wan1 Note: Your ISP or uplink router should enable router advertisement. Set Up the LAN IPv6 Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Ethernet > lan1. Select Enable Interface and Enable IPv6.
  • Page 713 CONFIGURATION > Network > Interface > Ethernet > lan1 > General Settings CONFIGURATION > Network > Interface > Ethernet > lan1 > IPv6 Router Advertisement Setting
  • Page 714: Test The Result

    Test the Result Connect a computer to the ZyWALL/USG’s LAN1. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel > Network and Sharing Center > Local Area Connection screen. Your computer should get an IPv6 address (starting with 2002:1111:1111:1111: in this example) from the ZyWALL/USG.
  • Page 715: What Could Go Wrong

    What Could Go Wrong? If your IPv6 connection is not working, make sure Auto-Configuration is enabled on the WAN1 IPv6 interface. If it is not, the ZyWALL/USG has no default route to forward the LAN’s IPv6 packets. In Windows, some IPv6 related tunnels may be enabled by default, such as Teredo and 6to4 tunnels.
  • Page 716: How To Set Up An Ipv6 6To4 Tunnel

    How to Set Up an IPv6 6to4 Tunnel This example shows how to configure your ZyWALL/USG to create an IPv6 6to4 tunnel. In this example, the ZyWALL/USG acts as a 6to4 router which connects the IPv4. After configuration, the ZyWALL/USG can assign an IPv6 address to clients behind it and pass IPv6 traffic through an IPv4 environment to reach a remote IPv6 network.
  • Page 717: Set Up The Lan Ipv6 Interface On The Zywall/Usg

    Set Up the LAN IPv6 Interface on the ZyWALL/USG The second and third 16-bit groups of the IPv6 address, counting from the left, must be derived from the wan1 IPv4 address (122.100.220.238 in this example), which is 7a64:dcee in hexadecimal. (You can go to https://isc.sans.edu/tools/ipv6.html#form to convert an IPv4 address into its default 6to4 equivalent.)
  • Page 718: Set Up The 6To4 Tunnel On The Zywall/Usg

    CONFIGURATION > Network > Interface > Ethernet > lan1 > IPv6 Router Advertisement Setting Set Up the 6to4 Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Tunnel > Add and select Enable. Enter tunnel0 as the Interface Name and select 6to4 as the Tunnel Mode.
  • Page 719: Test The Result

    CONFIGURATION > Network > Interface > Tunnel Test the Result Connect a computer to the ZyWALL/USG’s LAN1. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default.
  • Page 720: What Could Go Wrong

    Type ping -6 ipv6.google.com in a Command Prompt to test. You should get a response. Windows 7 > cmd > ping -6 ipv6.google.com What Could Go Wrong? If your IPv6 connection is not working, make sure Auto-Configuration is disabled on the LAN1 IPv6 interface.
  • Page 721: How To Set Up An Ipv6-In-Ipv4 Tunnel

    How to Set Up an IPv6-in-IPv4 Tunnel This example shows how to configure your ZyWALL/USG to create an IPv6-in-IPv4 tunnel. In this example, the ZyWALL/USG acts as an IPv6-in-IPv4 router connecting the IPv4 Internet and an individual IPv6 network. This configuration example only shows the settings on ZyWALL/USG_Z.
  • Page 722: Set Up The Lan Ipv6 Interface On The Zywall/Usg

    Set Up the LAN IPv6 Interface on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Ethernet > lan1. Select Enable Interface and Enable IPv6. Type 2002:7a64:dcee:1::111/128 in the IPv6 Address/Prefix Length field for the LAN1’s IP address. Enable Router Advertisement.
  • Page 723: Set Up The 6To4 Tunnel On The Zywall/Usg

    CONFIGURATION > Network > Interface > Ethernet > lan1 > IPv6 Router Advertisement Setting Set Up the 6to4 Tunnel on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Interface > Tunnel > Add and select Enable. Enter tunnel0 as the Interface Name and select IPv6-in-IPv4 as the Tunnel Mode.
  • Page 724: Set Up The Policy Route On The Zywall/Usg

    CONFIGURATION > Network > Interface > Tunnel Set Up the Policy Route on the ZyWALL/USG In the ZyWALL/USG, go to CONFIGURATION > Network > Routing > IPv6 Configuration > Add, click Create New Object to create an IPv6 address object with the address prefix of 2002:7a64:dcee:1::/64.
  • Page 725: Test The Result

    CONFIGURATION > Network > Routing > Policy Route > IPv6 Configuration Test the Result Connect a computer to the ZyWALL/USG’s LAN1. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default.
  • Page 726: What Could Go Wrong

    Use the ping -6 [IPv6 IP address] command in a Command Prompt to test whether you can ping a computer behind ZyWALL/USG_Y. You should get a response. Windows 7 > cmd > ping -6 2001:b020:0:71::46 What Could Go Wrong? If your IPv6 connection is not working, make sure the WAN1 IPv4 interface is enabled.
  • Page 727: How To Update Firmware Automatically From A Usb Storage

    How to Update Firmware Automatically from USB Storage This example illustrates how to update the ZyWALL/USG’s firmware automatically from USB storage. With this feature, users can upgrade the firmware on numerous devices more efficiently, without Internet or GUI access. The user can also downgrade the firmware with this feature.
  • Page 728: Enable The Usb Firmware Upgrade Function By Cli Command

    Enable the USB Firmware Upgrade Function by CLI Command For security reasons, the function is disabled by default. The administrator must enable it with the following CLI command: Router(config)# usb-storage update-firmware enable Save the Firmware on the USB There are two ways to create the firmware folder on the USB storage.
  • Page 729: Plug The Usb Into The Device

    diagnostic_info firmware packet_trace Firmware Folder is Created Automatically Plug the USB into the Device Once the .bin file in the firmware folder is detected, the device will copy it to the RAM. Plug the USB storage into the USB port The following message shows on the console if the device fails to copy the .bin file.
  • Page 730: Check Firmware Status

    The device checks the USB firmware with the running partition only. It does not check the standby partition. Check model ID: If incompatible, the device deletes the firmware in the RAM. If compatible, the device checks the firmware version. Check firmware version: If it is the same as the running firmware, the device deletes the firmware in the RAM.
  • Page 731: What Can Go Wrong

    Check the Firmware Version on the Dashboard MONITOR > Log > View log What Can Go Wrong? The USB storage must use the FAT16, FAT32, EXT2, or EXT3 file system. Otherwise, it may not be detected by the ZyWALL/USG. The device only checks the firmware under the specific folder.
  • Page 732 Multiple firmware files for one model in the same folder are not supported. Make sure the product model ID of the USB firmware is compatible with the device. The device writes logs to the console and the device log if the firmware model ID is incompatible.
  • Page 733 Make sure the version of the USB firmware is different from that of the running partition. The device writes logs to the console and the device log if the firmware version is the same as the running firmware. Console Message MONITOR >...
  • Page 734: How To Configure Dhcp Option 60 - Vendor Class Identifier

    How to Configure DHCP Option 60 – Vendor Class Identifier The following figure depicts how the ZyWALL/USG uses DHCP option 60. By matching the VCI strings, a DHCP client can choose one specific DHCP server on the WAN network. This function is useful when there are several DHCP servers providing different services in an environment.
  • Page 735 In the ZyWALL/USG’s navigation panel, go to Configuration > Network > Interface. Click the Ethernet tab, go to WAN > Edit. Enter the VCI string in the Advance section of DHCP Option 60.
  • Page 736: Setting Up Dhcp Option 60 On The Cli

    Setting Up DHCP Option 60 on the CLI Under the specific interface path, use these commands to: Enable option 60 Router(config-if-wan1)# ip address dhcp option-60 {VCI_STRING} Disable option 60 Router(config-if-wan1)# no ip address dhcp option-60 Test DHCP Option 60 To test the DHCP option 60 function, use packet capture software to check whether the option 60 string is present in the DHCP discover message sent from the ZyWALL/USG WAN port.
  • Page 737: What Can Go Wrong

    What Can Go Wrong? Avoid using the same option 60 string on two or more DHCP servers; it may cause conflicts between the DHCP servers. Since option 60 is sent in cleartext, do not consider it a secure means of DHCP server authentication.
  • Page 738: How To Configure Device Ha Pro

    How to Configure Device HA Pro The Device HA feature acts as a failover when one of the devices in the network is dead or cannot access the Internet. Therefore, this is a popular feature for network environments. previous firmware version, supports...
  • Page 739: Device Ha Pro License

    Device HA Pro License The Device HA Pro feature requires a license. You must register both of your devices on the myZyXEL.com server first, then make sure the Device HA Pro license is available on both devices.
  • Page 740: Behavior Of The Device Ha Pro

    Behavior of the Device HA Pro The behavior of the Device HA Pro includes a heartbeat link to monitor the “activate” device’s interface status. If one of the monitored interfaces is dead or fails, the “passive” device’s status will become “activate”. (This means only 1 device’s status can be “activate”...
  • Page 741
  • Page 742: Suggestions

    The Main Function of the Device HA Pro Heartbeat Link The heartbeat port is a new physical port on the device. After you have enabled Device HA Pro, the devices will transmit multicast packets (UDP 694) to check each device’s status. When the passive device is working properly, the system LED light will be on.
  • Page 743: How Do I Configure Device Ha Pro In My Current Environment

    How do I Configure Device HA Pro in My Current Environment? License The Device HA Pro feature requires a license. Register both of your devices on myZyXEL.com and make sure the devices have the license after syncing with the myZyXEL.com server.
  • Page 744 Configurations on the Primary Device 1. Go to the Configuration > Device HA > Device HA Pro screen. 2. Enter the device’s license serial number from the myZyXEL.com server. 3. Enter the management IP address after enabling the Device HA Pro feature. 4.
  • Page 745 Go to the Configuration > Device HA > General screen. Select Enable Device HA and click Apply to enable Device HA Pro.
  • Page 746
  • Page 747 Configurations on the Secondary Device Go to the Configuration > Device HA > Device-HA Pro screen. Select Enable Configuration Provisioning from Active Device. Click Apply.
  • Page 748 Go to the Configuration > Device HA > General screen. Select Enable Device HA and click Apply. Before the Device HA Pro feature is enabled on the secondary device, a warning message will pop up for you to confirm. Click OK to enable it. Connecting the Device HA Pro Port The Device HA Pro port is a new physical port on the DUT.
  • Page 749: What Can Go Wrong

    What can go wrong? Why can’t I see the correct license status from the myZyXEL.com server? On the Device-HA Pro setting, there is a function “Serial number of the licensed device for license synchronization”. You should enter the S/N of the device that has the licenses.