What Can Go Wrong; How to Configure Site-to-site IPSec VPN Where the Peer has a Dynamic IP Address - ZyXEL Communications ZyWALL 110 Handbook

ZyWALL/USG series security firewalls

4.1.4 What Can Go Wrong?

1. If you see the [info] or [error] log message shown below, check the ZyWALL/USG Phase 1 Settings. The ZyWALL/USG at both the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
Figure 235 MONITOR > Log
2. If the log shows that the Phase 1 IKE SA process is done but you still get the [info] log message shown below, check the ZyWALL/USG Phase 2 Settings. The ZyWALL/USG at both the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA.
Figure 236 MONITOR > Log
3. Make sure the security policies of the ZyWALL/USG at both the HQ and Branch sites allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
4. NAT traversal is enabled by default on the ZyWALL/USG. Make sure the remote IPSec device also has NAT traversal enabled.
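The four checks above can be run as a comparison of both sites' settings before the tunnel is brought up. The following Python is an added example, not part of the handbook or ZyXEL software; the dictionary field names and sample settings are constructed for illustration and are not ZyWALL configuration syntax. It reports mismatched Phase 1 and Phase 2 fields without echoing the pre-shared key.

```python
PHASE1 = ("pre_shared_key", "encryption", "authentication", "dh_group", "id_type")
PHASE2 = ("protocol", "encapsulation", "encryption", "authentication", "pfs")
SECRET = {"pre_shared_key"}  # never echo these values into a report
# Traffic the security policy must allow, as (IP protocol, UDP port or None)
NEEDED = {"IKE": ("udp", 500), "AH": (51, None), "ESP": (50, None)}

def diff_phase(hq, branch, phase, fields):
    """Return one finding per field that differs between the two sites."""
    out = []
    for f in fields:
        a, b = hq[phase].get(f), branch[phase].get(f)
        if a != b:
            shown = "(values differ, redacted)" if f in SECRET else f"HQ={a} Branch={b}"
            out.append(f"{phase}.{f}: {shown}")
    return out

def policy_gaps(name, site):
    """Return the required traffic types that the site's policy does not allow."""
    allowed = {tuple(rule) for rule in site["policy_allow"]}
    # IKE is always needed; AH or ESP only when Phase 2 selects it
    wanted = ["IKE", site["phase2"]["protocol"]]
    return [f"{name}: policy blocks {t}" for t in wanted if NEEDED[t] not in allowed]

def check_tunnel(hq, branch):
    """Run checks 1 to 4 in order and return a list of findings (empty if clean)."""
    findings = diff_phase(hq, branch, "phase1", PHASE1)
    findings += diff_phase(hq, branch, "phase2", PHASE2)
    findings += policy_gaps("HQ", hq) + policy_gaps("Branch", branch)
    for name, site in (("HQ", hq), ("Branch", branch)):
        if not site["nat_traversal"]:
            findings.append(f"{name}: NAT traversal disabled")
    return findings

# Constructed sample settings (hypothetical values, not taken from the handbook)
HQ = {
    "phase1": {"pre_shared_key": "example-psk-A", "encryption": "AES256",
               "authentication": "SHA256", "dh_group": "DH14", "id_type": "IPv4"},
    "phase2": {"protocol": "ESP", "encapsulation": "Tunnel", "encryption": "AES256",
               "authentication": "SHA256", "pfs": "none"},
    "policy_allow": [("udp", 500), (50, None)],
    "nat_traversal": True,
}
BRANCH = {"phase1": dict(HQ["phase1"], dh_group="DH5"),
          "phase2": dict(HQ["phase2"], pfs="DH14"),
          "policy_allow": [("udp", 500)], "nat_traversal": False}

if __name__ == "__main__":
    print("\n".join(check_tunnel(HQ, BRANCH)))
```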
4.2 How to Configure Site-to-site IPSec VPN Where the Peer has a Dynamic IP Address
This example shows how to use the VPN Setup Wizard to create a site-to-site VPN where the peer has
a dynamic IP address. The example shows how to configure the VPN tunnel between each site.
When the VPN tunnel is configured, each site can be accessed securely.
Figure 237 ZyWALL Site-to-site IPSec VPN with a Dynamic IP Address Peer
Chapter 4 Create Site-to-Site VPN Tunnels
ZyWALL/USG Series User's Guide