ZyXEL Communications ZyWALL Troubleshooting Manual (VPN)
www.zyxel.com
ZyWALL (ZLD) VPN Troubleshooting
L2TP VPN will not connect
No traffic flow through L2TP VPN tunnel
Client-to-Site (RoadWarrior) VPN will not connect
No traffic flow through client-to-site IPSec VPN tunnel (RoadWarrior)
Site-to-Site VPN will not establish
No traffic flow through site-to-site IPSec VPN tunnel
SSL VPN connection will not establish
Connection issues with SSL VPN
L2TP VPN will not connect
Please verify your VPN rule setup against the example provided in the "ZyWALL_L2TP_VPN_Setup.pdf" walkthrough. If your setup matches the example, check the following:
• Is the ZyWALL behind a NAT (another router)? The L2TP function will not work if the ZyWALL is behind another router. This is a limitation of the device's L2TP capability: the ZyWALL needs direct communication with the public network (Internet).
• If the L2TP client is behind a router, make sure VPN pass-through is enabled on that router, or create port forwarding rules, so that it does not block the L2TP communication to the ZyWALL.
Summary of Contents for ZyXEL Communications ZyWALL

• Page 2: Does the client have any other VPN clients installed? Only one application can use the IKE/IPSec services at a time. If another VPN client such as the Cisco IPSec client, TheGreenBow or ShrewSoft is installed (and running) on the computer, close that application completely and restart the IKE/IPSec services so that the L2TP client can use them.
• Page 3: Scroll down the list to find the "IKE and AuthIP IPsec Keying Modules" and "IPsec Policy Agent" services and restart them.
  - Check your L2TP client's settings against our setup example(s) [link to Windows, macOS, iOS, etc., setup guides] ...
• Page 4: Type "firewall.cpl" and click OK or press Enter/Return. Select "Turn Windows Firewall on or off" on the left. Disable the firewall by selecting "Turn off Windows Firewall" and click OK to save the settings. Note: if you are using a third-party software firewall (Trend Micro, Norton, McAfee, etc.), open the software's control panel and disable its firewall feature. Treat this as a diagnostic step only: turn the firewall back on as soon as the test is done, and if it was the cause, add a rule that allows the VPN traffic instead of leaving it off.
• Page 5: Bypass your router (if possible) to make sure it is not blocking the attempt to establish the L2TP VPN.
  - Check the ZyWALL's IKE logs to make sure it is receiving a request to establish the VPN. By default the ZyWALL allows VPN traffic; if the IKE logs on the ZyWALL show no IKE connection attempts, try disabling the ZyWALL's Firewall/Policy...
• Page 6: Verify the firmware is up to date and contact tech support for further assistance. To check the current firmware version on the ZyWALL, go to Maintenance > File Manager > Firmware Package ...
• Page 7: ...IP scheme and the L2TP IP pool should be on different subnets; using the same IP scheme can cause routing issues.
  - Create a policy route on the ZyWALL specifying that any traffic destined for the L2TP IP pool takes its next hop on the L2TP VPN tunnel.
• Page 8: Configuration > Firewall OR Configuration > Security Policy > Policy Control.
  - Make sure the L2TP connection has a higher priority than any other route on your computer. On macOS, change the service order to give the VPN connection a higher priority than the Ethernet or Wi-Fi connections.
• Page 9: Verify that the device you are trying to reach across the VPN uses the ZyWALL as its default gateway. If the device points to a different default gateway, return traffic will not be sent back through the L2TP VPN tunnel.
• Page 10: ...ZyWALL, to make sure all necessary settings and rules have been created on the router.
  - If the ZyWALL is behind a NAT (another router), make sure the first NAT forwards the VPN ports to the ZyWALL: IKE UDP 500 and NAT-T UDP 4500 ...
• Page 11: Check the VPN settings on the ZyWALL and make sure they match the software client configuration.
  - Check the ZyWALL's IKE logs to make sure it is receiving a request to establish the VPN. By default the ZyWALL allows VPN traffic; if the IKE logs on the ZyWALL show no IKE connection attempts, try disabling the ZyWALL's Firewall/Policy...
• Page 12: If you have successfully established a VPN connection to the ZyWALL but cannot get traffic across, try the following:
  - Log in to the ZyWALL's WebGUI and disable "Use Policy Route to control dynamic IPSec rules" in the VPN menu. Configuration ...
• Page 13: (repeats the Windows Firewall steps from Page 4)
• Page 14: ...IPs will work. A workaround for this limitation of the IPSec standard is to use a WINS server.
  - Make sure there are no IP conflicts: if the ZyWALL network uses 192.168.1.0/24 and the remote user also uses the same IP scheme, traffic will not route through the VPN tunnel properly.
• Page 15: Verify that the device you are trying to reach uses the ZyWALL as its default gateway. If the device points to a different default gateway, return traffic will not be sent back through the VPN tunnel.
• Page 16: Reboot/restart the ZyWALL appliance to reload the VPN daemon.
  - Check the ZyWALL logs to verify that IKE connection attempts are being both sent and received. If the logs show only one-way IKE traffic (for example, sends with no corresponding receives), check the Internet connection to make sure traffic is not being blocked on the service provider's end.
• Page 17: ...ISP-provided or public (OpenDNS, Google DNS, etc.) DNS servers.
  - (repeats the firmware check from Page 6)
• Page 18: Tunnel established but can't get traffic across:
  - Make sure there are no IP conflicts between the two sites.
  - Disable the ZyWALL's firewall (as a diagnostic step; re-enable it once the cause is found). To disable the ZyWALL's firewall/policy control, go to Configuration > Firewall OR Configuration > Security Policy ...
• Page 19: macOS: open Terminal and type sudo lsof -i -n -P for a printout of the listening ports.
  - Manually create a route (Configuration > Routing) stipulating that traffic destined for the remote network takes its next hop on the appropriate VPN tunnel.
• Page 20: (repeats the firmware check from Page 6)
• Page 21: ...SSL VPN rule/policy. Administrative users are automatically redirected to the configuration GUI. To verify the user account type, log in to the ZyWALL's WebGUI and go to Configuration > Object > User/Group.
  - Make sure the network connection is not "Disabled" on Windows.
• Page 22: (repeats the firmware check from Page 6)
• Page 23: ...VPN tunnel has a higher priority/metric than the regular route.
  - Disable the ZyWALL's firewall if you are having problems getting traffic through the tunnel. To disable the ZyWALL's firewall/policy control, go to Configuration ...
• Page 24: (repeats the Windows Firewall steps from Page 4)
• Page 25: Verify that the workstation is listening for the traffic you are using to access it remotely. Windows: open Command Prompt or PowerShell and type netstat -an for a list of listening ports. macOS: open Terminal and type sudo lsof -i -n -P for a printout of the listening ports.
• Page 26: (repeats the firmware check from Page 6)
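Pages 5, 11 and 16 all come down to one question: does the ZyWALL's IKE log show attempts arriving, leaving, or both? The following Python script, added here as an example (it is not ZyXEL's code and the lines are not real appliance output), tallies IKE Send/Recv lines per peer address from an exported log and maps each peer to the branch of the guide that applies. The log layout it parses (date, time, "IKE", "Send:" or "Recv:" followed by bracketed payloads and "to"/"from" a peer address) and the sample lines are constructed assumptions; point LINE_RE at the real export format before use.

```python
"""Tally IKE Send/Recv lines per peer from an exported firewall log.

Added example for this troubleshooting guide; not ZyXEL code. The log line
layout below is an ASSUMPTION, not the real ZyWALL export format.
"""
import re
from collections import defaultdict

# Constructed sample lines (not captured from a real appliance).
SAMPLE_LOG = """\
2024-03-01 10:00:01 IKE Recv:[SA][VID][VID] from 203.0.113.10
2024-03-01 10:00:01 IKE Send:[SA][VID] to 203.0.113.10
2024-03-01 10:00:02 IKE Recv:[KE][NONCE] from 203.0.113.10
2024-03-01 10:00:02 IKE Send:[KE][NONCE] to 203.0.113.10
2024-03-01 10:00:03 IKE Phase 1 IKE SA process done
2024-03-01 10:05:00 IKE Send:[SA][VID] to 198.51.100.7
2024-03-01 10:05:10 IKE Send:[SA][VID] to 198.51.100.7
2024-03-01 10:05:20 IKE Send:[SA][VID] to 198.51.100.7
2024-03-01 10:05:30 IKE ISAKMP SA negotiation timeout
2024-03-01 10:07:00 IKE Recv:[SA][VID] from 192.0.2.44
"""

# Assumed layout: "<date> <time> IKE <Send|Recv>:[payload]... <to|from> <peer IPv4>".
LINE_RE = re.compile(
    r"\bIKE\s+(?P<dir>Send|Recv):(?:\[[^\]]*\])+\s+(?:to|from)\s+"
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})"
)


def tally(log_text):
    """Count IKE packets sent to and received from each peer address."""
    counts = defaultdict(lambda: {"sent": 0, "received": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # state/timeout lines carry no direction; ignore them
        key = "sent" if m.group("dir") == "Send" else "received"
        counts[m.group("peer")][key] += 1
    return dict(counts)


def verdict(sent, received):
    """Map a peer's Send/Recv counts to the branch of the guide that applies."""
    if sent and received:
        return "two-way"       # IKE reaches both ends: compare proposals, PSK, IDs
    if sent:
        return "send-only"     # nothing comes back: upstream block, NAT, or peer down
    if received:
        return "receive-only"  # peer reaches us but we never answer: local VPN rule/policy
    return "none"


def analyze(log_text):
    """Per-peer counts plus verdict, keyed by peer address."""
    return {
        peer: {**c, "verdict": verdict(c["sent"], c["received"])}
        for peer, c in tally(log_text).items()
    }


def attempt_seen(log_text, peer):
    """True if any IKE packet to or from `peer` appears in the log.

    False is the 'no IKE connection attempts' case: the request never
    reached the ZyWALL, so look at the client side and any NAT in front.
    """
    return peer in tally(log_text)


if __name__ == "__main__":
    for peer, info in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{peer:16} sent={info['sent']:2} recv={info['received']:2}  {info['verdict']}")
```

Run it against a log exported from the ZyWALL while the client retries. A "send-only" peer is the Page 16 case (check the upstream connection and any NAT forwarding UDP 500/4500); a peer that is absent from the output is the Page 5/11 case where the request never arrived.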

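Pages 7, 14 and 18 all warn that the ZyWALL LAN, the remote LAN (or a road-warrior's local network) and the L2TP address pool must not share an IP scheme. The following Python check is an added example rather than anything from the manual: it flags every overlapping pair in an address plan before the tunnel is built. The two plans are constructed; substitute the CIDRs from your own deployment.

```python
"""Flag overlapping subnets in a VPN address plan.

Added example for this guide, not ZyXEL code. The address plans below are
constructed; substitute the CIDRs from your own deployment.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed: the conflict the guide describes (same scheme at both ends,
# and a pool carved out of the LAN).
PLAN_BAD = {
    "zywall_lan": "192.168.1.0/24",
    "remote_lan": "192.168.1.0/24",
    "l2tp_pool": "192.168.1.200/29",
}

# Constructed: three disjoint ranges, which is what the guide asks for.
PLAN_OK = {
    "zywall_lan": "192.168.1.0/24",
    "remote_lan": "10.10.20.0/24",
    "l2tp_pool": "172.16.100.0/24",
}


def find_overlaps(plan):
    """Return every pair of labels whose networks overlap, sorted.

    An empty list means return traffic has an unambiguous route; any pair
    listed means hosts will answer on the local segment instead of via the
    tunnel, which is the 'established but no traffic' symptom.
    """
    nets = {label: ip_network(cidr, strict=False) for label, cidr in plan.items()}
    return sorted(
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def plan_is_clean(plan):
    """True when no two ranges in the plan overlap."""
    return not find_overlaps(plan)


if __name__ == "__main__":
    for name, plan in (("PLAN_BAD", PLAN_BAD), ("PLAN_OK", PLAN_OK)):
        clashes = find_overlaps(plan)
        print(f"{name}: {'clean' if not clashes else clashes}")
```

The check is pairwise, so it also catches a pool that merely sits inside one LAN (the Page 7 case) and not only two identical site subnets (the Page 14/18 case).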