ZyXEL Communications ISG50-ISDN User Manual page 770

Chapter 61 Troubleshooting
• The ISG50's local and peer ID type and content must match the remote IPSec router's peer and
local ID type and content, respectively.
• The ISG50 and remote IPSec router must use the same active protocol.
• The ISG50 and remote IPSec router must use the same encapsulation.
• The ISG50 and remote IPSec router must use the same SPI.
• If the sites are/were previously connected using a leased line or ISDN router, physically
disconnect these devices from the network before testing your new VPN connection. The old
route may have been learnt by RIP and would take priority over the new VPN connection.
• To test whether or not a tunnel is working, ping from a computer at one site to a computer at the
other.
Before doing so, ensure that both computers have Internet access (via the IPSec routers).
• It is also helpful to have a way to look at the packets that are being sent and received by the
ISG50 and remote IPSec router (for example, by using a packet sniffer).
Check the configuration for the following ISG50 features.
• The ISG50 does not put IPSec SAs in the routing table. You must create a policy route for each
VPN tunnel. See
• Make sure the To-ISG50 firewall rules allow IPSec VPN traffic to the ISG50. IKE uses UDP port
500, AH uses IP protocol 51, and ESP uses IP protocol 50.
• The ISG50 supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make
sure the To-ISG50 firewall rules allow UDP port 4500 too.
• Make sure regular firewall rules allow traffic between the VPN tunnel and the rest of the network.
Regular firewall rules check packets the ISG50 sends before the ISG50 encrypts them and check
packets the ISG50 receives after the ISG50 decrypts them. This depends on the zone to which
you assign the VPN tunnel and the zone from which and to which traffic may be routed.
• If you set up a VPN tunnel across the Internet, make sure your ISP supports AH or ESP
(whichever you are using).
• If you have the ISG50 and remote IPSec router use certificates to authenticate each other, You
must set up the certificates for the ISG50 and remote IPSec router first and make sure they trust
each other's certificates. If the ISG50's certificate is self-signed, import it into the remote IPsec
router. If it is signed by a CA, make sure the remote IPsec router trusts that CA. The ISG50 uses
one of its Trusted Certificates to authenticate the remote IPSec router's certificate. The trusted
certificate can be the remote IPSec router's self-signed certificate or that of a trusted CA that
signed the remote IPSec router's certificate.
• Multiple SAs connecting through a secure gateway must have the same negotiation mode.
The VPN connection is up but VPN traffic cannot be transmitted through the VPN tunnel.
If you have the Configuration > VPN > IPSec VPN > VPN Connection screen's Use Policy
Route to control dynamic IPSec rules option enabled, check the routing policies to see if they
are sending traffic elsewhere instead of through the VPN tunnels.
I changed the LAN IP address and can no longer access the Internet.
770
Chapter 14 on page 289.
ISG50 User's Guide