www.zyxel.com

Table of Contents

How to Configure Site-to-site IPSec VPN with Amazon VPC .... 8
    Set Up the IPSec VPN Tunnel on the Amazon VPC .... 9
    Set Up the IPSec VPN Tunnel on the ZyWALL/USG .... 13
    Test the IPSec VPN Tunnel .... 17
    What Could Go Wrong? ....
Test the SSL VPN .... 60
How to Configure an SSL VPN Tunnel (with SecuExtender version 4.0.0.1) on the Windows 10 Operating System .... 64
    Set up the SSL VPN Tunnel with Windows 10 .... 64
    What Can Go Wrong? .... 68
How to redirect multiple LAN interface traffic to the VPN tunnel ....
Mobile Phone .... 120
    Set Up the L2TP VPN Tunnel on the Android Mobile Device .... 121
    Test the L2TP over IPSec VPN Tunnel .... 124
    What Could Go Wrong? .... 126
How to Import ZyWALL/USG Certificate for L2TP over IPsec in iOS mobile phone ....
How to set up Link Aggregation Group (LAG) .... 160
    Set up the Active-backup, 802.3ad, Balance-alb .... 160
    Set up the active-backup mode .... 164
    Test the Result .... 166
    What can go wrong .... 166
How to Restrict Web Portal access from the Internet .... 167
    Set Up the ZyWALL/USG System Setting ....
Set up Wi-Fi VLAN interfaces .... 195
    Test result .... 202
    What could go wrong .... 203
How to Activate a Free Access Hotspot .... 205
    Set up the Free Access Hotspot .... 206
    Test the User Agreement and Advertisement Webpage .... 208
    What could Go Wrong? ....
Set Up the Schedule Run .... 253
Check the Result .... 254
How to Configure Site-to-site IPSec VPN with Amazon VPC

This example shows how to use the VPN Setup Wizard to create a site-to-site VPN between a ZyWALL/USG and an Amazon VPC. It walks through the configuration of the VPN tunnel at each site. Once the tunnel is up, each site can reach the other securely.

Set Up the IPSec VPN Tunnel on the Amazon VPC

Sign in to the AWS Management Console and go to Networking > VPC.

Figure 2 Amazon AWS Management Console > Networking > VPC

In the upper left of the screen, click Start VPC Wizard.

Figure 3 Amazon VPC Management Console >...

Figure 4 Select a VPC Configuration > VPC with a Private Subnet Only and Hardware VPN Access

Select VPC with a Private Subnet Only and Hardware VPN Access, enter your IP CIDR block and private subnet, and click Next.

Figure 5 VPC with a Private Subnet Only and Hardware VPN

Configure your VPN: enter the ZyWALL/USG's public IP address as the Customer Gateway IP, then name the Customer Gateway and the VPN Connection. Click Create VPC at the bottom of the page.

Figure 6 Configure your VPN

In the VPC Dashboard, go to VPN Connections and select Download Configuration from the upper bar.
Figure 7 VPC Dashboard > VPN Connections

Open the downloaded .txt configuration file. It lists the IKE SA (Phase 1) and IPSec SA (Phase 2) parameters, the pre-shared key that AWS generated for the connection, and the Virtual Private Gateway IP address. AWS describes two tunnel endpoints in this file; the wizard on the ZyWALL/USG sets up one of them, so take all values from the same tunnel. Make sure every value you enter on the ZyWALL/USG matches what the file lists.

Figure 8 Configuration .txt file
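Checking the downloaded file by eye is where most AWS-to-ZyWALL mismatches slip through. The following Python script is an added example, not code from the Zyxel note or from AWS: it parses the "- Key : Value" sections of the generic download, maps the AWS spellings (aes-128-cbc, hmac-sha1-96, "Group 2") onto the names the ZyWALL/USG GUI uses, and reports every Phase 1 or Phase 2 value that disagrees with what was entered in the wizard. The sample file text is constructed in the layout of the AWS generic vendor file; its Customer Gateway address (203.0.113.10), the pre-shared key and the ZYWALL_SETTINGS values are assumptions, while 52.39.135.203 is the gateway address used in this note.

```python
"""Added example (not from the Zyxel note or from AWS): parse the generic
configuration file offered by VPN Connections > Download Configuration and
compare the IKE (Phase 1) and IPSec (Phase 2) values it lists with the values
entered in the ZyWALL/USG VPN Setup Wizard."""
import re

# Constructed sample in the layout of the AWS generic download (one tunnel shown).
SAMPLE_AWS_CONFIG = """\
IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration

  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : examplepresharedkey123
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Diffie-Hellman           : Group 2

#2: IPSec Configuration

  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#3: Tunnel Interface Configuration

Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 52.39.135.203
"""

# What the wizard was given on the ZyWALL/USG, in the GUI's own naming (assumed
# values). The Phase 2 lifetime is deliberately left at 86400 to show how a
# mismatch is reported: AWS expects 3600 seconds.
ZYWALL_SETTINGS = {
    "Internet Key Exchange Configuration": {
        "Encryption Algorithm": "AES128",
        "Authentication Algorithm": "SHA1",
        "Diffie-Hellman": "DH2",
        "Lifetime": 28800,
        "Phase 1 Negotiation Mode": "MAIN",
    },
    "IPSec Configuration": {
        "Protocol": "ESP",
        "Mode": "TUNNEL",
        "Encryption Algorithm": "AES128",
        "Authentication Algorithm": "SHA1",
        "Perfect Forward Secrecy": "DH2",
        "Lifetime": 86400,
    },
}

SECTION_RE = re.compile(r"^#\d+:\s*(.+?)\s*$")
FIELD_RE = re.compile(r"^\s*-\s*(.+?)\s*:\s*(.+?)\s*$")


def parse_aws_generic(text):
    """Return {section title: {field: raw value}} for every '#N: ...' section."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def normalize(field, value):
    """Map an AWS value onto the spelling the ZyWALL/USG GUI uses."""
    v = value.strip().lower()
    if field == "Encryption Algorithm":
        m = re.search(r"aes-?(\d+)", v)
        return f"AES{m.group(1)}" if m else v.upper()
    if field == "Authentication Algorithm":
        for name in ("sha256", "sha1", "md5"):
            if name in v:
                return name.upper()
        return v.upper()
    if field in ("Diffie-Hellman", "Perfect Forward Secrecy"):
        m = re.search(r"group\s*(\d+)", v)
        return f"DH{m.group(1)}" if m else "NONE"
    if field == "Lifetime":
        m = re.search(r"(\d+)\s*seconds", v)
        return int(m.group(1)) if m else v
    return v.upper()  # Protocol, Mode, Phase 1 Negotiation Mode


def find_mismatches(aws_sections, zywall=ZYWALL_SETTINGS):
    """List (section, field, ZyWALL value, AWS value) for every disagreement."""
    mismatches = []
    for section, expected in zywall.items():
        aws_fields = aws_sections.get(section, {})
        for field, zy_value in expected.items():
            if field not in aws_fields:
                mismatches.append((section, field, zy_value, None))
            elif normalize(field, aws_fields[field]) != zy_value:
                mismatches.append((section, field, zy_value, normalize(field, aws_fields[field])))
    return mismatches


def peer_gateway_ip(aws_sections):
    """The address to enter as Secure Gateway IP in the wizard."""
    return aws_sections["Tunnel Interface Configuration"]["Virtual Private Gateway"]


if __name__ == "__main__":
    aws = parse_aws_generic(SAMPLE_AWS_CONFIG)
    print("Secure Gateway IP:", peer_gateway_ip(aws))
    for section, field, zy, aws_value in find_mismatches(aws):
        print(f"MISMATCH [{section}] {field}: ZyWALL={zy} AWS={aws_value}")
```

Run against the real download by replacing SAMPLE_AWS_CONFIG with the file contents; the only output should be the Secure Gateway IP, and every MISMATCH line names a wizard field to correct before clicking Connect.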
Set Up the IPSec VPN Tunnel on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the Amazon VPC. Click Next.

Figure 9 Quick Setup >...

Figure 11 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

Then configure the Secure Gateway IP as the Amazon VPC's Virtual Private Gateway IP address (52.39.135.203 in the example) and set My Address to the interface connected to the Internet.

Continue to Phase 2 Settings and select the Encapsulation, Encryption, Authentication and SA Life Time values that the Amazon VPC supports (the downloaded configuration file lists them). Set Local Policy to the IP address range of the network behind the ZyWALL/USG and Remote Policy to the IP address range of the Amazon VPC private subnet.

The rule is now configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.

Test the IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the tunnel is up.

Figure 16 CONFIGURATION > VPN > IPSec VPN > VPN Connection

Go to ZyWALL/USG MONITOR >...

Figure 17 MONITOR > VPN Monitor > IPSec

To test whether the tunnel is working, ping a host in the AWS VPC private subnet from a host on the local LAN. Make sure the local host reaches the Internet through the ZyWALL/USG and that the AWS instance's security group allows ICMP from the local LAN range; otherwise the ping fails even though the tunnel is up.

Figure 18 Ping from Local LAN to AWS VPC private Subnet for verification

What Could Go Wrong?

If you see an [info] or [error] log message like the one below, check the ZyWALL/USG Phase 1 Settings.

If the Phase 1 IKE SA completes but you still get the [info] log message below, check the ZyWALL/USG Phase 2 Settings. Make sure the ZyWALL/USG Phase 2 settings are among those the Amazon VPC supports for IKE Phase 2.

Figure 20 MONITOR >...
How to Configure GRE over IPSec VPN Tunnel

This example shows how to use the VPN Setup Wizard to create a GRE over IPSec VPN tunnel between two ZyWALL/USG devices. It walks through the configuration of the VPN tunnel at each site. Once the GRE over IPSec tunnel is up, each site can reach the other securely.

Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (HQ)

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the remote ZyWALL/USG (Branch).

Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; the value is case-sensitive. Select Site-to-site as the scenario and click Next.

Figure 24 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

Configure Secure Gateway IP as the Branch's WAN IP address (111.250.184.80 in the example).

This screen provides a read-only summary of the VPN tunnel. Click Save.

Figure 26 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)

The rule is now configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...

Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity (ID payload) of the remote IPSec router. With Any, the pre-shared key is the only thing that authenticates the peer; if the remote ID is fixed, prefer setting Peer ID Type to that IP address or name so that a different host that has obtained the key is still rejected.

Figure 28 CONFIGURATION >...

Figure 30 CONFIGURATION > Network > Interface > Tunnel > Add

Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate Network (Branch)

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the remote ZyWALL/USG (HQ).

Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next.

Figure 32 Quick Setup > VPN Setup Wizard > Wizard Type

Type the Rule Name used to identify this VPN connection (and VPN gateway).

Set Local Policy to the IP address range of the network connected to the ZyWALL/USG (Branch) and Remote Policy to the IP address range of the network connected to the ZyWALL/USG (HQ).

Figure 34 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)

This screen provides a read-only summary of the VPN tunnel.

The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.

Figure 36 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed

Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings.

Figure 38 CONFIGURATION > VPN > IPSec VPN > VPN Connection > Show Advanced Settings > Policy

The GRE tunnel runs between the IPSec public interfaces of the Branch unit and the HQ unit. Go to CONFIGURATION > Network > Interface > Tunnel > Add and enter the Interface Name (the format is tunnelx, where x is 0-3).

Test the GRE over IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the tunnel is up.

Figure 40 CONFIGURATION > VPN > IPSec VPN > VPN Connection

Go to ZyWALL/USG MONITOR >...

If the Phase 1 IKE SA completes but you still get the [info] log message below, check the ZyWALL/USG Phase 2 Settings. Both ZyWALL/USG devices at the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IPSec SA.

Figure 43 MONITOR >...
How to Configure IPSec Site to Site VPN while one Site is behind a NAT router

This example shows how to use the VPN Setup Wizard to create an IPSec site-to-site VPN tunnel between two ZyWALL/USG devices when one site sits behind a NAT router. It walks through the configuration of the VPN tunnel at each site.

Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the remote ZyWALL/USG.

Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; the value is case-sensitive. Select Site-to-site as the scenario and click Next.

Figure 47 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

Configure Secure Gateway IP as the Branch's WAN IP address (172.100.30.40 in the example).

This screen provides a read-only summary of the VPN tunnel. Click Save.

Figure 49 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)

The rule is now configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...

Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity of the remote IPSec router. This matters here because a peer behind NAT usually presents its private address as its ID, which would never match the public source address the packets arrive from.

Figure 51 CONFIGURATION >...

Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key as the authentication method. Click Next.

Figure 53 Quick Setup > VPN Setup Wizard > Wizard Type

Type the Rule Name used to identify this VPN connection (and VPN gateway).

Configure Secure Gateway IP as the peer site's public IP address (172.100.20.30 in the example); when the peer ZyWALL/USG is the one behind the NAT router, this is the NAT router's WAN address. Then type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to this ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.

Figure 56 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)

The rule is now configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN >...

Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity of the remote IPSec router.

Figure 58 CONFIGURATION >...

Go to CONFIGURATION > Security Policy > Policy Control. The firewall must forward the following IP protocols and UDP ports:

IP protocol = 50 → Used by data path (ESP)
IP protocol = 51 → Used by data path (AH)
UDP Port Number = 500 →...

Test the IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the tunnel is up.

Figure 61 CONFIGURATION > VPN > IPSec VPN > VPN Connection

Go to ZyWALL/USG MONITOR >...

To test whether the tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices).

Figure 63 PC behind ZyWALL/USG (HQ) > Windows 7 > cmd > ping 192.168.20.33
Figure 64 PC behind ZyWALL/USG (Branch) >...

Figure 65 MONITOR > Log

If the Phase 1 IKE SA completes but you still get the [info] log message below, check the ZyWALL/USG Phase 2 Settings. Both ZyWALL/USG devices at the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IPSec SA.
How to Configure L2TP over IPSec VPN while the ZyWALL/USG is behind a NAT router

This example shows how to use the VPN Setup Wizard to create an L2TP over IPSec VPN between remote clients and a ZyWALL/USG that sits behind a NAT router. It walks through the configuration of the ZyWALL/USG, the NAT router and the client.

Set Up the L2TP VPN Tunnel on the ZyWALL/USG_HQ

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule for the remote Android mobile devices. Click Next.

Figure 68 Quick Setup >...

Assign the remote users an IP address range of 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN to let traffic from L2TP clients reach the Internet. Click Next.

Figure 70 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings)

This screen provides a read-only summary of the VPN tunnel.

Figure 72 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed

Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Create new Object > Create Address and create an address object for the NAT router's WAN IP address (172.100.20.30 in the example). This is the address the clients connect to, so it is used as the Local Policy of the L2TP VPN connection.

Figure 74 CONFIGURATION > VPN Connection > Policy > Local Policy

Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add a User Name and Password (4-24 characters). Then set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example).

Set Up the NAT Router (a ZyWALL/USG is used as the NAT router in this example)

Go to CONFIGURATION > Network > NAT > Add. Select the Incoming Interface on which packets for the NAT rule arrive. Set Original IP to User Defined and type the NAT router's public address; then type the ZyWALL/USG_HQ's address as the translated destination IP address.

Figure 77 CONFIGURATION > Object > Address

Go to CONFIGURATION > Object > Service > Service Group and create a service group for the following UDP ports:

UDP Port Number = 1701 → Used by L2TP
UDP Port Number = 500 → Used by IKE
UDP Port Number = 4500 →...

Figure 79 CONFIGURATION > Security Policy > Policy Control

Test the L2TP over IPSec VPN Tunnel

Use a smartphone or a PC to establish an L2TP VPN connection to the ZyWALL/USG. Configure the NAT router's public IP address as the L2TP server address on the client.

Set Secret to the Pre-Shared Key of the IPSec VPN gateway that the ZyWALL/USG uses for L2TP over IPSec (xyz12345 in this example). Treat the example key as a placeholder: the field accepts up to 32 characters, and this one key is all that authenticates the IKE exchange for every L2TP client, so use a long random value.

Figure 80

After you create a VPN configuration, slide the button right to the on position to initiate the L2TP VPN session.

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the tunnel is up.

Figure 82 CONFIGURATION > VPN > IPSec VPN > VPN Connection

Go to ZyWALL/USG MONITOR >...

Figure 83 Menu > Settings > VPN > ZyXEL_L2TP

What Could Go Wrong?

If you see an [alert] log message such as the one below, check the ZyWALL/USG L2TP Allowed User or User/Group settings. iOS mobile users must use the same Username and Password as configured in the ZyWALL/USG to establish the L2TP VPN.

Figure 84

If you see an [info] or [error] log message such as the one below, check the ZyWALL/USG Phase 1 Settings. iOS mobile users must use the same Secret as configured in the ZyWALL/USG to establish the IKE SA.

Figure 85

If the Phase 1 IKE SA completes but you still get an [info] log message as below, check the ZyWALL/USG Phase 2 Settings.
How to configure if I want user can only see SSL VPN Login button in web portal login page

This example shows how to restrict portal access for SSL VPN clients: end users see only the SSL VPN Login button on the web portal login screen, and the administrator can manage the device only from the LAN.

Set Up the DNS Service

In this scenario you need a DNS host name. In this example, go to https://www.noip.com/ to register an account and create a DNS host. Map the host name to the public IP address of the ZyWALL/USG's WAN interface.

Figure 90 CONFIGURATION > Security Policy > Policy Control

Set Up the ZyWALL/USG System Setting

Go to CONFIGURATION > System > WWW > Admin Service Control > Add Admin ACL Rule 1. Set the access action to Deny for ALL addresses in the WAN zone. Admin ACL rules are evaluated in order, so this deny rule must sit above any rule that allows administrative access from the WAN.

Figure 91 CONFIGURATION >...

Test the SSL VPN

Type in the URL (https://sslvpnzyxeltest.ddns.net) and you will see only the SSL VPN Login button in the web portal screen.

Figure 92 Type in the URL (https://sslvpnzyxeltest.ddns.net)

Log in to the device via the WAN interface with the administrator's user name and password. The screen shows Login denied.

Figure 93 Login to the device via the WAN interface

Log in to the device via the LAN interface with the administrator's user name and password.

Figure 94 Login to the device via the LAN interface

Go to MONITOR > Log. You can see that the admin login was denied from the WAN interface but allowed from the LAN interface.

Figure 95 MONITOR >...

How to Configure an SSL VPN Tunnel (with SecuExtender version 4.0.0.1) on the Windows 10 Operating System

Set up the SSL VPN Tunnel with Windows 10

Download SecuExtender version 4.0.0.1 from the download library of ZyXEL's official website.

Figure 96

Before you install SecuExtender, you must install the "Visual C++ 2015 Redistributable"...

Double-click the shortcut icon on your desktop. The client works the same way as the SSL VPN standalone software on Mac OS X. Enter the server's IP address or domain name, user name and password to connect to the server. The example below shows that the client IP is 7.7.7.1; you can also check the traffic statistics in the Status screen.

... must use the same Username and Password as configured in the ZyWALL/USG to establish the SSL VPN tunnel.

Figure 108

If you have uploaded a logo to show on the SSL VPN user screens but it does not display properly, check that the logo is in GIF, JPG or PNG format. The graphic should be 103 x 29 pixels to avoid distortion when displayed.
How to redirect multiple LAN interface traffic to the VPN tunnel

This example shows how to use the VPN Setup Wizard to create a site-to-site VPN in which more than one LAN interface uses the VPN tunnel. It walks through the configuration of the VPN tunnel at each site and of the policy routes that send the additional LAN traffic into the tunnel.

Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the remote ZyWALL/USG.

Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; the value is case-sensitive. Select Site-to-site as the scenario and click Next.

Figure 112 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

Configure Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (172.100.30.54 in the example).

This screen provides a read-only summary of the VPN tunnel. Click Save.

Figure 114 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)

The rule is now configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN >...

Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity of the remote IPSec router.

Choose Express to create a VPN rule with the default Phase 1 and Phase 2 settings and a pre-shared key. Click Next.

Figure 118 Quick Setup > VPN Setup Wizard > Wizard Type

Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters.

Configure Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (172.101.30.68 in the example). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.

The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the wizard.

Figure 122 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed

Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings.

Set up the Policy Route (ZyWALL/USG_HQ)

Go to ZyWALL/USG_HQ CONFIGURATION > Network > Routing > Add. Set Source Address to the additional LAN subnet that is allowed to use the VPN tunnel (192.168.2.0/24 in this example). Set Destination Address to the remote LAN subnet (192.168.10.0/24 in this example).

Figure 124 CONFIGURATION >...

Set up the Policy Route (ZyWALL/USG_Branch)

Go to ZyWALL/USG_Branch CONFIGURATION > Object > Address > Add and create an address object for the remote LAN subnet that is allowed to use the VPN tunnel (192.168.2.0/24 in this example).

Figure 125 CONFIGURATION > Object > Address > Add

Go to ZyWALL/USG_Branch CONFIGURATION > Network > Routing > Add. Set Source Address to the local subnet (192.168.10.0/24 in this example) and Destination Address to the remote LAN subnet that is allowed to use the VPN tunnel (192.168.2.0/24 in this example).

Figure 126 CONFIGURATION >...

Figure 128 MONITOR > VPN Monitor > IPSec

To test whether the tunnel is working, ping from a computer at one site to a computer at the other. Ensure that both computers have Internet access (via the IPSec devices).

Figure 131 PC at Branch Office > Windows 7 > cmd > ping 192.168.2.33

What Could Go Wrong?

If you see an [info] or [error] log message like the one below, check the ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG devices at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.

Figure 133 MONITOR > Log

Make sure the security policies on both the HQ and Branch ZyWALL/USG allow IPSec VPN traffic: IKE uses UDP port 500, AH uses IP protocol 51 and ESP uses IP protocol 50; once NAT traversal detects a NAT on the path, IKE and the UDP-encapsulated ESP move to UDP port 4500, which must be allowed as well. NAT traversal is enabled by default on the ZyWALL/USG; make sure the remote IPSec device also has NAT traversal enabled.
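The NAT traversal note above, and the protocol/port lists in the site-behind-NAT and L2TP sections, come down to one mechanism: each IKE peer hashes the address and port it thinks it is sending from, and the other side rehashes what actually arrived. The Python script below is an added example, not code from the Zyxel note or from any ZyWALL firmware, showing that exchange with both sides' computations. It uses the IKEv2 construction from RFC 7296 section 2.23, SHA-1(SPIi | SPIr | IP | port) in the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifications; IKEv1 NAT-D (RFC 3947) hashes the same fields. The public addresses 172.100.20.30 and 172.100.30.40 are the ones used in this note; the private WAN address 192.168.50.2 of a ZyWALL/USG behind the NAT router and the SPI value are constructed.

```python
"""Added example (not from the Zyxel note or from any ZyWALL firmware): how
IKE peers discover a NAT on the path (RFC 7296 section 2.23; same hash fields
as IKEv1 NAT-D in RFC 3947) and what the firewall must pass as a result."""
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i, spi_r, ip, port):
    """Data of a NAT_DETECTION_*_IP notification: SHA-1(SPIi | SPIr | IP | port)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_ike_sa_init(spi_i, spi_r, src_ip, src_port, dst_ip, dst_port):
    """The initiator hashes the addresses it believes the packet carries."""
    return {
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "spi_i": spi_i, "spi_r": spi_r,
        "nat_detection_source_ip": nat_detection_hash(spi_i, spi_r, src_ip, src_port),
        "nat_detection_destination_ip": nat_detection_hash(spi_i, spi_r, dst_ip, dst_port),
    }


def nat_rewrite(packet, public_ip, public_port):
    """A NAT router rewrites the outer source address/port; the IKE payload is untouched."""
    return {**packet, "src_ip": public_ip, "src_port": public_port}


def receiver_detects_nat(packet):
    """The responder rehashes what it actually saw in the IP/UDP headers.
    Returns (NAT in front of the sender, NAT in front of the receiver)."""
    spi_i, spi_r = packet["spi_i"], packet["spi_r"]
    seen_src = nat_detection_hash(spi_i, spi_r, packet["src_ip"], packet["src_port"])
    seen_dst = nat_detection_hash(spi_i, spi_r, packet["dst_ip"], packet["dst_port"])
    return (seen_src != packet["nat_detection_source_ip"],
            seen_dst != packet["nat_detection_destination_ip"])


def passthrough_needed(nat_detected):
    """What the firewall / NAT router must pass once negotiation is done."""
    if nat_detected:
        # IKE floats to UDP 4500 and ESP is UDP-encapsulated on the same port.
        return {("udp", 500), ("udp", 4500)}
    return {("udp", 500), ("ip", 50)}  # ESP stays as IP protocol 50


SPI_I = bytes.fromhex("0123456789abcdef")  # constructed initiator SPI
SPI_R = bytes(8)                            # zero in the IKE_SA_INIT request


def simulate(sender_ip, sender_port=500, nat=None, hq_ip="172.100.30.40"):
    """Send IKE_SA_INIT from sender_ip to HQ, optionally through a NAT router
    given as (public_ip, public_port); return the responder's verdict."""
    req = build_ike_sa_init(SPI_I, SPI_R, sender_ip, sender_port, hq_ip, 500)
    if nat is not None:
        req = nat_rewrite(req, *nat)
    return receiver_detects_nat(req)


if __name__ == "__main__":
    cases = (
        ("Branch with public WAN address", simulate("172.100.20.30")),
        ("Branch behind NAT router", simulate("192.168.50.2", nat=("172.100.20.30", 500))),
    )
    for label, (sender_nat, _) in cases:
        print(f"{label}: NAT detected={sender_nat}, pass {sorted(passthrough_needed(sender_nat))}")
```

The responder can only reach a verdict if the initiator sent the notifications, and the initiator only learns about a NAT in front of the responder from the responder's reply, which is why NAT traversal has to be enabled on both devices. If either side leaves it off, no one floats to UDP 4500, ESP goes out as IP protocol 50, and a NAT router in the path has no port to map it back to the private ZyWALL/USG; that is the same reason the L2TP service group earlier in this note includes UDP 4500 next to 500 and 1701.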
How to Configure IPSec VPN Failover

This example shows how to use the VPN Setup Wizard to create a site-to-site VPN with failover when one site has multiple WAN interfaces. When multi-WAN VPN failover is configured, the IPSec VPN tunnel automatically fails over to a backup WAN interface if the primary WAN interface becomes unavailable.

Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (HQ)

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the remote ZyWALL/USG.

Figure 137 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

Configure Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (172.100.30.54 in the example). Type a secure Pre-Shared Key (8-32 characters). Set Local Policy to the IP address range of the network connected to the ZyWALL/USG and Remote Policy to the IP address range of the network connected to the peer ZyWALL/USG.

Figure 139 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)

The rule is now configured on the ZyWALL/USG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN >...

Figure 141 CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings > Authentication > Peer ID Type

Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network (Branch)

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule for the remote ZyWALL/USG.

Figure 143 Quick Setup > VPN Setup Wizard > Wizard Type

Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; the value is case-sensitive. Click Next.

Figure 144 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)

Configure Secure Gateway IP as the peer ZyWALL/USG's WAN IP address (172.101.30.68 in the example).

Figure 145 Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Configuration)

This screen provides a read-only summary of the VPN tunnel. Click Save.

Figure 146 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Summary)

The rule is now configured on the ZyWALL/USG.

Figure 147 Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings > Wizard Completed

Go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Show Advanced Settings. Set Authentication > Peer ID Type to Any so that the ZyWALL/USG does not check the identity of the remote IPSec router.

Figure 149 Configuration > VPN > IPSec VPN > VPN Gateway > Gateway Settings

Set up the WAN Trunk (ZyWALL/USG_HQ)

Go to CONFIGURATION > Interface > Trunk > User Configuration > Add. Add wan1 and wan2 as trunk Members and set the wan2 Mode to Passive.

Figure 150 CONFIGURATION >...

Go to CONFIGURATION > Interface > Trunk > Configuration. Select Disconnect Connection before Falling Back. Under Default WAN Trunk, select User Configured Trunk and choose the customized WAN trunk added in the previous step (Multi_WAN_Failover in this example).

Figure 151 CONFIGURATION >...

Figure 152 CONFIGURATION > Security Policy > Policy Control > Add corresponding

If the security policy is created but you still cannot reach the ZyWALL, go to CONFIGURATION > System > SSH and check that Enable is ticked under General Settings and that the Service Port is the one your terminal program uses.

Enter the command line in terminal mode (Tera Term is used in this example).

Figure 154 Tera Term command

Test the IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Connect on the upper bar. The Status connect icon is lit when the tunnel is up.

Figure 157 MONITOR > Log

What Could Go Wrong?

If you see an [info] or [error] log message like the one below, check the ZyWALL/USG Phase 1 Settings. Both ZyWALL/USG devices at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.

If the Phase 1 IKE SA completes but you still get the [info] log message below, check the ZyWALL/USG Phase 2 Settings. Both ZyWALL/USG devices at the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IPSec SA.
www.zyxel.com How to Create VTI and Configure VPN Failover with VTI This example illustrates how to create a VTI object and configure a policy route with the VTI. Furthermore, it applies the VTI to the WAN trunk to achieve VPN load balancing.
www.zyxel.com Set Up the ZyWALL/USG VTI of Corporate Network (HQ) In the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add to create the VPN gateway HQ1 with wan1. CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add In the same screen, create the VPN gateway HQ2 with wan2.
Page 100
www.zyxel.com Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add and configure a VPN tunnel for the VPN gateway HQ1. Select VPN Tunnel Interface as the application scenario. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add In the same screen, create a VPN tunnel for the VPN gateway HQ2.
Page 101
www.zyxel.com Go to CONFIGURATION > Network > Interface > VTI > Add to create a VTI for the VPN tunnel HQ1. Enable the connectivity check. Enter the IP address of vti1, which is configured on USG2. CONFIGURATION > Network > Interface > VTI > Add CONFIGURATION >...
Page 102
www.zyxel.com CONFIGURATION > Network > Interface > VTI > Add CONFIGURATION > Network > Interface > VTI > vti2 > Connectivity Check Go to CONFIGURATION > Network > Interface > Trunk > User Configuration > Add to create a new trunk. Add vti1 and vti2 to the new trunk. CONFIGURATION >...
Page 103
www.zyxel.com Go to CONFIGURATION > Network > Routing > Policy Route > Add to configure a policy route. Source Address: LAN1_SUBNET (192.168.1.0/24) Destination Address: BO_subnet (192.168.11.0/24) Next-Hop: HQ_vti_trunk SNAT: none CONFIGURATION > Network > Routing > Policy Route > Add Connect the VPN tunnels when the VTIs are ready.
www.zyxel.com 10 Go to CONFIGURATION > Network > Interface > VTI. You will see that the status of the VTI is up when the corresponding VPN tunnel is established. CONFIGURATION > Network > Interface > VTI Set Up the ZyWALL/USG VTI of Corporate Network (Branch) In the ZyWALL/USG, go to CONFIGURATION >...
Page 105
www.zyxel.com In the same screen, create the VPN gateway BO2 with wan2. CONFIGURATION > VPN > IPSec VPN > VPN Gateway > Add Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add and configure a VPN tunnel for the VPN gateway BO1. Select VPN Tunnel Interface as the application scenario.
Page 106
www.zyxel.com In the same screen, create a VPN tunnel for the VPN gateway BO2. Select VPN tunnel Interface as the application scenario. CONFIGURATION > VPN > IPSec VPN > VPN Connection > Add 106/255...
Page 107
www.zyxel.com Go to CONFIGURATION > Network > Interface > VTI > Add to create a VTI for the VPN tunnel BO1. Be aware that the IP address of this VTI must be in the same subnet as vti1 on USG1. In this example, the IP address and subnet mask of vti1 on USG1 is 10.10.10.10 and 255.255.255.0 respectively.
Page 108
www.zyxel.com In the same screen, create a VTI for the VPN tunnel BO2. Be aware that the IP address of this VTI must be in the same subnet as vti2 on USG1. In this example, the IP address and subnet mask of vti2 on USG1 is 10.10.11.10 and 255.255.255.0 respectively.
Page 109
www.zyxel.com Go to CONFIGURATION > Network > Interface > Trunk > User Configuration > Add to create a new trunk. Add vti1 and vti2 to the new trunk. CONFIGURATION > Network > Interface > Trunk > User Configuration > Add Go to CONFIGURATION >...
Connect the VPN tunnels when the VTIs are ready. Go to CONFIGURATION > VPN > IPSec VPN > VPN Connection to connect the VPN tunnels.
CONFIGURATION > VPN > IPSec VPN > VPN Connection > Connect

10. Go to CONFIGURATION > Network > Interface > VTI. You will see that the status of the VTI is up when the corresponding VPN tunnel is established.
CONFIGURATION >...
To test whether VPN failover is working, unplug wan1 of USG1. Then ping from a PC in LAN1 of USG1 to a PC in LAN1 of USG2 and vice versa. Check the VPN status of USG1 in the MONITOR > VPN Monitor > IPSec screen.

PC of USG2 (192.168.11.33) > Windows 7 > cmd > ping 192.168.1.34

What Can Go Wrong?

If you see an [info] or [error] log message such as the one below, please check the ZyWALL/USG Phase 1 settings. Both ZyWALL/USG at the HQ and Branch sites must use the same Pre-Shared Key, Encryption, Authentication method, DH key group and ID Type to establish the IKE SA.
If you see that the Phase 1 IKE SA process is done but still get the [info] log message below, please check the ZyWALL/USG Phase 2 settings. Both ZyWALL/USG at the HQ and Branch sites must use the same Protocol, Encapsulation, Encryption, Authentication method and PFS to establish the IKE SA.

...the Branch must be in the subnet of 10.10.10.0/24, and so on.

How to Import ZyWALL/USG Certificate for L2TP over IPsec in Android mobile phone

This is an example of using the L2TP VPN and VPN client software included in Android mobile phone operating systems.
Set Up the L2TP VPN Tunnel on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule that can be used with the Android mobile phone clients.

Assign the L2TP users' IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet. Click OK.
Figure 163 Quick Setup >...

Figure 165 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed

Go to CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN, change Authentication method to Certificate and select the certificate which the ZyWALL/USG uses to identify itself to the Android mobile phone.
Figure 166 CONFIGURATION >...

Figure 167 CONFIGURATION > VPN > L2TP VPN > Create new Object > User

Export a Certificate from ZyWALL/USG and Import it to Android Mobile Phone

Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit.
Figure 168 CONFIGURATION > Object > Certificate > default

Export the default certificate from the ZyWALL/USG with Private Key (zyx123 in this example).
Figure 169 CONFIGURATION >...
Set Up the L2TP VPN Tunnel on the Android Mobile Device

To configure L2TP VPN in Android, go to Start > Settings > Network & Internet > VPN > Add a VPN Connection and configure as follows. Set VPN Provider to Windows (built-in). Configure a Connection name for you to identify the VPN configuration.

Figure 171

Go to Control Panel > Network and Internet > Network Connections, right-click and select Properties. Continue to Security > Advanced settings and select Use Certificate for authentication.

In the Network & Internet Settings window, click Connect.
Figure 173

Test the L2TP over IPSec VPN Tunnel

Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected.
Figure 174 CONFIGURATION >...

Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of ICMP Connectivity.
Figure 175 Hub_HQ > MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN

Go to ZyWALL/USG MONITOR >...

What Could Go Wrong?

If you see an [alert] log message such as the one below, please check the ZyWALL/USG L2TP Allowed User or User/Group settings. Android users must use the same Username and Password as configured in the ZyWALL/USG to establish the L2TP VPN.
Figure 178

If you see an [info] or [error] log message such as the one below, please check the ZyWALL/USG Phase 1 settings.

Ensure that the L2TP Address Pool does not conflict with any existing LAN1, LAN2, DMZ, or WLAN zones, even if they are not in use. If you cannot access devices in the local network, verify that the devices in the local network use the USG's IP as their default gateway, so that their return traffic can use the L2TP tunnel.
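The VTI subnet rule from the failover section (vti1 on USG1 is 10.10.10.10/255.255.255.0) and the L2TP address-pool rule just above can both be checked before a configuration is committed. The following Python script is an added example, not Zyxel code; the branch-side VTI address 10.10.10.20 and the zone subnets other than LAN1 are constructed for the example.

```python
"""Added example, not Zyxel code: scripted versions of two addressing rules
stated in this guide, using only the Python standard library.

  1. A VTI's address must sit in the same subnet as its counterpart on the
     other USG (vti1 on USG1 is 10.10.10.10/255.255.255.0 in the guide; the
     branch-side address 10.10.10.20 used below is constructed).
  2. The L2TP Address Pool (192.168.100.10-192.168.100.20 in the guide) must
     not overlap any local zone subnet; the zone subnets below are constructed.
"""
import ipaddress
from typing import Dict, List


def vti_peers_match(local_ip: str, local_mask: str,
                    peer_ip: str, peer_mask: str) -> bool:
    """True when both VTI addresses fall in one subnet and are distinct hosts."""
    local = ipaddress.ip_interface(f"{local_ip}/{local_mask}")
    peer = ipaddress.ip_interface(f"{peer_ip}/{peer_mask}")
    # Equal network objects means equal prefix AND equal mask; a pair that
    # shares a prefix but not a mask would not route symmetrically.
    return local.network == peer.network and local.ip != peer.ip


def pool_conflicts(pool_start: str, pool_end: str,
                   zones: Dict[str, str]) -> List[str]:
    """Return the names of zone subnets that the L2TP pool range overlaps.

    An empty list means the pool is safe to use. The whole zone subnet is
    tested, not just addresses currently in use, matching the guide's advice
    to avoid the zones 'even if they are not in use'.
    """
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if end < start:
        raise ValueError("pool end precedes pool start")
    # A start/end range rarely aligns to one CIDR block; summarize it into
    # the minimal set of networks so the overlap test stays exact.
    pool_nets = list(ipaddress.summarize_address_range(start, end))
    conflicts = []
    for name, cidr in zones.items():
        zone_net = ipaddress.ip_network(cidr, strict=False)
        if any(p.overlaps(zone_net) for p in pool_nets):
            conflicts.append(name)
    return conflicts


# Constructed zone subnets for the example (the guide names the zones; only
# LAN1 = 192.168.1.0/24 appears elsewhere in the handbook).
EXAMPLE_ZONES = {
    "LAN1": "192.168.1.1/24",
    "LAN2": "192.168.2.1/24",
    "DMZ": "192.168.3.1/24",
    "WLAN": "192.168.4.1/24",
}

if __name__ == "__main__":
    print(vti_peers_match("10.10.10.10", "255.255.255.0",
                          "10.10.10.20", "255.255.255.0"))
    print(pool_conflicts("192.168.100.10", "192.168.100.20", EXAMPLE_ZONES))
    print(pool_conflicts("192.168.1.10", "192.168.1.20", EXAMPLE_ZONES))
```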
How to Import ZyWALL/USG Certificate for L2TP over IPsec in iOS mobile phone

This is an example of using the L2TP VPN and VPN client software included in iOS mobile phone operating systems. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG and allow traffic from L2TP clients to go to the Internet from an iOS mobile phone.

Set Up the L2TP VPN Tunnel on the ZyWALL/USG

In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule that can be used with the iOS mobile phone clients.

Assign the L2TP users' IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet. Click OK.
Figure 184 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings)

This screen provides a read-only summary of the VPN tunnel.

Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard.
Figure 186 Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed

Go to CONFIGURATION >...

Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add a User Name and Password (4-24 characters). Then set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example).
Figure 188 CONFIGURATION > VPN > L2TP VPN > Create new Object > User
Export a Certificate from ZyWALL/USG and Import it to iOS Mobile Phone

Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit.
Figure 189 CONFIGURATION > Object > Certificate > default

Export the default certificate from the ZyWALL/USG with Private Key (zyx123 in this example).
Figure 190 CONFIGURATION >...

default.p12
Figure 191

Set Up the L2TP VPN Tunnel on the iOS Mobile Device

To configure L2TP VPN in the iOS operating system, go to Start > Settings > Network & Internet > VPN > Add a VPN Connection and configure as follows. Set VPN Provider to Windows (built-in).

Go to Control Panel > Network and Internet > Network Connections, right-click and select Properties. Continue to Security > Advanced settings and select Use Certificate for authentication.
Figure 193

In the Network & Internet Settings window, click Connect.
Figure 194

Test the L2TP over IPSec VPN Tunnel

1. Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection; the Status connect icon is lit when the interface is connected.
Figure 195 CONFIGURATION >...

3. Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session.
Figure 197 MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users

4. Go to the iOS operating system Start > Settings > Network & Internet > VPN; it shows the Connected status.

2. If you see an [info] or [error] log message such as the one below, please check the ZyWALL/USG Phase 1 settings. iOS users must use the same Pre-Shared Key as configured in the ZyWALL/USG to establish the IKE SA.
Figure 200

3. If you see that the Phase 1 IKE SA process has completed but still get an [info] log message as below, please check the ZyWALL/USG Phase 2 settings.
How to configure the USG when using a Cloud Based SIP system

This example shows how to configure the USG when there is a cloud-based SIP system. IP phones are more and more popular nowadays. The USG supports the scenario in which IP phones located in the LAN connect to the Internet to register with the SIP server.

Set Up the SIP ALG

Go to CONFIGURATION > Network > ALG and check "Enable SIP ALG". Also check "Enable SIP Transformations" if the SIP content needs to be transformed. Then click "Apply".
Figure 203 CONFIGURATION > Network > ALG

Direct-media and Direct-signalling are activated after ZLD 4.20. They can be disabled from the CLI:

    Router(config)# no alg sip direct-signalling
    Router(config)# no alg sip direct-media

Test result

Connect the SIP phone to the USG and check the register status. It registers successfully.
Figure 205

Check the SIP register status on the PBX.
Figure 206

What could go wrong?

The SIP phone does not support transforming by itself, but the "SIP Transformations"...
How to block HTTPS websites by Domain Filter without applying SSL Inspection

The Content Filter with HTTPS Domain Filter allows you to block HTTPS websites by category service without SSL Inspection. The filtering feature is based on more than 50 Managed Categories built into the ZyWALL/USG, such as pornography, gambling, hacking, etc.

Set Up the Content Filter on the ZyWALL/USG

Go to CONFIGURATION > UTM Profile > Content Filter > Profile > General Settings. Select Enable HTTPS Domain Filter for HTTPS traffic.
Figure 209

Go to CONFIGURATION > UTM Profile > Content Filter > Profile Management > Add Filter Profile >...

Figure 212

Scroll down to the Managed Categories section and select categories in this section to control access to specific types of Internet content. You must have the Content Filtering license to filter these categories.
Figure 213

Set Up the Security Policy on the ZyWALL/USG

Go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. Scroll down to UTM Profile, select Content Filter and select a profile from the list box (Social_Net_Block in this example).
Figure 214

Set Up the System Policy on the ZyWALL/USG

Go to CONFIGURATION >...

Test the Result

Type http://www.facebook.com/ or https://www.facebook.com/ into the browser; the error message appears.
Figure 216

Go to the ZyWALL/USG Monitor > Log; you will see [alert] log messages such as the ones below. The HTTP traffic log shows (Content Filter) and the HTTPS traffic log shows (HTTPS Domain Filter) in the message field.
Figure 217 Monitor > Log
How to configure Content Filter 2.0 - Geo IP Blocking

Content Filter 2.0 - Geo IP blocking identifies the country based on the IP address; it allows you to block clients from accessing certain countries based on organizational policy.

Set Up the Address Object with Geo IP on the ZyWALL/USG

Figure 219

Go to CONFIGURATION > Object > Address/Geo IP > Address > Add Address Rule.
Figure 220

Go to CONFIGURATION > Object > Address/Geo IP > Address; you can see the customized GEOGRAPHY address.

Set Up the Security Policy on the ZyWALL/USG

Figure 221

Go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile. Set the Geo IP policy for traffic from WAN to LAN to allow only sources from the local country (geo_allow_policy in this example).

Test the Result

Type http://csosuppport.ddns.net/ into the browser; the HTTP site can be reached.
Figure 223

Go to the ZyWALL/USG Monitor > Log; you will see [notice] log messages such as the ones below. Traffic matching the Geo IP policy is blocked and shown in the message field.
Figure 224

What could go wrong

1. The Security Policy is configured wrong. The traffic cannot access the LAN server.
Figure 225

2. The Content-Filter service is expired. Since the Geo-IP service is bound to the Content-Filter license, the Content-Filter service must still have available dates.
How to block the client accessing to certain country using Geo IP and Content Filter

The Content Filter with Geo IP identifies the country based on the IP address; it allows you to block clients from accessing certain countries based on organizational policy. When a user makes an HTTP or HTTPS request, the ZyWALL/USG looks the IP address up in the MaxMind database, then takes action when it matches a blocked country in the Content Filter profile.

Check Geo IP License Status on the ZyWALL/USG

Go to CONFIGURATION > Licensing > Registration > Service; the Geo IP Service should be Licensed to configure this feature.
Figure 227

Set Up the Address Object with Geo IP on the ZyWALL/USG

Go to CONFIGURATION >...

Go to CONFIGURATION > Object > Address/Geo IP > Address Group > Add Address Group Rule and add all customized GEOGRAPHY addresses into the same Member object.
Figure 230

Set Up the Security Policy on the ZyWALL/USG

Go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy profile.

Test the Result

Type http://www.pku.edu.cn/ or https://www.rwth-aachen.de/ into the browser; the sites can't be reached.
Figure 232

Go to the ZyWALL/USG Monitor > Log; you will see [notice] log messages such as the ones below. Traffic matching the Geo IP policy is blocked and shown in the message field.
Figure 233
How to set up Link Aggregation Group (LAG)

A Link Aggregation Group (LAG) allows you to combine a number of physical ports to create a single high-bandwidth data path. It lets the traffic use load balancing or failover, depending on the actual case.

On the USG, go to Configuration > Network > Interface > LAG. Choose the proper interface type and zone depending on the case. Also select the slave ports that will be added to the LAG interface. The interface format will be lagx (x = 0~3).
Figure 235

Link Monitoring: You can choose link up/down detection (specify the MII link monitoring frequency or...

Updelay is the time to wait to enable the slave port after the device detects the link recovery. Downdelay is the time to wait to disable the slave port after the device detects the link failure.
Figure 237

The target IP can be a Layer 3 device or a host IP that is reachable by the USG.

802.3ad (LACP) Mode: (Both devices need to be configured.

Figure 239

Xmit Hash Policy: Select layer2 or layer2+3. Select layer2 if the LAG interface is connected to a layer 2 subnet. Select layer2+3 if the LAG interface is connected to a network with a router or an L3 switch.

LACP rate: The interval can be fast (every second) or slow (every 30 seconds).

Balance-alb Mode: (Does not require configuration on the switch, and one or multiple switches can be used.)
Figure 241

Set up the active-backup mode

The VLAN interface is cross-connected to different switches and the link statuses on both switches are active.
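To see why layer2+3 is the right Xmit Hash Policy when the LAG faces a router or L3 switch, the following added Python example (not Zyxel code) models both policies on the Linux bonding driver's documented formulas, which the USG's LAG option names follow; the MAC and IP addresses are constructed for the example.

```python
"""Added example, not Zyxel code: the transmit hash policies behind the LAG
'Xmit Hash Policy' setting, modelled on the Linux bonding driver
documentation (bonding.txt). It shows why 'layer2' collapses traffic onto one
slave port when the LAG faces a router or L3 switch: every frame then carries
the same source and destination MAC, so the hash never changes.
All MAC and IP addresses below are constructed for this example."""
import ipaddress
from typing import List, Tuple

ETH_P_IP = 0x0800  # Ethernet packet type ID for IPv4, part of both hashes


def _mac(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def layer2_hash(src_mac: str, dst_mac: str, eth_type: int = ETH_P_IP) -> int:
    """bonding.txt 'layer2': hash = src MAC[5] XOR dst MAC[5] XOR packet type."""
    return _mac(src_mac)[5] ^ _mac(dst_mac)[5] ^ eth_type


def layer2_3_hash(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                  eth_type: int = ETH_P_IP) -> int:
    """bonding.txt 'layer2+3': layer2 hash XOR src IP XOR dst IP, then folded."""
    h = layer2_hash(src_mac, dst_mac, eth_type)
    h ^= int(ipaddress.ip_address(src_ip)) ^ int(ipaddress.ip_address(dst_ip))
    h ^= h >> 16
    h ^= h >> 8
    return h


Flow = Tuple[str, str, str, str]  # (src_mac, dst_mac, src_ip, dst_ip)


def select_slave(policy: str, slave_count: int, flow: Flow) -> int:
    """Slave port index a flow is transmitted on: hash modulo slave count."""
    src_mac, dst_mac, src_ip, dst_ip = flow
    if policy == "layer2":
        h = layer2_hash(src_mac, dst_mac)
    elif policy == "layer2+3":
        h = layer2_3_hash(src_mac, dst_mac, src_ip, dst_ip)
    else:
        raise ValueError(f"unknown xmit hash policy: {policy}")
    return h % slave_count


def slave_load(policy: str, slave_count: int, flows: List[Flow]) -> List[int]:
    """Number of flows that land on each slave port under the given policy."""
    load = [0] * slave_count
    for flow in flows:
        load[select_slave(policy, slave_count, flow)] += 1
    return load


# Constructed scenario: the USG's LAG (one MAC) forwards to a next-hop router
# (one MAC) on behalf of LAN clients reaching eight different Internet hosts.
USG_LAG_MAC = "00:11:22:33:44:55"
ROUTER_MAC = "66:77:88:99:aa:bb"
ROUTED_FLOWS: List[Flow] = [
    (USG_LAG_MAC, ROUTER_MAC, "192.168.66.1", f"203.0.113.{last}")
    for last in range(10, 18)
]

if __name__ == "__main__":
    for policy in ("layer2", "layer2+3"):
        # layer2 puts all eight flows on one slave; layer2+3 spreads them
        print(policy, slave_load(policy, 2, ROUTED_FLOWS))
```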
The VLAN interface is cross-connected to different switches (fault tolerance).
Figure 244

Only one link connection is up and the other is down. In this case, you will need to use the active-backup mode.
Figure 245

You can find the LAG interface in the VLAN interface.
Figure 247

Test the Result

After the deployment you can see the interface status through Monitor > Interface Status.
Figure 248

Below we use an 802.3ad LAG interface with Vlan66 as the example. Unplug one of the network cables during the ping; the connection should still be alive after one lost ping.
Figure 249

What can go wrong

1.
How to Restrict Web Portal access from the Internet

This example shows how to restrict administrator access to the ZyWALL/USG web portal from the WAN (Internet) side while still allowing it from the LAN.

Set Up the ZyWALL/USG System Setting

Go to CONFIGURATION > System > WWW > Admin Service Control > Add Admin ACL Rule 1. Set the address access action to Deny for ALL addresses in WAN.
Figure 251 CONFIGURATION > System > WWW > Admin Service Control > Add Admin ACL Rule 1

Test the Web Access

Log in to the device via the WAN interface with the administrator's user name and password. The screen will show Login denied.
Figure 252 Login to the device via the WAN interface

Log in to the device via the LAN interface with the administrator's user name and password.

Go to MONITOR > Log. You can see that the admin login has been denied access from the WAN interface but is allowed from the LAN interface.
Figure 254 MONITOR > Log
How to Setup and Configure Daily Report

This example shows how to set up data collection and view various statistics about traffic passing through your ZyWALL/USG. When the Daily Report is configured, you will receive a statistics report every day.
Figure 255 ZyWALL/USG Setup and Configure Daily Report

Note: All network IP addresses and subnet masks are used as examples in this article.

Set Up the ZyWALL/USG Email Daily Report Setting

Go to CONFIGURATION > Log & Report > Email Daily Report > General Settings. Select Enable Email Daily Report to send reports by e-mail every day.
Figure 256 CONFIGURATION > Log & Report > Email Daily Report > General Settings

Type the SMTP server name or IP address.

Select Reset counters after sending report successfully if you only want to see statistics for a 24-hour period.
Figure 259 CONFIGURATION > Log & Report > Email Daily Report > Report Items

Test the Daily Log Report

Click Send Report Now to have the ZyWALL/USG send the daily e-mail report immediately. You will receive a daily report mail.
Figure 261 ZyXEL Daily Report Mail

What Could Go Wrong?

Make sure your Email settings are all correct.
Figure 262 CONFIGURATION > Log & Report > Email Daily Report > Email Settings

Make sure your ZyWALL to WAN security policy allows the traffic.
How to Setup and Configure Email Logs

This example shows how to set up e-mail profiles to mail ZyWALL/USG log messages to specific destinations. You can also specify which log messages to e-mail, and where and how often to e-mail them. When Email Logs is configured, you will receive log e-mail reports based on the customized schedule.

Set Up the ZyWALL/USG Email Logs Setting

1. Go to CONFIGURATION > Log & Report > Log Settings > System Log > Edit > E-mail Server 1. Select Active. Type the SMTP server name or IP address. In Mail From, type the e-mail address from which the outgoing e-mail is delivered.

5. Go to CONFIGURATION > Log & Report > Log Settings > System Log > Edit > Active Log and Alert. Use the System Log drop-down list to change the log settings for all of the log categories.
Figure 265 CONFIGURATION > Log & Report > Log Settings > System Log > Edit > Active Log and Alert

Test the Email Log

You will receive a log mail depending on the time you set in the E-mail Server.
Figure 266 ZyXEL Log Mail

What Could Go Wrong?

Make sure your Email settings are all correct.
Figure 267 CONFIGURATION > Log & Report > Email Daily Report > Email Settings

Make sure your ZyWALL to WAN security policy allows the traffic.
How to setup and send logs to a Syslog Server

This example shows how to set up syslog server profiles to send ZyWALL/USG log messages to specific destinations. You can also specify which log messages go to the syslog server. When the syslog server is configured, you will receive the system logs in real time.

Set Up the Syslog Server (Papertrail syslog is used in this example)

Register an account on Papertrail: https://papertrailapp.com

Go to Dashboard > Add Systems.
Figure 269 Dashboard > Add Systems

Select Not shown here? and My syslog daemon only sends to port 514.
Figure 270 Dashboard >...

Select My syslogd only uses the default port, set the ZyWALL/USG public IP address (111.250.188.9 in this example) and name the log system. Click Save.
Figure 271 Dashboard > Add Systems > I'm using > Choose your situation

Write down the Papertrail-provided domain name (logs.papertrialpp.com in this example).

Set Up the ZyWALL/USG Remote Server Setting

1. Go to CONFIGURATION > Log & Report > Log Settings > Remote Server > Edit. Set Log Format to CEF/Syslog. Type the Server Address as the Papertrail-provided domain name (logs.papertrialpp.com in this example).
2.

Figure 273 CONFIGURATION > Log & Report > Log Settings > Remote Server > Edit

Test the Remote Server

You will receive a log mail depending on the time you set in the E-mail Server.
Figure 274 ZyXEL Log Mail

What Could Go Wrong?

Make sure your Log settings for Remote Server are all correct.
Figure 275 CONFIGURATION > Log & Report > Log Settings > Remote Server

Make sure your ZyWALL to WAN security policy allows traffic to the log server.
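The Remote Server setting above sends logs in CEF/Syslog format. The following added Python example (not Zyxel code) parses CEF records of that framing and counts blocked events per source address; the sample lines, their vendor and product strings and their extension keys are constructed for the example and are not actual USG output.

```python
"""Added example, not Zyxel code: parse CEF-formatted syslog lines of the
kind the 'CEF/Syslog' Log Format sends to a remote server, then count blocked
events per source address. The sample lines and their vendor/product/extension
values are constructed and are not real USG output; only the CEF framing
(CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension,
with backslash escapes for '|' in the header and '=' in values) is standard."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Split the header on '|' characters that are not escaped with a backslash.
_HEADER_PIPE = re.compile(r"(?<!\\)\|")
# key=value pairs: a value runs until the next ' key=' or end of string, so
# values may contain spaces, and an escaped '\=' never starts a new key.
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", re.DOTALL)


@dataclass
class CefEvent:
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extension: Dict[str, str] = field(default_factory=dict)


def _unescape(value: str, header: bool) -> str:
    value = value.replace("\\|", "|") if header else value.replace("\\=", "=")
    return value.replace("\\\\", "\\")


def parse_cef(line: str) -> Optional[CefEvent]:
    """Return the parsed event, or None when the line carries no CEF record."""
    start = line.find("CEF:")
    if start < 0:
        return None
    parts = _HEADER_PIPE.split(line[start:], maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        return None  # unsupported version or truncated header
    _, vendor, product, dev_ver, sig_id, name, severity, extension = parts
    ext = {k: _unescape(v, header=False) for k, v in _EXT_PAIR.findall(extension)}
    return CefEvent(
        vendor=_unescape(vendor, True), product=_unescape(product, True),
        device_version=_unescape(dev_ver, True),
        signature_id=_unescape(sig_id, True), name=_unescape(name, True),
        severity=int(severity), extension=ext)


def blocked_by_source(lines: List[str]) -> Dict[str, int]:
    """Count events with act=block per source address ('src' extension key)."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_cef(line)
        if ev and ev.extension.get("act") == "block" and "src" in ev.extension:
            counts[ev.extension["src"]] += 1
    return dict(counts)


# Constructed sample lines, each with a syslog prefix ahead of the CEF record.
SAMPLE_LINES = [
    "<134>Mar 1 10:00:01 usg CEF:0|ExampleVendor|ExampleFW|1.0|cf|Content Filter|5|"
    "src=192.168.1.34 dst=203.0.113.10 msg=category\\=Social Networking act=block",
    "<134>Mar 1 10:00:02 usg CEF:0|ExampleVendor|ExampleFW|1.0|cf|HTTPS Domain Filter|5|"
    "src=192.168.1.34 dst=203.0.113.11 act=block",
    "<134>Mar 1 10:00:03 usg CEF:0|ExampleVendor|ExampleFW|1.0|pol|Policy Control|3|"
    "src=192.168.1.35 dst=203.0.113.12 act=pass",
    "<134>Mar 1 10:00:04 usg plain text line without a CEF record",
]

if __name__ == "__main__":
    print(blocked_by_source(SAMPLE_LINES))
```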
How to setup and send logs to a Vantage Reports Server

This example shows how to set up Vantage Report Server profiles to send ZyWALL/USG log messages to specific destinations. You can also specify which log messages go to the Vantage Report Server. When the Vantage Report Server is configured, you will receive the system logs in real time.

Set Up the VRPT Server

1. The Vantage Report server must have a registered account at http://www.myZyXEL.com.
2. Install the VRPT software: http://www.zyxel.com/support/DownloadLandingSR.shtml?c=gb&l=en&kbid=M-01339&md=VRPT
4. Unzip the file and click Vantage Report.exe to start installing Vantage Report. Then the Vantage Report installation wizard appears. Click Next.
Figure 277

5.

Figure 278

Check whether any other applications also use port 3316 (TCP), 514 (UDP) or 8080 (UDP) by entering "netstat -a" on the command line. Uninstall them if any. Click OK.
Figure 279

When you finish installing Vantage Report, restart the Vantage Report server.

7.

Figure 280

Go to Dashboard > License Information > Manage Device and click Add Device; the Add Device screen appears on the left side. Enter the Name of the device you want to add to Vantage Report. Enter the LAN MAC address of the device you want to add.

Set Up the ZyWALL/USG Remote Server Setting

Go to CONFIGURATION > Log & Report > Log Settings > Remote Server > Edit. Set Log Format to VRPT/Syslog. Type the Server Address as the Vantage Report server IP address (10.251.30.61 in this example).

Figure 283 VRPT Server > Logs > Log Viewer

What Could Go Wrong?

Make sure your Log settings for Remote Server are all correct.
Figure 284 CONFIGURATION > Log & Report > Log Settings > Remote Server

Make sure your ZyWALL to WAN security policy allows traffic to the log server.
How to enable and send logs to the USB storage

This example shows how to use a USB device to store the system log information.
Figure 285 ZyWALL/USG enable and send logs to the USB storage

Note: Only connect one USB device. It must allow writing (it cannot be read-only) and use the FAT16, FAT32, EXT2, or EXT3 file system.

Set Up the USB System Settings

Go to CONFIGURATION > System > USB Storage > Settings > General. Select Activate USB storage service if you want to use the connected USB device(s). Set a number and select a unit (MB or %) to have the ZyWALL/USG send a warning message when the remaining USB storage space is less than the value you set here.

Go to CONFIGURATION > Log & Report > Log Settings > USB Storage > Edit. Select Duplicate logs to USB storage (if ready) to have the ZyWALL/USG save a copy of its system logs to a connected USB storage device. Use the Selection drop-down list to change the log settings for all of the log categories.
How to create Wi-Fi VLAN interfaces to separate the staff network and the Guest network

This example shows how to create Wi-Fi VLAN interfaces to separate the staff network and the Guest network. Suppose there should be no limitation for the staff network, but guests are restricted from accessing the USG.

Set up Wi-Fi VLAN interfaces

Create VLAN interfaces

Go to CONFIGURATION > Object > Zone. Create a zone for the guest.
Figure 291 CONFIGURATION > Object > Zone

Go to CONFIGURATION > Network > Interface > VLAN. Create VLAN16 for Staff_WiFi and VLAN17 for Guest_WiFi.
Figure 292 CONFIGURATION >...

Figure 293 CONFIGURATION > Network > Interface > VLAN > VLAN17

There will be two VLAN interfaces.
Figure 294 CONFIGURATION > Network > Interface > VLAN

Set Up the User

Go to Configuration > Object > User/Group > User, and create users for the staff and the guest.
Figure 295 Configuration > Object > User/Group > User > staff
Figure 296 Configuration > Object > User/Group > User > guest

There will be two users.
Figure 297

Set Up the AP Profile

Go to CONFIGURATION > Object > AP Profile > SSID > Security List, and create two security profiles.
Figure 298 CONFIGURATION > Object > AP Profile > SSID > Security List > Guest_WPA2

Figure 299 CONFIGURATION > Object > AP Profile > SSID > Security List > Staff_WPA2

Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, and create two SSID profiles.
Figure 300 CONFIGURATION > Object > AP Profile > SSID > SSID List > Staff_Wifi
Figure 301 CONFIGURATION > Object > AP Profile > SSID > SSID List > Guest_Wifi

Go to CONFIGURATION > Wireless > AP Management > AP Group, and add an AP Group named WiFi.
Figure 302 CONFIGURATION > Wireless > AP Management > AP Group

Go to CONFIGURATION >...

Figure 303 CONFIGURATION > Wireless > AP Management > Mgnt. AP List

Set Up the Security policy rule

Go to CONFIGURATION > Security Policy > Policy Control > Policy. Add one rule to restrict Guest access to the USG, and another one to allow access to the Internet.
Figure 304 CONFIGURATION >...

Figure 305 CONFIGURATION > Security Policy > Policy Control > Policy > Guest_Internet

Test result

Connect to the SSID Staff_WiFi, and ping the USG interface.
Figure 306

Connect to the SSID Guest_WiFi, and ping the USG interface.
Figure 307

What could go wrong

Figure 308
Choosing the wrong zone for the Guest VLAN interface.

Figure 309
Not changing the AP to the correct group.

Figure 310
Not creating the correct rule to block the Guest from accessing the USG.
How to Activate a Free Access Hotspot

Some hotels need to provide free Internet services to hundreds of guests on a daily basis, and managing the Internet access for so many people can be very complicated without the right equipment. With web authentication methods such as user agreement and web portal, hotel guests are redirected to a web-based authentication portal upon the first attempt to access the network.

Configuration Guide

Network Conditions
WAN: 10.251.31.112
LAN 1: 192.168.1.1/255.255.255.0
User's laptop: 192.168.1.33

Set up the Free Access Hotspot Configurations on the USG1100

The user agreement of this feature allows clients to access the Internet without a guest account.

Figure 313

2. Go to Configuration > Hotspot > Advertisement.
(1) Select Enable Advertisement.
(2) Add the URL of the website that you want to advertise.
Figure 314

Test the User Agreement and Advertisement Webpage

1. When a client attempts to access the Internet via a browser, he/she will be redirected to the user agreement page.
Figure 315

2. The advertisement webpage will be displayed in a new window, and it is the first page that appears whenever the user connects to the Internet.
Figure 316

What could Go Wrong?

If users can access the Internet without any authentication, please make sure the Source Address is configured with the correct subnet. For example, if you want users to be controlled via authentication in subnet 192.168.1.0/24, you need to make sure the Source Address is 192.168.1.0/24.
Figure 317

Set up Enable the Free Time Feature Configurations on the USG1100

On the USG1100, you need to enable the SMS service and select SMS as the delivery method in the Free Time feature.

1. Register for a ViaNett account at http://www.vianett.com.

3. After the form has been submitted, the account information will be sent to your E-mail address.
Figure 320
Figure 321
Figure 322

4. Enter the activation code and proceed to make the payment.
Figure 321

5. Fill in the credit card information to complete the payment.
Figure 322

The payment is complete.
Figure 323

6. After the ViaNett account is ready, go to the USG1100's Configuration > Hotspot > SMS screen.
(1) Enable SMS.
(2) Fill in your local phone country code as the default country code.
(3) Add an authentication policy for every source.
Figure 324

7. Go to Configuration > Hotspot > Free Time.
(1) Select Enable Free Time and set up the free time period. By default, the Reset Time is at AM 00:00. You can also set up how many times a MAC address can access the Internet.

Figure 326

9. Select Enable Policy, Force User Authentication, and then select default-web-portal as the Authentication Type.
Figure 327

Test Free Time Feature

1. The user will be redirected to the Login screen before he/she is permitted to access the Internet.
Figure 328

Select Free Time as the service plan. Then submit your country code and mobile phone number.
Figure 329

3. The account and password will be sent to your mobile phone.
Figure 330

4. Check your account information.
Figure 331

5. Fill in the account information received on your mobile phone and click Login.
Figure 332

6. Now the client can start accessing the Internet.
Figure 333

What Can Go Wrong?

If the client cannot get the SMS message from ViaNett, please make sure the Country code, Username and Password are all correct.
www.zyxel.com How to Enable Device HA Pro The Device HA feature acts as a failover when one of the devices in the network is dead or can’t access the Internet. Therefore, this is a popular feature for network environments. In the previous firmware version, the USG supports AP (Activate-Passive/Master-Backup) mode.
www.zyxel.com Device HA Pro License The Device HA Pro feature is license required. You must register both of your devices on the myZyXEL.com server first. Then make sure the Device HA Pro license is available on both of your devices. Figure 337 221/255...
www.zyxel.com Behavior of the Device HA Pro The behavior of the Device HA Pro includes a heartbeat link to monitor the “activate” device’s interface status. If one of the monitored interfaces is dead or fails, the “passive” device’s status will became “activate”. (This means only 1 device’s status can be “activate”...
www.zyxel.com Heartbeat Link The heartbeat port is the latest physical port on the device. After you have enabled Device HA Pro, the devices will transmit multicast packets (UDP 694) to check each device’s status. When the passive device is working properly, the system LED light will be on. Only the heartbeat port’s LED light can be on.
Page 225
www.zyxel.com The Device HA Pro feature is license required. Please go to register both of your devices on myZyXEL.com and make sure the devices have the license after syncing with the myZyXEL.com server. Figure 341 2. Configurations on the Primary Device: The Device HA Pro feature is license required.
Go to the Configuration > Device HA > General screen.
- Select Enable Device HA and click Apply to enable Device HA Pro.
Figure 343
3. Configurations on the Secondary Device:
Go to the Configuration > Device HA > Device-HA Pro screen.
- Select Enable Configuration Provisioning From Active Device.
- Click Apply.
Figure 344
Go to the Configuration > Device HA > General screen.
- Select Enable Device HA and click Apply.
- Before the Device HA Pro feature is enabled on the secondary device, a warning message pops up for you to confirm. Click OK to enable it.
Figure 345
4. Connecting the Device HA Pro Port:
The Device HA Pro port is the last physical port on the device (DUT). Use a cable to connect the two devices to each other through this port.

What can go wrong
Why can’t I see the correct license status from the myZyXEL.com server?
On the Device-HA Pro setting screen, there is a function “Serial number of the licensed device for license synchronization”.
device?
Because the purpose of Device HA Pro is network stability, after a failover to the secondary device it keeps the latest status even when the primary device comes back. This avoids making the network service unstable.
How to Set Up IPv6 Interfaces For Pure IPv6 Routing
This example shows how to configure your USG Z’s WAN and LAN interfaces, which connect two IPv6 networks. The USG Z periodically advertises a network prefix of 2006:1111:1111:1111::/64 to the LAN through router advertisements.
Figure 346 ZyWALL/USG accesses the Internet via IPv6
Note: Instead of using router advertisement, you can use DHCPv6 to pass the...
Setting Up the IPv6 Interface
1. In the CONFIGURATION > Network > Interface > Ethernet screen’s IPv6 Configuration section, double-click wan1.
2. The Edit Ethernet screen appears. Select Enable Interface and Enable IPv6. Select Enable Auto-Configuration. Click OK.
Note: Your ISP or uplink router should have router advertisement enabled.
Figure 348
3. Use the ipconfig command at the command line to check.
Figure 349
Set up the Prefix Delegation and Router Advertisement
This example shows how to configure prefix delegation on the ZyWALL’s WAN and router advertisement on the LAN.

Apply for a Network Prefix From Your ISP
First of all, you have to apply for a network prefix from your ISP or the uplink router’s administrator.
Click Add in the DHCPv6 Request Options table and select the DHCPv6 request object you just created. The prefix your ISP gave you does not appear in the Value field until you click OK and then come back to this screen again. It is 2001:b050:2d::/48 in this example.
Note: Your ISP or a DHCPv6 server in the same network as the WAN should assign an IPv6 address to the WAN interface.
Figure 352

Setting Up the WAN IPv6 Interface
1. In the Configuration > Network > Interface > Ethernet screen, double-click the lan interface in the IPv6 Configuration section.
2. The Edit Ethernet screen appears. Click Show Advanced Settings to display more settings on this screen.
Address field. (The combined prefix 2001:b050:2d:1111::/64 is displayed as LAN1’s network prefix after you click OK and come back to this screen again.)
Figure 353
Test
1. Connect a computer to the ZyWALL’s LAN interface.
2. Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel >...
3. If the Value field in WAN1’s DHCPv6 Request Options table displays n/a, contact your ISP for further support.
4. In Windows, some IPv6-related tunnels such as Teredo and 6to4 may be enabled by default. They may cause your computer to handle IPv6 packets in an unexpected way.
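The prefix arithmetic in this section (the ISP’s delegated 2001:b050:2d::/48 combined with subnet ID 1111 into the LAN prefix 2001:b050:2d:1111::/64) and the n/a case in step 3 above can be checked offline. The following is an added Python example using only the standard library; it is not part of this handbook or of Zyxel’s software. The function names and the sample client address are my own, and the code generalizes the handbook’s one case to any delegated prefix length and LAN prefix length.

```python
import ipaddress
from typing import Optional


def parse_delegated_prefix(value: str) -> Optional[ipaddress.IPv6Network]:
    """Interpret the Value field of the WAN's DHCPv6 Request Options table.

    The device shows 'n/a' while no prefix has been delegated; that case is
    returned as None so the caller stops instead of building a bogus LAN prefix.
    """
    text = value.strip().lower()
    if text in ("", "n/a"):
        return None
    return ipaddress.IPv6Network(value.strip(), strict=True)


def combine_prefix(delegated: ipaddress.IPv6Network, subnet_id: int,
                   lan_prefixlen: int = 64) -> ipaddress.IPv6Network:
    """Build a LAN prefix from the delegated prefix and a subnet ID.

    The subnet ID fills the bits between the delegated prefix length and the
    LAN prefix length: for a /48 delegation and a /64 LAN those are bits 48..63,
    i.e. the fourth hextet (0x1111 in the handbook's example).
    """
    free_bits = lan_prefixlen - delegated.prefixlen
    if free_bits < 0:
        raise ValueError("LAN prefix cannot be shorter than the delegated prefix")
    if not 0 <= subnet_id < (1 << free_bits):
        raise ValueError(f"subnet ID {subnet_id:#x} does not fit in {free_bits} free bits")
    network_int = int(delegated.network_address) | (subnet_id << (128 - lan_prefixlen))
    return ipaddress.IPv6Network((network_int, lan_prefixlen))


def lan_prefix_from_value(value: str, subnet_id: int) -> Optional[str]:
    """Full path from the Value field text to the LAN prefix string, or None for 'n/a'."""
    delegated = parse_delegated_prefix(value)
    if delegated is None:
        return None
    return str(combine_prefix(delegated, subnet_id))


def host_is_on_lan(address: str, lan_prefix: str) -> bool:
    """Check that an address a client got via router advertisement lies in the LAN prefix."""
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(lan_prefix)


if __name__ == "__main__":
    # Inputs mirroring the handbook: /48 from the ISP, subnet ID 1111 for LAN1.
    print(lan_prefix_from_value("2001:b050:2d::/48", 0x1111))  # 2001:b050:2d:1111::/64
    print(lan_prefix_from_value("n/a", 0x1111))                # None: nothing delegated yet
    # Constructed sample client address (not taken from the page).
    print(host_is_on_lan("2001:b050:2d:1111::1234", "2001:b050:2d:1111::/64"))  # True
```

If a client ends up outside the computed prefix, the router advertisement on the LAN is not carrying the combined prefix, which usually points back to the Subnet ID or the delegated prefix reference in the LAN interface’s IPv6 settings.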
How to Perform and Use the Packet Capture Feature on the ZyWALL/USG
This example shows how to use the Packet Capture feature to capture network traffic going through the ZyWALL/USG’s interfaces. Studying these packet captures may help you identify network problems.
Figure 358 ZyWALL/USG Packet Capture Feature Settings
Note: New capture files overwrite existing files of the same name.
Set Up the Packet Capture Feature
Go to MAINTENANCE > Diagnostics > Packet Capture > Capture > Interfaces. Select the interfaces for which to capture packets and click the right arrow button to move them to the Capture Interfaces list.
Figure 359
10 Go to MAINTENANCE >...
11 Go to MAINTENANCE > Diagnostics > Packet Capture > Capture > Misc setting. Select Continuously capture and overwrite old ones to have the ZyWALL/USG keep capturing traffic and overwrite old packet capture entries when the available storage space runs out. Select Save data to onboard storage only or Save data to USB storage (if the status shows service deactivated, go to CONFIGURATION >...
13 Click Stop when collection is done.
Figure 363

Check the Capture Files
Go to MAINTENANCE > Diagnostics > Packet Capture > Files, select the .cap file and click Download.
Figure 364
Open the .cap files with Wireshark.
Figure 365
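To show what the downloaded .cap file contains before it is opened in Wireshark, here is an added Python example (not part of the handbook and not one of Zyxel’s tools) that parses the classic libpcap file format with the standard library only: the 24-byte global header, the 16-byte record headers and, for Ethernet link type 1, the EtherType of each frame. The sample capture it reads is constructed inline; its third record is deliberately cut short to show how a truncated or corrupt final record is handled. Function and class names are my own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Magic numbers as they appear when the first four bytes are read little-endian.
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microsecond timestamps
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanosecond timestamps
}
LINKTYPE_ETHERNET = 1
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


@dataclass
class PcapHeader:
    byte_order: str
    version: Tuple[int, int]
    snaplen: int
    linktype: int
    ts_divisor: int


@dataclass
class Record:
    timestamp: float
    caplen: int
    origlen: int
    data: bytes


def parse_global_header(buf: bytes) -> PcapHeader:
    """Decode the libpcap global header and detect byte order and timestamp resolution."""
    if len(buf) < GLOBAL_HEADER_LEN:
        raise ValueError("too short for a pcap global header")
    (magic,) = struct.unpack_from("<I", buf, 0)
    if magic not in PCAP_MAGICS:
        raise ValueError(f"not a libpcap file (magic {magic:#010x})")
    order, divisor = PCAP_MAGICS[magic]
    vmaj, vmin, _thiszone, _sigfigs, snaplen, linktype = struct.unpack_from(order + "HHiIII", buf, 4)
    return PcapHeader(order, (vmaj, vmin), snaplen, linktype, divisor)


def iter_records(buf: bytes) -> Iterator[Record]:
    """Yield records in file order; stop cleanly at a truncated or oversized final record."""
    hdr = parse_global_header(buf)
    off = GLOBAL_HEADER_LEN
    while off + RECORD_HEADER_LEN <= len(buf):
        ts_sec, ts_frac, caplen, origlen = struct.unpack_from(hdr.byte_order + "IIII", buf, off)
        off += RECORD_HEADER_LEN
        if caplen > hdr.snaplen or off + caplen > len(buf):
            break  # record claims more bytes than the snaplen allows or the file holds
        yield Record(ts_sec + ts_frac / hdr.ts_divisor, caplen, origlen, buf[off:off + caplen])
        off += caplen


def summarize(buf: bytes) -> Dict[str, object]:
    """Count complete records and, for Ethernet captures, frames per EtherType."""
    hdr = parse_global_header(buf)
    records: List[Record] = list(iter_records(buf))
    by_type: Dict[str, int] = {}
    for rec in records:
        if hdr.linktype == LINKTYPE_ETHERNET and len(rec.data) >= 14:
            (etype,) = struct.unpack_from(">H", rec.data, 12)
            name = ETHERTYPES.get(etype, f"0x{etype:04x}")
        else:
            name = f"linktype {hdr.linktype}"
        by_type[name] = by_type.get(name, 0) + 1
    return {"records": len(records), "snaplen": hdr.snaplen, "by_ethertype": by_type}


def build_sample_pcap() -> bytes:
    """Constructed sample capture (not from a device): two Ethernet frames plus a cut-off third record."""
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)

    def frame(ethertype: int, payload: bytes) -> bytes:
        dst = bytes.fromhex("001122334455")  # constructed MAC addresses
        src = bytes.fromhex("66778899aabb")
        return dst + src + struct.pack(">H", ethertype) + payload

    ipv6_frame = frame(0x86DD, bytes(40))  # zeroed 40-byte stand-in for an IPv6 header
    arp_frame = frame(0x0806, bytes(28))   # zeroed 28-byte stand-in for an ARP body
    rec1 = struct.pack("<IIII", 1_700_000_000, 500, len(ipv6_frame), len(ipv6_frame)) + ipv6_frame
    rec2 = struct.pack("<IIII", 1_700_000_001, 0, len(arp_frame), len(arp_frame)) + arp_frame
    rec3 = struct.pack("<IIII", 1_700_000_002, 0, 60, 60) + bytes(10)  # header says 60 bytes, only 10 follow
    return global_header + rec1 + rec2 + rec3


if __name__ == "__main__":
    print(summarize(build_sample_pcap()))
```

Run against a real download, `summarize(open("capture.cap", "rb").read())` gives a quick sanity check (record count, link type, protocol mix) that the capture covered the interfaces and traffic you intended before spending time in Wireshark.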
How to Automatically Reboot the ZyWALL/USG by Schedule
This example shows how to use a shell script and the schedule-run command to reboot the device automatically for maintenance purposes.
Figure 366 ZyWALL/USG Auto Schedule Reboot Settings
Note: This example was tested using a USG110 (Firmware Version: ZLD 4.15).
Set Up the Shell Script
Run the Windows Notepad application and input the command below:
Figure 367
Save this file as "reboot_device.zysh".
Figure 368
In the ZyWALL/USG, go to MAINTENANCE > File Manager > Shell Script. Click Browse... to find the reboot_device.zysh file. Click Upload to begin the upload process.
Figure 369
Set Up the Schedule Run
Log in to the device via console/telnet/SSH (using PuTTY in this example).
Figure 370
Issue the command below that matches your scenario (daily, weekly or monthly):
a. Router(config)# schedule-run 1 reboot_device.zysh daily 10:00
(The device will reboot at 10:00 every day.)
Figure 371
b. Router(config)# schedule-run 1 reboot_device.zysh weekly 10:00 sun
(The device will reboot at 10:00 every Sunday.)
Figure 372
c. Router(config)# schedule-run 1 reboot_device.zysh monthly 10:00 23
(The device will reboot at 10:00 on the 23rd of every month.)
Figure 373

Check the Reboot Status
Log in to the device via console/telnet/SSH (using PuTTY in this example); the reboot runs as scheduled.
Figure 374 PuTTY
Go to DASHBOARD > System Status and check System Uptime, Current Date/Time and Boot Status.
Figure 375 DASHBOARD > System Status
How to continuously run a ZySH script
This example shows how to use shell scripts and schedule-run to run a ZySH script automatically and continuously for maintenance purposes.
Figure 376 ZyWALL/USG continuously run a ZySH script Settings
Note: This example was tested using a USG110 (Firmware Version: ZLD 4.15).
Set Up the Shell Script
Run the Windows Notepad application and input the command below:
Figure 377
Save this file as "disable_firewall.zysh".
Figure 378
Run the Windows Notepad application and input the command below:
Figure 379
Save this file as "enable_firewall.zysh".
Figure 380
In the ZyWALL/USG, go to MAINTENANCE > File Manager > Shell Script. Click Browse... to find the disable_firewall.zysh and enable_firewall.zysh files. Click Upload to begin the upload process.
Figure 381

Set Up the Schedule Run
Log in to the device via console/telnet/SSH (using PuTTY in this example).
Figure 382
Issue the commands below:
Router> configure terminal
Router(config)# schedule-run 1 disable_firewall.zysh daily 01:00
Figure 383

Check the Result
In the ZyWALL/USG, go to DASHBOARD. Refresh the Secure Service Status; the Security Policy Control is disabled at 1:00.
Figure 384 DASHBOARD
In the ZyWALL/USG, go to DASHBOARD. Refresh the Secure Service Status; the Security Policy Control is enabled at 2:00.
Figure 385 DASHBOARD
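Both schedule-run procedures in this handbook (the daily, weekly and monthly reboot schedules in the previous section and the daily 01:00 disable / 02:00 enable pair in this one) use the same `daily|weekly|monthly HH:MM [day]` argument form. The following added Python example, which is not part of the handbook or of the device’s ZySH, parses that form and computes the next trigger time, so an administrator can check a schedule before committing it and see exactly how long a disable/enable pair leaves Security Policy Control switched off. Function names and the reference time are my own; one assumption is labelled in the code: the page does not say what the device does with a monthly day that a month lacks (the 31st in February), so the example simply skips such months.

```python
import calendar
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Day abbreviations as in 'schedule-run ... weekly HH:MM sun'; Python's weekday() is Monday=0 .. Sunday=6.
WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}


def parse_schedule(spec: str) -> Tuple[str, int, int, Optional[int]]:
    """Parse 'daily HH:MM', 'weekly HH:MM <day>' or 'monthly HH:MM <day-of-month>'."""
    parts = spec.split()
    if len(parts) < 2:
        raise ValueError(f"incomplete schedule: {spec!r}")
    kind = parts[0].lower()
    hour, minute = (int(x) for x in parts[1].split(":"))
    if not (0 <= hour < 24 and 0 <= minute < 60):
        raise ValueError(f"bad time of day: {parts[1]!r}")
    if kind == "daily" and len(parts) == 2:
        return kind, hour, minute, None
    if kind == "weekly" and len(parts) == 3 and parts[2].lower() in WEEKDAYS:
        return kind, hour, minute, WEEKDAYS[parts[2].lower()]
    if kind == "monthly" and len(parts) == 3 and parts[2].isdigit() and 1 <= int(parts[2]) <= 31:
        return kind, hour, minute, int(parts[2])
    raise ValueError(f"unrecognised schedule: {spec!r}")


def next_run(now: datetime, spec: str) -> datetime:
    """Return the first trigger time strictly after 'now' for the given schedule."""
    kind, hour, minute, arg = parse_schedule(spec)
    today_at = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if kind == "daily":
        return today_at if today_at > now else today_at + timedelta(days=1)
    if kind == "weekly":
        candidate = today_at + timedelta(days=(arg - today_at.weekday()) % 7)
        return candidate if candidate > now else candidate + timedelta(days=7)
    # monthly: assumption (not stated on the page) that months lacking that day are skipped
    year, month = now.year, now.month
    for _ in range(13):
        if arg <= calendar.monthrange(year, month)[1]:
            candidate = datetime(year, month, arg, hour, minute)
            if candidate > now:
                return candidate
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    raise ValueError(f"no valid day-of-month {arg} within a year")


def disabled_window_seconds(now: datetime, disable_spec: str, enable_spec: str) -> int:
    """Seconds between the next run of the disable script and the enable run that follows it."""
    off_at = next_run(now, disable_spec)
    on_at = next_run(off_at, enable_spec)
    return int((on_at - off_at).total_seconds())


def reference_now() -> datetime:
    """Constructed reference time for the demonstration: Monday 15 January 2024, 09:00."""
    return datetime(2024, 1, 15, 9, 0)


if __name__ == "__main__":
    now = reference_now()
    for spec in ("daily 10:00", "weekly 10:00 sun", "monthly 10:00 23"):
        print(f"{spec:20} -> next run {next_run(now, spec)}")
    window = disabled_window_seconds(now, "daily 01:00", "daily 02:00")
    print(f"Security Policy Control off for {window} seconds per day")
```

The disabled window computed here is what should appear in the change record for the maintenance job: with the handbook’s 01:00 and 02:00 pair it is one hour per day, and any drift between the two schedule entries (for example after editing only one of them) shows up immediately as a different number.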