What Could Go Wrong - ZyXEL Communications ZyWALL ATP Series Handbook

www.zyxel.com

What Could Go Wrong?

If you see below [info] or [error] log message, please check ZyWALL/USG Phase 1
Settings. Both ZyWALL/USG and Cisco must use the same Pre-Shared Key,
Encryption, Authentication method, DH key group and ID Type to establish the
IKE SA.
MONITOR > Log
If you see that Phase 1 IKE SA process done but still get below [info] log message,
please check ZyWALL/USG and Cisco Phase 2 Settings. Both ZyWALL/USG and
Cisco must use the same Protocol, Encapsulation, Encryption, Authentication
method and PFS to establish the IKE SA.
MONITOR > Log
Make sure the both ZyWALL/USG and Cisco security policies allow IPSec VPN
traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
Default NAT traversal is enable on ZyWALL/USG, please make sure the remote
IPSec device must also have NAT traversal enabled.
211/782