ZyXEL Communications USG FLEX H Series User Manual page 430

• If the sites are/were previously connected using a leased line or ISDN router, physically disconnect
these devices from the network before testing your new VPN connection. The old route may have
been learned by RIP and would take priority over the new VPN connection.
• To test whether or not a tunnel is working, ping from a computer at one site to a computer at the
other.
Before doing so, ensure that both computers have Internet access (via the IPSec routers).
• It is also helpful to have a way to look at the packets that are being sent and received by the Zyxel
Device and remote IPSec router (for example, by using a packet sniffer).
Check the configuration for the following Zyxel Device features.
• The Zyxel Device does not put IPSec SAs in the routing table. You must create a policy route for each
VPN tunnel.
• Make sure the To-Zyxel Device security policies allow IPSec VPN traffic to the Zyxel Device. IKE uses
UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
• The Zyxel Device supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make
sure the To-Zyxel Device security policies allow UDP port 4500 too.
• Make sure regular security policies allow traffic between the VPN tunnel and the rest of the network.
Regular security policies check packets the Zyxel Device sends before the Zyxel Device encrypts
them and check packets the Zyxel Device receives after the Zyxel Device decrypts them. This
depends on the zone to which you assign the VPN tunnel and the zone from which and to which
traffic may be routed.
• If you set up a VPN tunnel across the Internet, make sure your ISP supports AH or ESP (whichever you
are using).
• If you have the Zyxel Device and remote IPSec router use certificates to authenticate each other, You
must set up the certificates for the Zyxel Device and remote IPSec router first and make sure they trust
each other's certificates. If the Zyxel Device's certificate is self-signed, import it into the remote IPSec
router. If it is signed by a CA, make sure the remote IPSec router trusts that CA. The Zyxel Device uses
one of its Trusted Certificates to authenticate the remote IPSec router's certificate. The trusted
certificate can be the remote IPSec router's self-signed certificate or that of a trusted CA that signed
the remote IPSec router's certificate.
• Multiple SAs connecting through a secure gateway must have the same negotiation mode.
The VPN connection is up but VPN traffic cannot be transmitted through the VPN tunnel.
If you have the Configuration > VPN > IPSec VPN > VPN Connection screen's Use Policy Route to control
dynamic IPSec rules option enabled, check the routing policies to see if they are sending traffic
elsewhere instead of through the VPN tunnels.
I cannot download the Zyxel Device's firmware package.
The Zyxel Device's firmware package cannot go through the Zyxel Device when you enable the anti-
malware Destroy compressed files that could not be decompressed option. The Zyxel Device classifies
the firmware package as not being able to be decompressed and deletes it.
You can upload the firmware package to the Zyxel Device with the option enabled, so you only need
to clear the Destroy compressed files that could not be decompressed option while you download the
Chapter 29 Troubleshooting
USG FLEX H Series User's Guide
430