ZyXEL Communications ZyWall USG 2000 User Manual page 905

of its Trusted Certificates to authenticate the remote IPSec router's
certificate. The trusted certificate can be the remote IPSec router's self-signed
certificate or that of a trusted CA that signed the remote IPSec router's
certificate.
• Multiple SAs connecting through a secure gateway must have the same
negotiation mode.
I cannot set up an L2TP VPN tunnel.
• Make sure you have configured L2TP correctly on the remote user computers.
See Section 8.5 on page 177
• Make sure you configured an appropriate policy route on the ZyWALL.
• Make sure there is not a firewall between the ZyWALL and the remote users.
• If it is possible that the remote user's public IP address could be in the same
subnet as the specified My Address, click Configure > Network > Routing >
Policy Route > Show Advanced Settings and select Use Policy Route to
Override Direct Route.
• Modifying the VPN connection or the VPN gateway that L2TP uses disconnects
any existing L2TP VPN sessions. Disconnect any existing L2TP VPN sessions
before modifying L2TP VPN settings. The remote users must make any needed
matching configuration changes and re-establish the sessions using the new
settings.
I cannot get my VPN concentrator configuration to work.
• Turn off policy enforcement in the member VPN connections.
• Make sure your firewall rules are not blocking the VPN packets.
• If the USG ZyWALLs' VPN tunnels are members of a single zone, make sure it is
not set to block intra-zone traffic.
The VPN connection is up but VPN traffic cannot be transmitted through the VPN
tunnel.
If you have the Configuration > VPN > IPSec VPN > VPN Connection
screen's Use Policy Route to control dynamic IPSec rules option enabled,
check the routing policies to see if they are sending traffic elsewhere instead of
through the VPN tunnels.
ZyWALL USG 2000 User's Guide
for examples.
Chapter 57 Troubleshooting
905