Chapter 50 Troubleshooting
ZyWALL USG Series User’s Guide
1033
route. This causes the Zyxel Device to reset the connection, as the connection has not been
acknowledged.
You can set the Zyxel Device’s security policy to permit the use of asymmetrical route topology on the
network (so it does not reset the connection) although this is not recommended since allowing
asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the
Zyxel Device. A better solution is to use virtual interfaces to put the Zyxel Device and the backup
gateway on separate subnets. See
Asymmetrical Routes on page 575
and the chapter about interfaces
for more information.
I cannot set up an IPSec VPN tunnel to another device.
If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec
routers. Log into both Zyxel IPSec routers and check the settings in each field methodically and slowly.
Make sure both the Zyxel Device and remote IPSec router have the same security settings for the VPN
tunnel. It may help to display the settings for both routers side-by-side.
Here are some general suggestions. See also
• The system log can often help to identify a configuration problem.
• If you enable NAT traversal, the remote IPSec device must also have NAT traversal enabled.
• The Zyxel Device and remote IPSec router must use the same authentication method to establish the
IKE SA.
• Both routers must use the same negotiation mode.
• Both routers must use the same encryption algorithm, authentication algorithm, and DH key group.
• When using pre-shared keys, the Zyxel Device and the remote IPSec router must use the same pre-
shared key.
• The Zyxel Device’s local and peer ID type and content must match the remote IPSec router’s peer
and local ID type and content, respectively.
• The Zyxel Device and remote IPSec router must use the same active protocol.
• The Zyxel Device and remote IPSec router must use the same encapsulation.
• The Zyxel Device and remote IPSec router must use the same SPI.
• If the sites are/were previously connected using a leased line or ISDN router, physically disconnect
these devices from the network before testing your new VPN connection. The old route may have
been learned by RIP and would take priority over the new VPN connection.
• To test whether or not a tunnel is working, ping from a computer at one site to a computer at the
other.
Before doing so, ensure that both computers have Internet access (via the IPSec routers).
• It is also helpful to have a way to look at the packets that are being sent and received by the Zyxel
Device and remote IPSec router (for example, by using a packet sniffer).
Check the configuration for the following Zyxel Device features.
• The Zyxel Device does not put IPSec SAs in the routing table. You must create a policy route for each
VPN tunnel. See
.
• Make sure the To-Zyxel Device security policies allow IPSec VPN traffic to the Zyxel Device. IKE uses
UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
Summary of Contents for USG110
Page 27: ...27 PART I User s Guide ...
Page 195: ...195 PART II Technical Reference ...
Page 309: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 309 ...
Page 313: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 313 ...
Page 358: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 358 ...
Page 373: ...Chapter 10 Interfaces ZyWALL USG Series User s Guide 373 ...