![Zyxel USG 60 [219/327] What could go wrong](/img/pdf.png)
Zyxel USG 60 [219/327] What could go wrong
![Zyxel USG 60 [219/327] What could go wrong](/views2/1169223/page219/bgdb.png)
Chapter 4 Create Site-to-Site VPN Tunnels
ZyWALL/USG Series Handbook
219
Figure 461 Spoke_Branch_B > MONITOR > VPN Monitor > IPSec
4.9.8 What Could Go Wrong?
1 If you see [info] or [error] log message such as below, please check ZyWALL/USG Phase 1 Settings.
All ZyWALL/USG units must use the same Pre-Shared Key, Encryption, Authentication method, DH
key group and ID Type to establish the IKE SA.
Figure 462 MONITOR > Log
2 If you see that Phase 1 IKE SA process done but still get [info] log message as below, please check
ZyWALL/USG Phase 2 Settings. All ZyWALL/USG units must use the same Protocol, Encapsulation,
Encryption, Authentication method and PFS to establish the IKE SA.
Figure 463 MONITOR > Log
3 Make sure the all ZyWALL/USG units’ security policies allow IPSec VPN traffic. IKE uses UDP port
500, AH uses IP protocol 51, and ESP uses IP protocol 50.
4 By default, NAT traversal is enabled on ZyWALL/USG, so please make sure the remote IPSec device
also has NAT traversal enabled.
Содержание
- Handbook 1
- Quick start guide 1
- Security firewalls 1
- Usg40 usg40w usg60 usg60w usg110 usg210 usg310 usg1100 usg1900 1
- Zywall 110 310 1100 1
- Zywall usg series 1
- Note ip addresses port numbers and object names are just examples used in these tutorials so you must replace them with the corresponding information from your own network environment when implementing a tutorial 2
- Note it is recommended you use the web configurator to configure the zywall usg 2
- Related information 2
- Zywall usg 2
- Chapter 1 set up your network 0 3
- Chapter 2 set up wifi 5 3
- Chapter 3 protect your network with utm 9 4
- Chapter 4 create site to site vpn tunnels 113 5
- Chapter 5 create client to site vpn tunnels 20 7
- Chapter 6 configure ipv6 87 8
- Chapter 7 manage your network traffic 00 8
- Chapter 8 maintain your device 20 9
- How to get started using the wizards 10
- Set up your network 10
- Set up the internet access ethernet wizard on the zywall usg 11
- Set up the internet access pppoe wizard on the zywall usg 15
- Set up the internet access pptp wizard on the zywall usg 19
- Set up the wireless settings wizard on the zywall usg 23
- Set up the device registration on the zywall usg 24
- All network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 26
- How to configure the 3g lte interface on the zywall usg as a wan backup 26
- Note this example includes weighted load balancing weighted round robin so that most of your internet traffic is handled by isp connected to wan1 before it fails over to 3g lte 26
- Set up the 3g lte interface on the zywall usg 26
- Set up the trunk on the zywall usg 27
- Test the result 28
- What could go wrong 28
- How to let a server use the same public ip address as the wan interface using the bridge interface 29
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 29
- Set up the bridge interface on the zywall usg 30
- Test the result 31
- What could go wrong 31
- How to allow public access to a server behind zywall usg 32
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 32
- Set up the nat on the zywall usg 33
- Set up the security policy on the zywall usg 33
- Note the default setting of security policy is without log notification except policydefault if you want to check which policy may potentially block the traffic please select this policy and set the log matched traffic to be log or log alert 34
- Test the result 34
- What could go wrong 34
- How to set up a wifi network with zyxel aps 35
- Set up the ap management on the zywall usg 35
- Set up wifi 35
- Note the aps may take few minutes to appear in the ap list 36
- Test the result 37
- What could go wrong 37
- How to set up guest wifi network accounts 38
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 38
- Set up the wifi guest account address range and service rule on the zywall usg 38
- Set up the security policy on the zywall usg 40
- Set up the web authentication on the zywall usg 40
- Test the result 41
- How to set up wifi networks with microsoft active directory authentication 43
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 43
- Note the default setting of security policy is without log notification except policydefault if you want to check which policy may potentially block the traffic please select this policy and set the log matched traffic to be log or log alert 43
- What could go wrong 43
- Set up the wi fi guest account and authentication method on the zywall usg 44
- Set up the active directory server account on the zywall usg 45
- Set up the security policy on the zywall usg 46
- Test the result 46
- Note the default setting of security policy is without log notification except policydefault if you want to check which policy may potentially block the traffic please select this policy and set the log matched traffic to be log or log alert 48
- What could go wrong 48
- How to register your device and services at myzyxel com 49
- Protect your network with utm 49
- Account creation 50
- Note the business account can be changed into a channel partner account by an administrator with a channel partner account you can register multiple devices and or services at a time and check service status reports contact your sales representative to have a channel partner account 51
- Device registration 52
- Service registration in the case of standard license 52
- Device management in the case of registering bundled licenses 53
- Refresh service 54
- What could go wrong 54
- How to schedule youtube access 55
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 55
- Set up the schedule on the zywall usg 55
- Create the application objects on the zywall usg 56
- Set up the application patrol profile on the zywall usg 56
- Set up ssl inspection on the zywall usg 57
- Set up the security policy on the zywall usg 57
- Default p12 58
- Export certificate from zywall usg and import it to windows 7 operation system 58
- Note each zywall usg device has its own self signed certificate by factory default when you reset to the default configuration file the original self signed certificate is erased and a new self signed certificate will be created when the zywall usg boots the next time 60
- Test the result 61
- What could go wrong 61
- How to exempt specific users from security control 62
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 62
- Set up the security policy on the zywall usg for employees 62
- Set up the security policy on the zywall usg for executives 64
- Set up the web authentication on the zywall usg 65
- Test the result 66
- What could go wrong 66
- How to detect and prevent tcp port scanning with adp 67
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 67
- Set up the adp profile on the zywall usg 68
- Test the result 70
- What could go wrong 71
- How to block facebook 72
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 72
- Set up the content filter on the zywall usg 72
- Set up the security policy on the zywall usg 73
- Set up the ssl inspection on the zywall usg 73
- Default p12 74
- Export certificate from zywall usg and import it to windows 7 operation system 74
- Note each zywall usg device has its own self signed certificate by factory default when you reset to default configuration file the original self signed certificate is erased and a new self signed certificate will be created when the zywall usg boots the next time 76
- Test the result 77
- What could go wrong 77
- How to exempt specific users from a blocked website 78
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 78
- Set up the security policy on the zywall usg for employees 79
- Add address rule 80
- Set up the security policy on the zywall usg for executives 80
- Set up the web authentication on the zywall usg 81
- Test the result 82
- What could go wrong 82
- How to control access to google drive 83
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 83
- Set up the application patrol on the zywall usg 83
- Set up the ssl inspection on the zywall usg 85
- Export certificate from zywall usg and import it to windows 7 operation system 86
- Set up the security policy on the zywall usg 86
- Default p12 87
- Note each zywall usg device has its own self signed certificate by factory default when you reset to default configuration file the original self signed certificate is erased and a new self signed certificate will be created when the zywall usg boots the next time 89
- Test the result 90
- What could go wrong 90
- How to block https websites using content filtering and ssl inspection 91
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 91
- Set up the content filter on the zywall usg 91
- Set up ssl inspection on the zywall usg 92
- Export certificate from zywall usg and import it to windows 7 operation system 93
- Set up the security policy on the zywall usg 93
- Default p12 94
- Note each zywall usg device has its own self signed certificate by factory default when you reset to default configuration file the original self signed certificate is erased and a new self signed certificate will be created when the zywall usg boots the next time 96
- Test the result 97
- What could go wrong 97
- How to block the spotify music streaming service 98
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 98
- Set up idp profile on the zywall usg 98
- Test the result 99
- How to test the eicar anti virus test file 100
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 100
- What could go wrong 100
- Set up the anti virus profile on the zywall usg 101
- Set up the security policy on the zywall usg 101
- Test the result 102
- What could go wrong 102
- How to block downloading of doc pdf xls and zip files 103
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 103
- Set up the anti virus profile on the zywall usg 104
- Set up the security policy on the zywall usg 105
- Test the result 106
- How to configure an anti spam policy with mail scan and dnsbl 107
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 107
- What could go wrong 107
- Set up the anti spam profile on the zywall usg 108
- Set up the security policy on the zywall usg 110
- Test the result 111
- What could go wrong 112
- Create site to site vpn tunnels 113
- How to configure site to site ipsec vpn where the peer has a static ip address 113
- Set up the zywall usg ipsec vpn tunnel of corporate network hq 113
- Set up the zywall usg ipsec vpn tunnel of corporate network branch 116
- Test the ipsec vpn tunnel 118
- What could go wrong 119
- How to configure site to site ipsec vpn where the peer has a dynamic ip address 120
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 120
- Set up the zywall usg ipsec vpn tunnel of corporate network hq 120
- Set up the zywall usg ipsec vpn tunnel of corporate network branch has a dynamic ip address 123
- Test the ipsec vpn tunnel 125
- What could go wrong 126
- How to configure site to site ipsec vpn with fortigate 127
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 and fortigate 100d firmware version forti os 5 127
- Set up the ipsec vpn tunnel on the zywall usg 127
- Set up the ipsec vpn tunnel on the fortigate 130
- Test the ipsec vpn tunnel 132
- What could go wrong 133
- How to configure site to site ipsec vpn with cisco 134
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 and isa500 firmware version 1 134
- Set up the ipsec vpn tunnel on the zywall usg 134
- Set up the ipsec vpn tunnel on the cisco 139
- Test the ipsec vpn tunnel 142
- How to configure site to site ipsec vpn with watchguard 144
- What could go wrong 144
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 and watchguard xtm 515 firmware version 11 0 145
- Set up the ipsec vpn tunnel on the zywall usg 145
- Set up the ipsec vpn tunnel on the watchguard 148
- Test the ipsec vpn tunnel 152
- What could go wrong 153
- How to configure site to site ipsec vpn with a sonicwall router 154
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 and nsa240 firmware version sonicos enhanced 5 31o 154
- Set up the ipsec vpn tunnel on the zywall usg 154
- Note the phase 1 and phase 2 settings established here must match the phase 1 and phase 2 settings configured later in the sonicwall 158
- Set up the ipsec vpn tunnel on the sonicwall 160
- Test the ipsec vpn tunnel 162
- What could go wrong 164
- How to configure site to site ipsec vpn with microsoft ms azure 165
- Note 1 all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg40 firmware version zld 4 3 and ms azure april 2016 165
- Set up the ipsec vpn tunnel on the zywall usg 165
- Note for more information about the ipsec parameters supported in ms azure see the microsoft azure documentation about vpn devices for site to site vpn gateway connections 167
- Note for more information about the ipsec parameters supported in ms azure see the microsoft azure documentation about vpn devices for site to site vpn gateway connections 168
- Set up the ipsec vpn tunnel on the ms azure 171
- Create public ip address 174
- Test the ipsec vpn tunnel 177
- What could go wrong 178
- How to set up hub and spoke ipsec vpn 179
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 179
- Hub_hq to branch_a 180
- Set up the ipsec vpn tunnel on the zywall usg by using vpn concentrator 180
- Hub_hq to branch_b 182
- Hub_hq concentrator 184
- Spoke_branch_a 184
- Spoke_branch_b 188
- Test the ipsec vpn tunnel 191
- What could go wrong 193
- Hub_hq to branch_a 194
- Set up the ipsec vpn tunnel of zywall usg without using vpn concentrator 194
- Hub_hq to branch_b 196
- Spoke_branch_a 198
- Spoke_branch_b 200
- Test the ipsec vpn tunnel 202
- What could go wrong 204
- How to use dual wan to perform fail over on vpn using the vpn concentrator 205
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 205
- Hub_hq to branch_a 206
- Set up the ipsec vpn tunnel on the zywall usg 206
- Hub_hq to branch_b 208
- Hub_hq concentrator 210
- Spoke_branch_a 211
- Spoke_branch_b 214
- Test the ipsec vpn tunnel 217
- What could go wrong 219
- Create client to site vpn tunnels 220
- How to configure ipsec vpn with zywall ipsec vpn client 220
- Set up the zywall usg ipsec vpn tunnel 221
- Set up the zywall ipsec vpn client 223
- Test the ipsec vpn tunnel 225
- What could go wrong 226
- How to configure l2tp vpn with android 5 mobile devices 228
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version 4 3 and android version firmware version 5 228
- Set up the l2tp vpn tunnel on the zywall usg 228
- Set up the l2tp vpn tunnel on the android device 232
- Test the l2tp vpn tunnel 234
- What could go wrong 235
- How to configure l2tp vpn with ios 8 mobile devices 236
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version 4 3 and ios firmware version 8 236
- Set up the l2tp vpn tunnel on the zywall usg 236
- Set up the l2tp vpn tunnel on the ios device 241
- Test the l2tp vpn tunnel 242
- What could go wrong 243
- How to import zywall usg certificate for l2tp over ipsec in windows 10 244
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version 4 3 and windows 10 pro version 10 0240 244
- Set up the l2tp vpn tunnel on the zywall usg 245
- Export a certificate from zywall usg and import it to windows 10 operating system 248
- Default p12 249
- Note each zywall usg device has its own self signed certificate by factory default when you reset to default configuration file the original self signed certificate is erased and a new self signed certificate will be created when the zywall usg boots the next time 251
- Set up the l2tp vpn tunnel on the windows 10 252
- Test the l2tp over ipsec vpn tunnel 254
- What could go wrong 255
- How to configure the l2tp vpn with apple mac os x 10 1 operating system 257
- Set up the l2tp vpn tunnel on the zywall usg 257
- Click the button at the bottom left of the connections to add a new connection 261
- Set up the l2tp vpn tunnel on the apple mac os x 10 1 el capitan operating system 261
- Test the l2tp vpn tunnel 263
- What could go wrong 264
- How to deploy ssl vpn with apple mac os x 10 0 operating system 265
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg110 firmware version zld 4 3 and apple mac version os x10 0 yosemite 265
- Set up the ssl vpn tunnel on the zywall usg 266
- Set up the ssl vpn tunnel on the apple mac os x 10 0 operating system 269
- Test the ssl vpn tunnel 271
- What could go wrong 273
- How to deploy ssl vpn with windows 10 operating system 274
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using zywall110 firmware version zld 4 3 and windows 10 pro version 10 0240 274
- Set up the ssl vpn tunnel on the zywall usg 274
- Set up the ssl vpn tunnel on the windows 10 operating system 277
- Test the ssl vpn tunnel 280
- What could go wrong 281
- How to configure ssl vpn for remote access mobile devices 282
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg1900 firmware version zld 4 3 282
- Set up the ssl vpn tunnel on the zywall usg 282
- Test the ssl vpn tunnel 284
- What could go wrong 286
- Configure ipv6 287
- Enable the ipv6 on the zywall usg 287
- How to set up ipv6 interfaces for pure ipv6 routing 287
- Note your isp or uplink router should enable router advertisement 288
- Set up the wan ipv6 interface on the zywall usg 288
- Set up the lan ipv6 interface on the zywall usg 289
- Test the result 289
- What could go wrong 290
- How to set up an ipv6 6to4 tunnel 291
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 291
- Set up the lan ipv6 interface on the zywall usg 291
- Set up the 6to4 tunnel on the zywall usg 293
- Test the result 293
- What could go wrong 294
- How to set up an ipv6 in ipv4 tunnel 295
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 295
- Set up the lan ipv6 interface on the zywall usg 295
- Set up the 6to4 tunnel on the zywall usg 297
- Set up the policy route on the zywall usg 298
- Test the result 298
- What could go wrong 299
- How to configure bandwidth management for ftp and http traffic 300
- Manage your network traffic 300
- Note in bandwidth management the highest priority is 1 and the lowest priority is 7 301
- Note in bandwidth management the highest priority is 1 the lowest priority is 7 302
- Set up the bandwidth management for http on the zywall usg 302
- Set up the bandwidth management global setting on the zywall usg 303
- Test the result 303
- How to limit bittorrent or other peer to peer traffic 304
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks the total available bandwidth assumption is 1 600 kbps this example was tested using usg310 firmware version zld 4 3 304
- Set up the application patrol profile on the zywall usg 304
- What could go wrong 304
- Note in bandwidth management the highest priority is 1 the lowest priority is 7 306
- Set up the bandwidth management for bittorrent on the zywall usg 306
- Set up the bandwidth management global setting on the zywall usg 307
- Test the result 307
- What could go wrong 307
- How to configure a trunk for wan load balancing with a static or dynamic ip address 308
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 308
- Set up the available bandwidth on wan1 interfaces on the zywall usg 309
- Set up the available bandwidth on wan2 interfaces on the zywall usg 310
- Set up the wan trunk on the zywall usg 310
- Test the result 311
- How to configure dns inbound load balancing to balance dns queries among interfaces 312
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 312
- What could go wrong 312
- Set up the nat rule on the zywall usg 314
- Test the result 314
- How to manage voice traffic 315
- Note all network ip addresses and subnet masks are used as examples in this article please replace them with your actual network ip addresses and subnet masks this example was tested using usg310 firmware version zld 4 3 315
- What could go wrong 315
- Note if you are using a custom or additional udp port number not 5060 for sip traffic use the add icon to add sip signaling port numbers 316
- Set up the bandwidth management for sip on the zywall usg 316
- Set up the sip alg on the zywall usg 316
- Note in bandwidth shaping the highest priority is 1 the lowest priority is 7 317
- Set up the bandwidth management for p2p on the zywall usg 317
- Note in bandwidth shaping the highest priority is 1 the lowest priority is 7 318
- Set up the bandwidth management for ftp on the zywall usg 318
- Test the result 319
- What could go wrong 319
- How to manage zywall usg configuration files 320
- Maintain your device 320
- Download the configuration files on the zywall usg 321
- Rename the configuration files from the zywall usg 321
- Apply the configuration files on the zywall usg 322
- Copy the configuration files on the zywall usg 322
- Note do not shut down the zywall usg while the configuration file is being applied 323
- Upload the configuration files from the zywall usg 323
- What could go wrong 323
- Download the current firmware version from zyxel com 324
- How to manage zywall usg firmware 324
- Note the firmware update can take up to five minutes do not turn off or reset the zywall usg while the firmware update is in progress this example was using usg110 firmware version zld 4 5 324
- Upload the firmware on the zywall usg 325
- What could go wrong 327
Похожие устройства
- Zyxel USG 60 Справочник командного интерфейса
- HP 255, j0y55ea Инструкция по эксплуатации
- HP 255, j4r77ea Инструкция по эксплуатации
- Zyxel USG 60W Инструкция по эксплуатации
- HP 255, k3x25ea Инструкция по эксплуатации
- HP 255, k3x39ea Инструкция по эксплуатации
- HP 255, k7h91es Инструкция по эксплуатации
- HP 255, k7j33es Инструкция по эксплуатации
- Zyxel USG 60W Рекомендации по настройке
- Zyxel USG 60W Справочник командного интерфейса
- Zyxel USG 60W Технические характеристики
- HP pavilion x2 10-k002nr 32gb + клавиатура Инструкция по эксплуатации
- HP 250, j4t82es Инструкция по эксплуатации
- HP 250, k9l19es Инструкция по эксплуатации
- HP pavilion 17-f160nr, k7a10ea Инструкция по эксплуатации
- HP 250, j0x69ea Инструкция по эксплуатации
- HP 250, j4t60ea Инструкция по эксплуатации
- HP 250, g6v86ea Инструкция по эксплуатации
- HP probook 350, f7y63ea Инструкция по эксплуатации
- HP probook 350, f7y64ea Инструкция по эксплуатации