Filter
Top Products
Chapter 56 Troubleshooting
ZyWALL USG 1000 User’s Guide
878
• The ZyWALL and remote IPSec router must use the same active protocol.
• The ZyWALL and remote IPSec router must use the same encapsulation.
• The ZyWALL and remote IPSec router must use the same SPI.
• If the sites are/were previously connected using a leased line or ISDN router,
physically disconnect these devices from the network before testing your new
VPN connection. The old route may have been learnt by RIP and would take
priority over the new VPN connection.
• To test whether or not a tunnel is working, ping from a computer at one site to a
computer at the other.
Before doing so, ensure that both computers have Internet access (via the
IPSec routers).
• It is also helpful to have a way to look at the packets that are being sent and
received by the ZyWALL and remote IPSec router (for example, by using a
packet sniffer).
Check the configuration for the following ZyWALL features.
• The ZyWALL does not put IPSec SAs in the routing table. You must create a
policy route for each VPN tunnel. See Chapter 15 on page 347.
• Make sure the To-ZyWALL firewall rules allow IPSec VPN traffic to the ZyWALL.
IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
• The ZyWALL supports UDP port 500 and UDP port 4500 for NAT traversal. If you
enable this, make sure the To-ZyWALL firewall rules allow UDP port 4500 too.
• Make sure regular firewall rules allow traffic between the VPN tunnel and the
rest of the network. Regular firewall rules check packets the ZyWALL sends
before the ZyWALL encrypts them and check packets the ZyWALL receives after
the ZyWALL decrypts them. This depends on the zone to which you assign the
VPN tunnel and the zone from which and to which traffic may be routed.
• If you set up a VPN tunnel across the Internet, make sure your ISP supports AH
or ESP (whichever you are using).
• If you have the ZyWALL and remote IPSec router use certificates to authenticate
each other, You must set up the certificates for the ZyWALL and remote IPSec
router first and make sure they trust each other’s certificates. If the ZyWALL’s
certificate is self-signed, import it into the remote IPsec router. If it is signed by
a CA, make sure the remote IPsec router trusts that CA. The ZyWALL uses one
of its Trusted Certificates to authenticate the remote IPSec router’s
certificate. The trusted certificate can be the remote IPSec router’s self-signed
certificate or that of a trusted CA that signed the remote IPSec router’s
certificate.
• Multiple SAs connecting through a secure gateway must have the same
negotiation mode.
I cannot set up an L2TP VPN tunnel.