Zyxel USG
  • 29 Apr 2024
  • 2 Minutes to read
  • Contributors

    Zyxel USG


      Article summary

      Introduction

      This guide will walk you through the process of setting up a Site-to-Site VPN tunnel between your Harmony SASE network and your ZyXEL USG environment.

      Breakdown of topics

      1. Pre-requisites
      2. Configuration Steps
      3. Verifying the Setup
      4. Troubleshooting
      5. Support Contacts

      Pre-requisites

      To successfully follow this guide, ensure that:

      1. Possess an active Harmony SASE account and network.
      2. Have the Harmony SASE application installed on your devices.
      3. Maintain an active ZyXEL USG account with the necessary administrative permissions.

      Configuration Steps

      1. Go to the Gateway in your network from which you want to create the tunnel to the Zyxel Firewall.
      2. Select the three-dotted menu (...) and select Add Tunnel
      3. Select IPSec Site-2-Site Tunnel and select Continue.
      4. Select Single Tunnel, and Click Continue.
      5. Under General Settings, enter the following:
        • Name - Set the name for the Tunnel.
        • Shared Secret - Put a shared secret or select Generate.
        • Public IP and Remote ID - Input your Zyxel Firewall Public WAN IP address.
        • In Harmony SASE Gateway Proposal Subnets Choose your Harmony SASE Network Subnet (By default: 10.255.0.0/16, in this screenshot: 10.254.0.0/16).
        • In Remote Gateway Proposal Subnets, input your internal LAN subnet.
        • At the Advanced Settings section complete the following information:
          • IKE: IKE Version 2
            IKE Version
            Only select IKEv2 if your Firewall version supports it. Otherwise, select IKEv1.
          • IKE Lifetime: 8h
          • Tunnel Lifetime: 1h
          • Dead Peer Detection Delay: 10s
          • Dead Peer Detection Timeout: 30s
          • Encryption (Phase 1): aes256
          • Encryption (Phase 2): aes256
          • Integrity (Phase 1): sha256
          • Integrity (Phase 2): sha256
          • Diffie Hellman Groups (Phase 1): 14
          • Diffie Hellman Groups (Phase 2): 14
      6. Select Add Tunnel.

      Configuring in the Zyxel USG Interface

      1. Go to the ZyXel USG interface and add a VPN Gateway. (Configuration > VPN > IPSec VPN > VPN Gateway > Add).360010234799image-4.png
      2. Enter the name of the VPN Gateway (Harmony SASE for example).
      3. Choose the outgoing interface in “My Address” (i.e. WAN1 or your WAN Interface).
      4. Configure the Peer Gateway Address according to the gateway IP inside Harmony SASE.
      5. Enter the preshared key you generated on Harmony SASE.
      6. Set Phase 1 proposals as you set up on Harmony SASE (for example, AES256 as encryption, SHA256 as authentication, and DH14 as a key group).
        360010234819image-6.png
        • SA Tunnel lifetime = IKE Lifetime on P81.
      7. Add a VPN tunnel (Configuration > VPN > IPSec VPN > VPN Connection > Add).
      8. Enable and name the rule.
      9. Select Site-to-Site and select the created VPN gateway.
      10. Set the local policy to your LAN subnet and the remote policy to your P81 subnet
        • NOTE: Eventually, you need to create an address object for the remote network.
      11. Select Create new Object and choose IPv4 Address.
        • NOTE: Please check first if the IP address of the remote subnet does not already exist on the local subnet to avoid a double IP address configuration. When the remote subnet is similar to one local subnet you will only be able to reach the local network.
      12. Select Show Advanced Settings and make sure that the Phase 2 settings are the same as the Phase 1 settings (i.e. AES256, SHA256).

        Verifying the Setup

        After following the above steps, your tunnel should be active.
        To verify, go to your Harmony SASE dashboard, locate the tunnel you just created, and check the tunnel status.
        It should indicate that the tunnel is "Up", signifying a successful connection.
        Next, connect to your network using the Harmony SASE agent and attempt to access one of the resources in your environment.

        Troubleshooting

        If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

        Support Contacts

        If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success


      Was this article helpful?

      What's Next