Configuring a Site-to-Site IPSec Tunnel to Zyxel USG

Configuring a Site-to-Site IPSec Tunnel to Zyxel USG 

In order to establish a Site-To-Site IPSec VPN connection between Zyxel USG and Perimeter 81 network, please follow the steps below:

Configure an IPSec Tunnel at the Perimeter 81 Management Portal

1. Go to the Gateway in your network from which you want to create the tunnel to Zyxel USG.

2. Select the three-dotted menu (...) and select Add Tunnel.

3. Select IPSec Site-2-Site Tunnel and select Continue.

General Settings

Enter the General settings:

Name: Set the name for the Tunnel.

Shared Secret: Enter the same Shared secret you set in Zyxel USG.

Public IP and Remote ID: Enter the Zyxel USG VPN Gateway Public IP address.

In Perimeter 81 Gateway Proposal Subnets, select Any or Specific Subnet.

In Remote Gateway Proposal Subnets enter the Zyxel USG subnet/s.

Advanced Settings

1. Enter the Advanced settings:

  • IKE Version - V1

  • IKE Lifetime - 8h

  • Tunnel Lifetime - 1h

  • Dead Peer Detection Delay - 10s

  • Dead Peer Detection Timeout - 30s

  • Encryption (Phase 1) - aes256

  • Encryption (Phase 2) - aes256
  • Integrity (Phase 1) - sha1
  • Integrity (Phase 2) - sha1
  • Deffie-Hellman Groups (Phase 1) - 2
  • Deffie-Hellman Groups (Phase 1) - 2

2. Select Add Tunnel.

Configure at the Zyxel USG Interface

 1. Go to the ZyXel USG interface and add a VPN Gateway. (Configuration > VPN > IPSec VPN > VPN Gateway > Add)

2. Enter the name of the VPN Gateway (Perimeter 81 for example).

3. Choose the outgoing interface in “My Address” (i.e. WAN1 or your WAN Interface).

4. Configure the Peer Gateway Address according to the gateway IP inside Perimeter 81.


5. Enter the preshared key you generated on Perimeter 81.

6. Set Phase 1 proposals as you set up on Perimeter 81 (for example, AES256 as encryption, SHA256 as authentication and DH14 as a key group).

SA Tunnel lifetime = IKE Lifetime on P81.

7. Add a VPN tunnel (Configuration > VPN > IPSec VPN > VPN Connection > Add).

8. Enable and name the rule.

9. Select Site-to-Site and select the created VPN gateway.

10. Set the local policy to your LAN subnet and remote policy to your P81 subnet.


NOTE: Eventually, you need to create an address object for the remote network.

11. Select Create new Object and choose IPv4 Address.

NOTE: Please check first if the IP address of the remote subnet does not already exist on the local subnet to avoid double IP address configuration. When the remote subnet is similar to one local subnet you will only be able to reach the local network.

12. Select Show Advanced Settings and make sure that the Phase 2 settings are the same as the Phase 1 settings (i.e. AES256, SHA256).




0 out of 0 found this helpful



Please sign in to leave a comment.