Setting up site-to-site on Zyxel USG


Note: If you are unsure whether site-to-site is the best solution for you, please take a look at our Remote Access article first. Also, if your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

 

Configuring at the Zyxel USG Interface

1. Go to the ZyXel USG interface and add a VPN Gateway. (Configuration > VPN > IPSec VPN > VPN Gateway > Add)

[Screenshot: Configuring at the Zyxel USG Interface (1)]

2. Enter the name of the VPN Gateway (NordLayer for example)

3. Choose the outgoing interface in “My Address” (i.e. WAN1 or your WAN Interface)

4. Configure the Peer Gateway Address according to the gateway IP of your NordLayer dedicated server

[Screenshot: Configuring at the Zyxel USG Interface (2)]

5. Enter the pre-shared key you have generated (we will also need this value on our end)

6. Set Phase 1 proposals (AES256 as encryption, SHA256 as authentication, and DH14 as a key group)

[Screenshot: Configuring at the Zyxel USG Interface (3)]

The SA Tunnel lifetime set here must match the IKE Lifetime configured on the NordLayer side.

7. Add a VPN tunnel (Configuration > VPN > IPSec VPN > VPN Connection > Add)

8. Enable and name the rule

9. Select Site-to-Site and select the created VPN gateway

10. Set the local policy to your LAN subnet and remote policy to your P81 subnet

[Screenshot: Configuring at the Zyxel USG Interface (4)]

NOTE: You may need to create an address object for the remote network first.

11. Select Create new Object and choose IPv4 Address

NOTE: Check first that the remote subnet does not overlap with any of your local subnets, to avoid a conflicting IP address configuration. If the remote subnet overlaps with a local subnet, you will only be able to reach the local network.

12. Select Show Advanced Settings and make sure that the Phase 2 settings are the same as the Phase 1 settings (i.e. AES256, SHA256)
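Steps 5, 6, 11 and 12 all come down to a handful of values that are easy to get wrong in the GUI: a weak or reused pre-shared key, Phase 2 proposals that do not mirror Phase 1, a remote subnet that overlaps a local one, and an SA lifetime that differs from the NordLayer IKE lifetime. The following pre-flight check is an added example and is not code from Zyxel or NordLayer; it only models the parameters in Python and never talks to the USG. The names (`Proposal`, `check_proposals`, `overlapping_subnets`, `check_site_to_site`, `generate_psk`) and the sample subnets and lifetimes are this example's own assumptions.

```python
"""Pre-flight checks for the values entered in the Zyxel USG site-to-site steps.

Added example: models the parameters from the steps above so they can be
validated before they are typed into the USG GUI. It does not configure the
device; all function and class names are this example's own.
"""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The settings the article recommends for Phase 1 (AES256, SHA256, DH group 14).
RECOMMENDED_ENCRYPTION = "AES256"
RECOMMENDED_AUTHENTICATION = "SHA256"
RECOMMENDED_DH_GROUP = 14


@dataclass(frozen=True)
class Proposal:
    """One IKE (Phase 1) or IPsec (Phase 2) proposal as entered in the USG.

    dh_group is the Phase 1 key group; for Phase 2 it is the optional PFS group.
    """
    encryption: str
    authentication: str
    dh_group: Optional[int] = None


def generate_psk(nbytes: int = 32) -> str:
    """Step 5: generate a pre-shared key from the OS CSPRNG (32 bytes -> 64 hex chars)."""
    return secrets.token_hex(nbytes)


def check_proposals(phase1: Proposal, phase2: Proposal) -> List[str]:
    """Steps 6 and 12: Phase 2 must mirror Phase 1, and Phase 1 should use the recommended settings."""
    findings: List[str] = []
    if phase1.encryption != phase2.encryption:
        findings.append(f"encryption mismatch: phase1={phase1.encryption}, phase2={phase2.encryption}")
    if phase1.authentication != phase2.authentication:
        findings.append(f"authentication mismatch: phase1={phase1.authentication}, phase2={phase2.authentication}")
    if phase1.encryption != RECOMMENDED_ENCRYPTION:
        findings.append(f"phase1 encryption {phase1.encryption} is not the recommended {RECOMMENDED_ENCRYPTION}")
    if phase1.authentication != RECOMMENDED_AUTHENTICATION:
        findings.append(f"phase1 authentication {phase1.authentication} is not the recommended {RECOMMENDED_AUTHENTICATION}")
    if phase1.dh_group != RECOMMENDED_DH_GROUP:
        findings.append(f"phase1 DH group {phase1.dh_group} is not the recommended group {RECOMMENDED_DH_GROUP}")
    return findings


def overlapping_subnets(local_subnets: Iterable[str], remote_subnet: str) -> List[str]:
    """Note after step 11: return every local subnet that overlaps the remote policy subnet."""
    remote = ipaddress.ip_network(remote_subnet, strict=False)
    local = (ipaddress.ip_network(s, strict=False) for s in local_subnets)
    return [str(net) for net in local if net.overlaps(remote)]


def check_site_to_site(phase1: Proposal, phase2: Proposal, local_subnets: Iterable[str],
                       remote_subnet: str, sa_lifetime: int, ike_lifetime: int) -> List[str]:
    """Run all checks; an empty list means the values are consistent with the article."""
    findings = check_proposals(phase1, phase2)
    for net in overlapping_subnets(local_subnets, remote_subnet):
        findings.append(f"remote subnet {remote_subnet} overlaps local subnet {net}; only the local network would be reachable")
    if sa_lifetime != ike_lifetime:  # USG SA Tunnel lifetime must equal the NordLayer IKE Lifetime
        findings.append(f"USG SA lifetime {sa_lifetime}s differs from NordLayer IKE lifetime {ike_lifetime}s")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    print("generated PSK:", generate_psk())
    problems = check_site_to_site(
        phase1=Proposal("AES256", "SHA1", 5),
        phase2=Proposal("AES256", "SHA256"),
        local_subnets=["192.168.1.0/24", "10.0.0.0/16"],
        remote_subnet="10.0.5.0/24",
        sa_lifetime=86400,
        ike_lifetime=28800,
    )
    for p in problems:
        print("-", p)
```

Run the script once with your own values before starting at step 1; every finding it prints corresponds to one of the notes above, and an empty result means the proposals, subnets and lifetimes line up with what NordLayer will expect on the other side.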

 

Ending note:

In order to finalize the site-to-site setup on our end, we will need these values:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (your device must also support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet used in your local network)

Lastly, it is important to know what device or cloud network is being used (Ubiquiti, Fortigate, AWS, Google Cloud, etc.).

You can provide all of these values to us securely via privnote.com

If you are experiencing different results, make sure that you have carefully gone through all the steps. If the issue persists, please feel free to contact our 24/7 customer support team.

