<div dir="ltr">Louis,<div><br></div><div>We have a variety of ZyXEL USG devices, from the 20W up to the 300, running client and site-to-site VPNs. The firmware is basically the same, and there are no differences in VPN capabilities. Could you post or send the most relevant portions of your USG configuration, obscuring the private details? For example, the following is one of our working configurations on a 20W:</div>
<div><br><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><pre>isakmp policy VPN_Client_Gateway
 activate
 local-ip interface wan1
 peer-ip 0.0.0.0 0.0.0.0
 authentication pre-share
 encrypted-keystring *********************
 local-id type ip ***.***.***.***
 peer-id type any
 fall-back-check-interval 300
 lifetime 86400
 mode main
 group2
 transform-set aes128-sha
 xauth type server default
!
crypto map VPN_Client_Connection
 adjust-mss auto
 activate
 netbios-broadcast
 ipsec-isakmp VPN_Client_Gateway
 scenario remote-access-server
 encapsulation tunnel
 transform-set esp-aes128-sha
 set security-association lifetime seconds 28800
 set pfs group2
 local-policy BRIDGE_BR1
 remote-policy any
 no conn-check activate</pre></blockquote>
</div><div><div><br></div><div class="gmail_extra">The settings for the Shrew client are easy to match, so I won't copy those for the time being. Please start by comparing what you have to these working settings.</div>
<div class="gmail_extra"><br clear="all"><div><div dir="ltr"><hr style="color:rgb(105,105,105)"><p style="color:rgb(105,105,105)"><b>David Liddle</b></p><p style="color:rgb(105,105,105)"><b>IT Support Specialist</b><br>Wycliffe Global Alliance - Europe Area</p>
<p style="color:rgb(105,105,105)"><a href="mailto:david_liddle@wycliffe.net" style="color:rgb(17,85,204)" target="_blank">david_liddle@wycliffe.net</a><br></p><p style="color:rgb(105,105,105)"><br></p></div></div><br><div class="gmail_quote">
On Thu, May 29, 2014 at 8:17 AM,  <span dir="ltr"><<a href="mailto:vpn-help-request@lists.shrew.net" target="_blank">vpn-help-request@lists.shrew.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br><br>---------- Forwarded message ----------<br>From: Louis Au <<a href="mailto:lau07@ymail.com">lau07@ymail.com</a>><br>To: "<a href="mailto:vpn-help@lists.shrew.net">vpn-help@lists.shrew.net</a>" <<a href="mailto:vpn-help@lists.shrew.net">vpn-help@lists.shrew.net</a>><br>
Cc: <br>Date: Wed, 14 May 2014 16:14:10 -0700 (PDT)<br>Subject: [vpn-help] VPN help with ZyXel USG20W<br><div><div style="color:rgb(0,0,0);font-family:HelveticaNeue,'Helvetica Neue',Helvetica,Arial,'Lucida Grande',sans-serif;font-size:10pt;background-color:rgb(255,255,255)">
<div>Hi,</div>
<div> </div>
<div>I am just wondering if anyone has any experience getting the Shrew VPN client working with a ZyXel USG20W.  I notice that there is another post for ZyXel USG already.  I had followed the instructions step by step very carefully; however, I get an error that said "Invalid message from gateway".  The only difference I can tell is that my ZyXel is model USG20W, but the one posted is USG300.  The screens look identical. So, it must be something specific about this USG20W.  I tried to use other VPN clients too, and I got the same error; it seems like ZyXel sends back some invalid command during the phase 2 authentication process.</div>

<div> </div>
<div>I have attached the screenshot from the ZyXel log file and the Shrew VPN client screen.  Any help is appreciated.</div>
<div> </div>
<div>Thanks,</div>
<div>Louis</div>
<div> </div>
<div><a href="mailto:lau07@ymail.com" target="_blank">lau07@ymail.com</a></div>
</div></div><br>
<br></blockquote></div><br></div></div></div>
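<p>One way to do the comparison David asks for while keeping private details out of the post, as an added example that is not part of the original thread: the sketch masks the key string, identity IP and object names, then lists settings that differ from an excerpt of the working 20W configuration. The candidate configuration, its names and its key are constructed for illustration.</p>

```python
import re

# Values that differ per site are masked before comparing or posting.
MASK = re.compile(r"^(encrypted-keystring|local-id type ip|ipsec-isakmp)\s+\S+")

# Excerpt of the working 20W configuration quoted in the message above.
REFERENCE = """\
isakmp policy VPN_Client_Gateway
 encrypted-keystring *********************
 mode main
!
crypto map VPN_Client_Connection
 ipsec-isakmp VPN_Client_Gateway
 set pfs group2
"""

# Constructed candidate, not Louis's real configuration; key and names are made up.
CANDIDATE = """\
isakmp policy Shrew_GW
 encrypted-keystring constructed-not-a-real-key
 mode aggressive
!
crypto map Shrew_Conn
 ipsec-isakmp Shrew_GW
"""

def parse(text):
    # Map stanza kind ("isakmp policy", "crypto map") to its masked settings.
    stanzas, kind = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # an unindented line opens a stanza
            kind = " ".join(line.split()[:2])
            stanzas[kind] = set()
        elif kind:
            stanzas[kind].add(MASK.sub(r"\1 ***", line))
    return stanzas

def compare(reference, candidate):
    # Sorted (stanza, "missing" | "extra", setting) differences vs. the reference.
    ref, cand = parse(reference), parse(candidate)
    diffs = []
    for kind in sorted(ref.keys() | cand.keys()):
        r, c = ref.get(kind, set()), cand.get(kind, set())
        diffs += [(kind, "missing", s) for s in sorted(r - c)]
        diffs += [(kind, "extra", s) for s in sorted(c - r)]
    return diffs
```

<p>Here "missing" means the reference has the setting and the candidate does not; a phase 1 mode mismatch or an absent PFS group on one side is the kind of difference this is meant to surface.</p>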