VPN100 : SSL VPN connection with Secuextender makes me crazy

LDC
LDC Posts: 3
edited April 2021 in Security
Hi guys !
I have used many Zywall firewalls for a few years for my customers. Most of them are USG series, but one of my customers had a VPN100 model. I need to set up an SSL VPN with this one, so I thought "OK, no problem, I've done this many times with Zywall firewalls", but no luck this time...

I set up the SSL VPN in the "configuration/SSL VPN" menu, I named it, I created a "SSL_SUBNET", and a new user allowed to access the SSL VPN.
I added "https" in the "Default_Allow_WAN_To_Zywall" service, and I added the name of the SSL VPN I just created in the "SSL_VPN" zone (weird that it was not automatically added; I don't remember having to modify this on my other Zywall stuff).

On my computer I use Zywall Secuextender 4.0.3.0. It works well with all the SSL VPNs I need to access, but not this time: I type the IP address, the login and password I created for the SSL VPN user and click "connect". I have to confirm "connection untrusted", it seems to do nothing for a few seconds, then I come back to the screen with my login information...

time + 0s : User *me* from http/https has logged in SSLVPN
time + 2s : User *me* from http/https is connecting SSL tunnel.
time + 12s : *me* has logged out SSLVPN.
time + 12s : *me* from http/https has logged out SSLVPN

On my computer, the SecuExtenderHelper.log said:

[ 2021/03/05 11:30:10 ][SecuExtender Helper] Request(102): REMOVE 1426172096/449122128 9 4294967295 4294967295
[ 2021/03/05 11:30:10 ][SecuExtender Helper] Remove Routing
[ 2021/03/05 11:30:10 ][SecuExtender Helper] Remove prioritize routing
[ 2021/03/05 11:30:10 ][SecuExtender Helper] Get netsh path = powershell
[ 2021/03/05 11:30:10 ][SecuExtender Helper] ia is null
[ 2021/03/05 11:30:10 ][SecuExtender Helper] Failed to read from client(2): 109, 0
[ 2021/03/05 11:30:10 ][SecuExtender Helper] Start to Disconnect pipe...
[ 2021/03/05 11:30:10 ][SecuExtender Helper] Shutting down a pipe connection instance...
[ 2021/03/05 11:30:10 ][SecuExtender Helper] ==============================

I checked and rechecked my setup, I created another user, I tried on 2 computers, I updated to the latest firmware (V4.62(ABFV.0) - 2021-01-19 11:00:33), but no luck.

Do you have any guess about my problem?

Thanks!

Comments

  • dpipro
    dpipro Posts: 64  ZCNE Certified
    edited March 2021
  • LDC
    LDC Posts: 3
    Thanks for the idea, I just tried, but the problem's still the same :-(
  • jasailafan
    jasailafan Posts: 191  Master Member
    What is the "Assign IP Pool" for SSL VPN clients?
    The SSL_Pool cannot conflict with any existing subnet LAN/DMZ even if they are not in use. 
    Besides, the default network extension local IP for SSL VPN is 192.168.200.1. SSL_Pool cannot be the same subnet as 192.168.200.1.  
  • LDC
    LDC Posts: 3
    Are you sure of that? I set up many SSL VPNs on Zywall firewalls, and it seems that if I create a "192.168.XXX.0/24" subnet for the SSL pool and I assign it to the SSL VPN, the network extension local IP changes itself to "192.168.XXX.1"?
  • jasailafan
    jasailafan Posts: 191  Master Member
    VPN100 uses default configuration.
    lan1- 192.168.1.1
    lan2- 192.168.2.1
    dmz- 192.168.3.1

    ssl vpn setting
    Assign ip pool- 192.168.60.0/24
    default network extension local ip- 192.168.200.1



    secuextender 4.0.4.0 
    ssl vpn is connected successfully!
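
The addressing rule from jasailafan's replies (the SSL VPN pool must not overlap any LAN/DMZ subnet or the network extension subnet) can be checked before applying a configuration. This is an added example, not part of the thread or of any Zyxel tool; the interface IPs are the ones quoted above, while the /24 prefix lengths and the function name `pool_conflicts` are assumptions.

```python
import ipaddress

# Interface addresses quoted in the thread for a VPN100 on default configuration.
# Assumption: each interface uses a /24 mask (the thread gives only the IPs).
INTERFACES = {
    "lan1": "192.168.1.1/24",
    "lan2": "192.168.2.1/24",
    "dmz": "192.168.3.1/24",
}
# Default network extension local IP from the thread; /24 is assumed here too.
NETWORK_EXTENSION = "192.168.200.1/24"


def pool_conflicts(pool, interfaces=INTERFACES, net_ext=NETWORK_EXTENSION):
    """Return (name, network) pairs that the proposed SSL VPN pool overlaps.

    An empty list means the pool is clear of every reserved subnet.
    """
    # strict=False normalizes input such as 192.168.60.1/24 to its network.
    pool_net = ipaddress.ip_network(pool, strict=False)
    reserved = dict(interfaces, network_extension=net_ext)
    hits = []
    for name, cidr in reserved.items():
        # ip_interface accepts host-address/prefix and exposes the network.
        net = ipaddress.ip_interface(cidr).network
        # overlaps() also catches pools that are wider or narrower than
        # the reserved subnet, not only exact matches.
        if pool_net.overlaps(net):
            hits.append((name, str(net)))
    return hits


if __name__ == "__main__":
    # Constructed sample pools: the working one from the thread, then
    # three that violate the rule in different ways.
    for candidate in ("192.168.60.0/24", "192.168.200.0/24",
                      "192.168.2.128/25", "192.168.0.0/16"):
        found = pool_conflicts(candidate)
        print(f"{candidate:<18} {'OK' if not found else 'CONFLICT ' + str(found)}")
```
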
