IPSec - Difference between USG Flex200 and 500

Options
nubira
nubira Posts: 14
First Anniversary Friend Collector First Comment
Hello Zyxel!

I tested a USG Flex200 firewall a couple of months ago. I was able to set up Site to Site IPSec VPN.
I am now working with a USG Felx500 firewall, I use the same settings as before but the VPN connection is not working. I see the following entries in the log:

[SA]: No proposal chosen [count = 11]
[SA]: Tunnel [ipsec_tun] Phase 2 proposal mismatch [count = 11]
The cookie pair is: 0x17f1b7f811048b03 / 0x4d5b3b5ddc4e9173 [count = 33]
Send: [HASH] [NOTIFY: NO_PROPOSAL_CHOSEN] [count = 9]

In phase 2, under the Proposal option, I only use the 3DES-MD5 setting. I have used this successfully before for the USG Flex200 firewall (the configuration of the remote site has not changed).

Can there be a difference between the USG Felx200 and 500? Maybe 3DES-MD5 algorithms are handled differently?

Thanks!


All Replies

  • PeterUK
    PeterUK Posts: 2,728  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited April 2021
    Options
    Try with both ends with phase 1 and 2 at AES128 SHA1
  • mMontana
    mMontana Posts: 1,302  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Also, 3DES-MD5 is quite... unsecure....
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    Friend Collector First Answer First Comment
    Options

    Hi @nubira,

     

    Can you check the Proposals and Key groups are same for the both site in Phase 1?

    Can you check the Proposals and Perfect Forward Secrecy are the same for the both site in Phase 2?

    If that doesn’t solve your problem, can you provide me remote access to USG FLEX200 and USG FLEX500 by private message?


  • nubira
    nubira Posts: 14
    First Anniversary Friend Collector First Comment
    Options
    Dear Community,

    I went back to the USG FELX200. The same configuration as on the 500, connects to the remote firewall without an error message in logs (I know 3des-md5 is not secure, but it is supported by the remote site).
    But the traffic is not working:

    As you can see, inbound traffic is zero. What could be the reason for this?

    1. Security Policiy?
    The relevant security policies look like this:


    2. Routing?
    I didn't add a route manually. It would be necessary?

    I still don’t understand it all because this configuration was still working in January (when I tested the Zyxel products). I just bought them and we can’t work with them.

    Thanks
  • nubira
    nubira Posts: 14
    First Anniversary Friend Collector First Comment
    Options
    Hello,

    I found the solution. New security rules were needed:


    When I set it up, the traffic started in the tunnel. Interestingly, there was no need for this in January.

    The point is, it works  :)

    Thanks

Security Highlight