I would like to connect 2 VPN50 to 1 VPN100 using a site-to-site connection.
VPN50_100_User
Posts: 4
in Security
Hello everyone,
I have a question about the Site-To-Site VPN connection with multiple Zyxel Zywalls.
I would like to connect 2 VPN50 to 1 VPN100 using a site-to-site connection.
Can someone show me a configuration example. My problem is that 1 VPN 50 works fine with the VPN100, but with the second VPN50 I always get a dial time out error.
Thank you very much in advance for your help.
0
Accepted Solution
-
1
Guru Member
All Replies
-
1 gateway and 1 tunnel for every VPN50 on VPN100.Also, on VPN50 tunnel should be nailed up, on VPN100 not.Do not overlap subnets among sites. Or manage it correctly (NAT)0
-
@VPN50_100_UserIf you want two VPN50 connect to VPN100, you need to create two VPN profiles on VPN100 for this scenario.Also, you can set different Proposal or Pre-shared key to avoid rule mismatch.Be aware that just mMontana mentioned do not overlap subnets among sites.If the VPN still down, you can go to Monitor>Log> Select IKE on category field to understand which phase failed.0
-
Thank you kindly for the answers.I'm afraid there might be an address problem. I used the following addresses:VPN100 - VPN Connection 1: Local Policy: LAN1_SUBNET INTERFACE SUBNET, 10.168.0.0/19Remote Policy: VPN50-1 SUBNET, 10.168.166.0/24VPN100 - VPN Connection 2: Local Policy: LAN1_SUBNET INTERFACE SUBNET, 10.168.0.0/19Remote Policy: VPN50-2 SUBNET, 10.168.133.0/24VPN50-1 - VPN Connection: Local Policy: LAN1_SUBNET INTERFACE SUBNET, 10.168.166.0/24Remote Policy: VPN100 SUBNET, 10.168.0.0/19VPN50-2 - VPN Connection: LAN1_SUBNET INTERFACE SUBNET, 10.168.133.0/24Remote Policy: VPN100 SUBNET, 10.168.0.0/19Is the addressing given above correct?The LOG entries from the VPN100 are:IKE - The cookie pair is : 0x45a07b4db5077d02 / 0xf1814d0662645e68IKE - [info] Send:IKE - The cookie pair is : 0xf1814d0662645e68 / 0x45a07b4db5077d02IKE - [info] Recv:Security Policy Control - Match default rule, DROP
somebody knows what i'm doing wrong?0 -
These LOG entries are repeated a few times and then there are the following entries:IKE - [INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID]IKE - [AUTH] Recv:[IDi][CERTREQ][AUTH][SA][TSi][TSr][NOTIFY][NOTIFY][NOTIFY][NOTIFY]IKE - [ID] : Tunnel [IKEv2_Tunnel_Site_to_Site_IHL] Phase 2 Remote policy mismatchIKE - [SA] : No proposal chosenIKE - IPsec SA negotiation failed0
-
1
-
Thank you very much for your help.The link was very helpful. I had a typo in the dns entry in the VPN100. Now everything works fine.Thanks again for your help0
-
Thanks for the helpful post ... Please share this post on ( https://gbplusmod.com/ ) ..Here a lot of people are askimg me the same...-1
-
If your carrier allows it, you can view your APN settings in one of the following locations: Settings > Cellular > Cellular Data Options > Cellular Network. Settings > Mobile Data > Mobile Data Options > Mobile Data Network-1
Zyxel Employee
Categories
- All Categories
- 431 Beta Program
- 2.6K Nebula
- 164 Nebula Ideas
- 112 Nebula Status and Incidents
- 6K Security
- 364 USG FLEX H Series
- 292 Security Ideas
- 1.5K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 42 Wireless Ideas
- 6.6K Consumer Product
- 262 Service & License
- 407 News and Release
- 87 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.9K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 83 Security Highlight
