I would like to connect 2 VPN50 to 1 VPN100 using a site-to-site connection.

Hello everyone,

I have a question about the Site-To-Site VPN connection with multiple Zyxel Zywalls.

I would like to connect 2 VPN50 to 1 VPN100 using a site-to-site connection.

Can someone show me a configuration example? My problem is that 1 VPN50 works fine with the VPN100, but with the second VPN50 I always get a dial time out error.

Thank you very much in advance for your help.

All Replies

  • mMontana
    mMontana Posts: 1,380  Guru Member
    edited May 2021
    1 gateway and 1 tunnel for every VPN50 on VPN100.
    Also, on VPN50 tunnel should be nailed up, on VPN100 not.
    Do not overlap subnets among sites. Or manage it correctly (NAT)
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @VPN50_100_User

    If you want two VPN50 to connect to a VPN100, you need to create two VPN profiles on the VPN100 for this scenario.
    Also, you can set a different Proposal or Pre-shared key to avoid a rule mismatch.
    Be aware that, just as mMontana mentioned, do not overlap subnets among sites.
    If the VPN is still down, you can go to Monitor > Log and select IKE in the category field to understand which phase failed.
  • Thank you kindly for the answers.

    I'm afraid there might be an address problem. I used the following addresses:

    VPN100 - VPN Connection 1: Local Policy:  LAN1_SUBNET INTERFACE SUBNET, 10.168.0.0/19
                               Remote Policy: VPN50-1     SUBNET, 10.168.166.0/24

    VPN100 - VPN Connection 2: Local Policy:  LAN1_SUBNET INTERFACE SUBNET, 10.168.0.0/19
                               Remote Policy: VPN50-2     SUBNET, 10.168.133.0/24

    VPN50-1 - VPN Connection: Local Policy:  LAN1_SUBNET INTERFACE SUBNET, 10.168.166.0/24
                              Remote Policy: VPN100      SUBNET, 10.168.0.0/19

    VPN50-2 - VPN Connection: LAN1_SUBNET INTERFACE SUBNET, 10.168.133.0/24
                              Remote Policy: VPN100      SUBNET, 10.168.0.0/19

    Is the addressing given above correct?

    The LOG entries from the VPN100 are:

    IKE - The cookie pair is : 0x45a07b4db5077d02 / 0xf1814d0662645e68
    IKE - [info] Send:
    IKE - The cookie pair is : 0xf1814d0662645e68 / 0x45a07b4db5077d02
    IKE - [info] Recv:
    Security Policy Control - Match default rule, DROP

    Does somebody know what I'm doing wrong?
  • These LOG entries are repeated a few times and then there are the following entries:

    IKE - [INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID]
    IKE - [AUTH] Recv:[IDi][CERTREQ][AUTH][SA][TSi][TSr][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
    IKE - [ID] : Tunnel [IKEv2_Tunnel_Site_to_Site_IHL] Phase 2 Remote policy mismatch
    IKE - [SA] : No proposal chosen
    IKE - IPsec SA negotiation failed
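
Added example, not part of the original posts and not Zyxel code: a Python check of the two rules raised in this thread, that site subnets must not overlap and that each tunnel's local and remote policies must mirror each other on both gateways (a mismatch there is what a "Phase 2 Remote policy mismatch" log line points at). The addresses are the ones posted above, typed in by hand; the names `HUB`, `BRANCHES` and `check_policies` are hypothetical.

```python
import ipaddress
from itertools import combinations

# Phase 2 policies as posted in the thread: site -> (local policy, remote policy)
HUB = {  # VPN100: one VPN connection per branch
    "VPN50-1": ("10.168.0.0/19", "10.168.166.0/24"),
    "VPN50-2": ("10.168.0.0/19", "10.168.133.0/24"),
}
BRANCHES = {  # each VPN50: its single connection towards the VPN100
    "VPN50-1": ("10.168.166.0/24", "10.168.0.0/19"),
    "VPN50-2": ("10.168.133.0/24", "10.168.0.0/19"),
}

def check_policies(hub, branches):
    """Return a list of problems; an empty list means the policies are consistent."""
    problems = []
    lans = set()  # (site name, LAN network) pairs for the overlap check
    for site in sorted(set(hub) | set(branches)):
        if site not in hub or site not in branches:
            problems.append(f"{site}: tunnel is configured on one side only")
            continue
        # strict=True raises ValueError for a prefix with host bits set
        h_local, h_remote = (ipaddress.ip_network(c, strict=True) for c in hub[site])
        b_local, b_remote = (ipaddress.ip_network(c, strict=True) for c in branches[site])
        # The selectors of one tunnel must be exact mirrors on the two gateways
        if h_local != b_remote:
            problems.append(f"{site}: hub local {h_local} != branch remote {b_remote}")
        if h_remote != b_local:
            problems.append(f"{site}: hub remote {h_remote} != branch local {b_local}")
        lans.update({("VPN100", h_local), (site, b_local)})
    # LANs of different sites must not overlap (otherwise NAT is needed)
    for (a_name, a_net), (b_name, b_net) in combinations(sorted(lans), 2):
        if a_name != b_name and a_net.overlaps(b_net):
            problems.append(f"{a_name} {a_net} overlaps {b_name} {b_net}")
    return problems

if __name__ == "__main__":
    for line in check_policies(HUB, BRANCHES) or ["policies mirror each other, no overlap"]:
        print(line)
```
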
  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    Answer ✓
    This may help 
    Knowledge Base | Zyxel

  • Thank you very much for your help.
    The link was very helpful. I had a typo in the DNS entry in the VPN100. Now everything works fine.
    Thanks again for your help.