USG20W : only one user can connect to IPSEC gateway

flefebure
edited August 2021 in Security
Hi,

We have a USG20W with the latest 4.65 firmware.
We have the feeling that the issue is relatively new, but we can't prove it (we had a big gap upgrade to 4.62 in June/July).

When a first user connects to the IPSEC GW: everything is fine.
When a second user connects, both connections become very unstable, but not totally dead.
When a third user connects, all connections are totally ineffective.

USG CPU usage is high with 2 users (96/98%)

Some details (the USG address has been replaced with X.X.X.X):
IPSEC USG configuration:

crypto map VPN_Sotbridge
 activate
 adjust-mss auto
 ipsec-isakmp VPN_Softbridge
 scenario remote-access-server
 encapsulation tunnel
 transform-set esp-des-sha
 set security-association lifetime seconds 86400
 set pfs none
 local-policy LAN1_SUBNET
 remote-policy any
 no conn-check activate
!
ikev2 policy VPN_Softbridge_Ike2
 deactivate
 local-ip interface wan1
 peer-ip 0.0.0.0 0.0.0.0
 authentication pre-share
 encrypted-keystring ********
 local-id type fqdn server
 peer-id type fqdn client
 fall-back-check-interval 300
 lifetime 86400
 group1
 transform-set des-md5
 dpd-interval 30

Strongswan client configuration

conn softbridge
        left=%defaultroute
        #left=%any
        #leftsourceip=%config
        #leftsourceip=192.168.50.100
        leftsubnet=192.168.43.0/24
        leftid=1.1.1.1
        right=X.X.X.X
        rightid=1.1.1.1
        rightsubnet=192.168.50.0/24
        authby=psk
        dpdaction=restart
        aggressive=no
        ikelifetime=1h
        ike=des-md5-modp768
        esp=des-sha1
        keyexchange=ikev1
        compress=yes
        modeconfig=pull
        dpddelay=10s
        dpdtimeout=30s
        dpdaction=restart
        type=tunnel
        auto=start
        closeaction=restart

Charon log on an unstable client (looping)

Aug 16 13:27:16 dev10 charon-custom: 07[ENC] parsed INFORMATIONAL_V1 request 824554252 [ HASH D ]
Aug 16 13:27:16 dev10 charon-custom: 07[IKE] received DELETE for ESP CHILD_SA with SPI 1f2cb2ae
Aug 16 13:27:16 dev10 charon-custom: 07[IKE] closing CHILD_SA softbridge{104} with SPIs ce41fc8b_i (0 bytes) 1f2cb2ae_o (0 bytes) and TS 192.168.43.0/24 === 192.168.50.0/24
Aug 16 13:27:16 dev10 charon-custom: 07[ENC] generating QUICK_MODE request 72507943 [ HASH SA No ID ID ]
Aug 16 13:27:16 dev10 charon-custom: 07[NET] sending packet: from 192.168.43.193[4500] to X.X.X.X[4500] (292 bytes)
Aug 16 13:27:16 dev10 charon-custom: 11[NET] received packet: from X.X.X.X[4500] to 192.168.43.193[4500] (68 bytes)
Aug 16 13:27:16 dev10 charon-custom: 11[ENC] parsed INFORMATIONAL_V1 request 799614619 [ HASH D ]

All Replies

  • lalaland
    edited August 2021
    Is it client to site VPN or site to site VPN in your scenario?
    If I remember correctly, client to site VPN should encapsulate as transport mode, and site to site VPN should be tunnel mode.
    My Strongswan client cfg for your reference.
    conn shield
            left=Y.Y.Y.Y                    <= client ip
            leftid=vpnclient
            leftauth=psk
            leftauth2=xauth
            leftsourceip=%config
            leftfirewall=yes
            right=X.X.X.X                   <= USG WAN ip
            rightsubnet=192.168.1.0/24      <= USG lan subnet
            rightid=X.X.X.X                 <= USG WAN ip
            rightauth=psk
            auto=add
            ike=aes256-sha2_256-modp1024!
            esp=aes256-sha2_256!
  • @flefebure
    lalaland is right ;)

  • flefebure
    Hi lalaland & pohofiwo,

    Tx for your answers,

    I've made some tests this morning, but I was not able to set up a connection with "transport" mode on both sides.
    Note:
    Anyway, since we noted the regression, there have been some major modifications in our setup:
    • Zyxel firmware updates (from 3.something to 4.62, then 4.65)
    • Change from the Shrew Linux VPN client to the StrongSwan VPN client (because the Shrew one doesn't build anymore with recent Ubuntu releases)
    So effectively, I'm now inclined to think the problem is the Strongswan config.

    For the moment, I've switched from ikev1 to ikev2 and I'm waiting for a second user to connect (we are not in the same timezone).

    Thanks!

  • lalaland
    I was wondering about your settings. Assuming your case is client-to-site VPN, the cfg should not have a declaration of leftsubnet.
    The configuration looks like site-to-site VPN scenario settings to me. :p
    This is an example for your reference.
    https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2ClientConfig
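A small checker, added here as an example and not part of this thread or of strongSwan itself, that parses an ipsec.conf conn block in the format posted above and flags the points raised in the thread: leftsubnet on a road-warrior conn, an option declared twice, and legacy ike/esp algorithms such as des, md5 and modp768. The sample block and the legacy-token list are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the client-to-site conn from the thread, reduced to the
# options the checks below look at (not the poster's full file).
SAMPLE_IPSEC_CONF = """\
conn softbridge
        left=%defaultroute
        leftsubnet=192.168.43.0/24
        right=X.X.X.X
        rightsubnet=192.168.50.0/24
        authby=psk
        dpdaction=restart
        ike=des-md5-modp768
        esp=des-sha1
        keyexchange=ikev1
        dpdaction=restart
        type=tunnel
"""

# Algorithm tokens that are broken or deprecated (constructed list, not exhaustive).
LEGACY_TOKENS = {"des", "3des", "md5", "modp768", "modp1024"}

def parse_conns(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse ipsec.conf 'conn' sections into ordered (key, value) lists.
    Duplicate keys are kept so they can be reported."""
    conns: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop '#' comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)", line)       # section header is unindented
        if m:
            current = m.group(1)
            conns[current] = []
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current].append((key.strip(), value.strip()))
    return conns

def check_client_conn(opts: List[Tuple[str, str]]) -> List[str]:
    """Findings for a conn meant as a road-warrior (client-to-site) connection."""
    findings = []
    keys = [k for k, _ in opts]
    if "leftsubnet" in keys:
        findings.append("leftsubnet set: road-warrior clients normally omit it (looks like site-to-site)")
    for k in sorted(set(keys)):
        if keys.count(k) > 1:
            findings.append(f"{k} declared {keys.count(k)} times; check which value is intended")
    for k, v in opts:
        if k in ("ike", "esp"):
            legacy = sorted(t for t in re.split(r"[-_!,]", v.lower()) if t in LEGACY_TOKENS)
            if legacy:
                findings.append(f"{k}={v}: legacy algorithms {legacy}")
    return findings
```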
  • flefebure
    Hi,
    I did not have more success with your last example. It's functional, but only for one user.
    I'm going to try to get support from Zyxel.


  • lalaland
    edited September 2021
    Another way to build up VPN tunnels for your reference. It's GUI based, easier to set up a VPN tunnel.  :#
    The configuration is the L2TP over IPSec with user authentication scenario.

    Click add to create VPN tunnel


    Type gateway IP and username password.


    Tick "Enable IPsec tunnel to l2tp host"


    Just leave this page as default settings.
