IPsec VPN "site to site" USG20<-> USG40

serverpal
serverpal Posts: 26  Freshman Member
Hi,
I need an IPsec VPN between headquarters (USG40) and another site (USG20, firmware 3.30).
On the USG40 there is IKEv1 and IKEv2, and I chose IKEv2.
On the USG20 there is no IKE version choice.
This is the guide:
https://mysupport.zyxel.com/hc/en-us/articles/360005745060--ZyWALL-USG-How-to-manually-configure-a-Site-to-Site-VPN-tunnel
but it does not work.
What am I doing wrong?
Are there any policies to set?

thanks

Damiano

Answers

  • jonatan
    jonatan Posts: 87  Ally Member
    USG20 does not support IKEv2, only IKEv1.
  • serverpal
    serverpal Posts: 26  Freshman Member
    Hi,
    now I configured IKEv1 on the USG40, but nothing.

    External office USG20, LAN IP 192.168.6.0/24
    VPN GATEWAY:
    name TOHEAD
    Interface Wan1
    static address: IP of headquarters
    pre-shared key MyPassword
    SA lifetime 86400
    negotiation mode: main
    AES128 SHA1 DH2 (no NAT traversal)

    USG VPN connection:
    Site to site
    VPN Gateway TOHEAD
    local policy LAN1_Subnet INTERFACE SUBNET 192.168.6.0/24
    remote policy SUBNET 192.168.8.0/24
    SA lifetime 86400
    ESP
    Tunnel
    AES128 SHA1 DH2
    zone IPSec_VPN


    Headquarters USG40, LAN IP 192.168.8.0/24
    VPN GATEWAY:
    name TOEXT
    IKE version IKEv1
    Interface Wan1
    static address: IP of external office
    pre-shared key MyPassword
    SA lifetime 86400
    negotiation mode: main
    AES128 SHA1 DH2 (no NAT traversal)

    USG VPN connection:
    Site to site
    VPN Gateway TOEXT
    local policy LAN1_Subnet INTERFACE SUBNET 192.168.8.0/24
    remote policy SUBNET 192.168.6.0/24
    SA lifetime 86400
    ESP
    Tunnel
    AES128 SHA1 DH2
    zone IPSec_VPN

    All activated; I try to connect (30 seconds) and it does not dial.


  • jonatan
    jonatan Posts: 87  Ally Member
    Show the IKE logs from both gateways.


  • mMontana
    mMontana Posts: 429  Master Member
    edited November 26
    serverpal said:
    Hi,
    now I configured IKEv1 on the USG40, but nothing.
    Triple-check that all the settings match.
    The only things that should not match are:
    Local/Remote subnets in Phase 2/VPN Connection (local and remote should be swapped on the other side, and vice versa)
    Local/Remote ID in Phase 1/VPN Gateway (local and remote should be swapped on the other side, and vice versa)

    Verify that the traffic you need can reach the firewall (port forwarding, firewall rules, whatever).
    If one of the two sides of the VPN does not have a static public IP, the scenario should be configured accordingly, and the "dynamic side" should be the one "calling" (nailed-up); the static one should not.
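
The mirror check mMontana describes, as an added example that is not part of the thread or of Zyxel's own tooling: both VPN definitions are modelled as Python dicts whose field names are mine. The values are the ones serverpal posted, with documentation-range placeholders (198.51.100.20 and 203.0.113.10) for the redacted static public addresses, Phase 1 IDs assumed to be IP-type (the thread does not show them), and nailed-up assumed on the external-office side. mirror_check() reports every field that should be identical but is not, every field that should be swapped between the ends but is not, overlapping LANs, and nailed-up set on both or neither end.

```python
import copy
import ipaddress
from typing import Any, Dict, List

# Hypothetical settings model built from the values serverpal posted.
# Public addresses are documentation-range placeholders for the redacted static IPs;
# Phase 1 IDs are assumed to be IP-type and nailed-up is assumed on the external office.
EXT_OFFICE: Dict[str, Any] = {
    "name": "TOHEAD",                   # VPN Gateway on the USG20 (external office)
    "ike_version": 1,                   # the USG20 only speaks IKEv1
    "my_address": "198.51.100.20",      # placeholder: USG20 public IP
    "peer_address": "203.0.113.10",     # placeholder: USG40 public IP
    "local_id": "198.51.100.20",
    "peer_id": "203.0.113.10",
    "psk": "MyPassword",
    "phase1": {"enc": "AES128", "auth": "SHA1", "dh": 2, "mode": "main",
               "lifetime": 86400, "nat_t": False},
    "phase2": {"proto": "ESP", "mode": "tunnel", "enc": "AES128", "auth": "SHA1",
               "pfs": 2, "lifetime": 86400},
    "local_subnet": "192.168.6.0/24",
    "remote_subnet": "192.168.8.0/24",
    "nailed_up": True,                  # assumed: this side dials
}

HQ: Dict[str, Any] = {
    "name": "TOEXT",                    # VPN Gateway on the USG40 (headquarters)
    "ike_version": 1,
    "my_address": "203.0.113.10",
    "peer_address": "198.51.100.20",
    "local_id": "203.0.113.10",
    "peer_id": "198.51.100.20",
    "psk": "MyPassword",
    "phase1": {"enc": "AES128", "auth": "SHA1", "dh": 2, "mode": "main",
               "lifetime": 86400, "nat_t": False},
    "phase2": {"proto": "ESP", "mode": "tunnel", "enc": "AES128", "auth": "SHA1",
               "pfs": 2, "lifetime": 86400},
    "local_subnet": "192.168.8.0/24",
    "remote_subnet": "192.168.6.0/24",
    "nailed_up": False,
}


def with_changes(cfg: Dict[str, Any], **overrides: Any) -> Dict[str, Any]:
    """Deep-copy cfg and override top-level keys, for what-if checks."""
    new = copy.deepcopy(cfg)
    new.update(overrides)
    return new


def mirror_check(a: Dict[str, Any], b: Dict[str, Any]) -> List[str]:
    """Return every inconsistency between the two ends; an empty list means they mirror."""
    problems: List[str] = []
    # Must be identical on both ends: IKE version, PSK, Phase 1 and Phase 2 proposals.
    if a["ike_version"] != b["ike_version"]:
        problems.append(f"IKE version: {a['ike_version']} vs {b['ike_version']}")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared key differs")
    for phase in ("phase1", "phase2"):
        for key, value in a[phase].items():
            if value != b[phase].get(key):
                problems.append(f"{phase} {key}: {value} vs {b[phase].get(key)}")
    # Must be swapped between the ends: addresses, Phase 1 IDs, Phase 2 selectors.
    for mine, theirs in (("my_address", "peer_address"),
                         ("local_id", "peer_id"),
                         ("local_subnet", "remote_subnet")):
        for x, y in ((mine, theirs), (theirs, mine)):
            if a[x] != b[y]:
                problems.append(f"{a['name']}.{x}={a[x]} but {b['name']}.{y}={b[y]}")
    # The two LANs must be distinct prefixes, or traffic between them cannot be routed.
    if ipaddress.ip_network(a["local_subnet"]).overlaps(ipaddress.ip_network(b["local_subnet"])):
        problems.append("the two LAN subnets overlap")
    # Exactly one end dials (nailed-up), as mMontana advises.
    nailed = [s["name"] for s in (a, b) if s["nailed_up"]]
    if len(nailed) != 1:
        problems.append(f"nailed-up should be set on exactly one side, found: {nailed or 'none'}")
    return problems


if __name__ == "__main__":
    for line in mirror_check(EXT_OFFICE, HQ) or ["both ends mirror correctly"]:
        print(line)
```

Run it against the two dicts as posted and it prints nothing wrong, which is the point: the parameters serverpal listed do mirror, so the fault was elsewhere (the NAT device in front of each USG, found later in the thread). Change one end's remote subnet or PSK with with_changes() and the exact mismatch is named.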

  • serverpal
    serverpal Posts: 26  Freshman Member
    edited November 27
    Hi,
    this is the IKE log

    IKE LOG USG40 HEADQUARTER:
    1 | 2021-11-27 10:40:31 | info | IKE | Peer not reachable | 192.168.1.237:500 | XXX.XXX.XXX.XXX:500 (<--- static IP of external office) | IKE_LOG
    2 | 2021-11-27 10:40:31 | info | IKE | ISAKMP SA [VPN_Gateway_Pal2] is disconnected | 192.168.1.237:500 | XXX.XXX.XXX.XXX:500 (<--- static IP of external office) | IKE_LOG
    3 | 2021-11-27 10:40:31 | info | IKE | The cookie pair is : 0x23023dc0f7cfb265 / 0x0000000000000000 | 192.168.1.237:500 | XXX.XXX.XXX.XXX:500 (<--- static IP of external office) | IKE_LOG

    IKE LOG USG20 EXTERNAL OFFICE:
    1 | 2021-11-27 09:36:03 | info | IKE | ISAKMP SA [Pal1_VPN] is disconnected | 192.168.1.50:500 | XXX.XXX.XXX.XXX:500 (<--- static IP of headquarters) | IKE_LOG
    2 | 2021-11-27 09:36:03 | info | IKE | The cookie pair is : 0xe9aa5f403ff41848 / 0x0000000000000000 | 192.168.1.50:500 | XXX.XXX.XXX.XXX:500 (<--- static IP of headquarters) | IKE_LOG
  • mMontana
    mMontana Posts: 429  Master Member
    edited November 27
    192.168.1.237:500  :/
    192.168.1.50:500  :/

    May I assume that both firewalls have a 192.168.1.0/24 address on the WAN interface, and that there's a NAT device between the firewall and the internet?

    If the answer is yes you should:
    • on both sides forward UDP ports 500 and 4500 to the USG devices
      (check that the setting survives a reboot of the device between the internet and the USG)
    • enable "NAT Traversal" on both VPN Gateways (Phase 1)
    • don't forget to enable only one VPN Connection (Phase 2) as "nailed up", not on both USGs
  • serverpal
    serverpal Posts: 26  Freshman Member
    Hi, thank you.
    There is an ISP router between the firewall and the internet.
    On both sides I forwarded UDP and TCP ports 500 and 4500 to the USG devices.
    Enable "NAT Traversal" on both VPN Gateways (Phase 1) - DONE
    Don't forget to enable only one VPN Connection (Phase 2) as "nailed up", not on both USGs - DONE

    Now I get a connection on both VPN Connections (the world icon is ON), but if I ping the other LAN I don't get a reply (Request timed out).

    This is the log on the USG at headquarters:


  • mMontana
    mMontana Posts: 429  Master Member
    Oh, an Italian dude. I'm Italian too. If you want professional support in your language...
    Check all the info related to the VPN gateway on both sides.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 813  Zyxel Employee
    Hi @serverpal,

    Please check whether the security policy from WAN to Device on both USGs has the NATT service port.
    Data traffic cannot pass through if there is no UDP 4500 in the WAN-to-ZyWALL rule.
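
An added example, not code from the thread or from Zyxel, that turns the two diagnoses above into checks: mMontana's reading of the IKE log (a private address on the USG's WAN side means an ISP router is NATing in front of it, and a responder cookie of all zeros means the peer never answered) and the NAT prerequisites that mMontana and Zyxel_Cooldia list (NAT Traversal on, UDP 500 and 4500 forwarded by the ISP router, UDP 500 and 4500 allowed in the WAN-to-ZyWALL policy, nailed-up on exactly one side). The log sample is constructed in the layout serverpal pasted, with 203.0.113.10 standing in for the redacted public address; the per-side settings dicts and their field names are hypothetical, and the headquarters side is deliberately built with the NATT service missing from its policy to show the finding Zyxel_Cooldia asks about.

```python
import ipaddress
import re
from typing import Any, Dict, List

# Constructed sample in the layout serverpal pasted (time, severity, category, message,
# local ip:port, peer ip:port), one entry per line with fields joined by " | ".
# 203.0.113.10 is a placeholder for the redacted XXX.XXX.XXX.XXX public address.
HQ_IKE_LOG = """\
2021-11-27 10:40:31 | info | IKE | Peer not reachable | 192.168.1.237:500 | 203.0.113.10:500
2021-11-27 10:40:31 | info | IKE | ISAKMP SA [VPN_Gateway_Pal2] is disconnected | 192.168.1.237:500 | 203.0.113.10:500
2021-11-27 10:40:31 | info | IKE | The cookie pair is : 0x23023dc0f7cfb265 / 0x0000000000000000 | 192.168.1.237:500 | 203.0.113.10:500
"""

ENTRY = re.compile(
    r"^(?P<ts>\S+ \S+) \| (?P<sev>\w+) \| (?P<cat>\w+) \| (?P<msg>.+?) \| "
    r"(?P<local>[\d.]+):(?P<lport>\d+) \| (?P<peer>[\d.]+):(?P<pport>\d+)$"
)
COOKIES = re.compile(r"cookie pair is : 0x([0-9a-fA-F]+) / 0x([0-9a-fA-F]+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REQUIRED_UDP = {500, 4500}   # IKE and NAT-T, i.e. the IKE and NATT service objects


def parse_ike_log(text: str) -> List[Dict[str, str]]:
    """One dict per entry; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def diagnose(text: str) -> Dict[str, Any]:
    """What the IKE log says about the local WAN address and whether the peer ever answered."""
    entries = parse_ike_log(text)
    if not entries:
        return {"error": "no IKE entries parsed"}
    # In IKEv1 the responder cookie stays all-zero until the peer's first reply is
    # processed, so a logged pair ending in 0x0000000000000000 means nothing came back.
    no_reply = False
    for e in entries:
        c = COOKIES.search(e["msg"])
        if c and int(c.group(2), 16) == 0:
            no_reply = True
    return {
        "local_ip": entries[0]["local"],
        "peer_ip": entries[0]["peer"],
        # RFC 1918 on the USG's WAN side means an ISP router is NATing in front of it.
        "local_behind_nat": is_rfc1918(entries[0]["local"]),
        "peer_not_reachable": any("Peer not reachable" in e["msg"] for e in entries),
        "no_reply_from_peer": no_reply,
    }


# Hypothetical per-side settings covering what mMontana and Zyxel_Cooldia ask for.
EXT_SIDE = {"name": "TOHEAD", "nat_traversal": True, "isp_router_udp_forwards": {500, 4500},
            "wan_to_zywall_udp_allowed": {500, 4500}, "nailed_up": True}
HQ_SIDE = {"name": "TOEXT", "nat_traversal": True, "isp_router_udp_forwards": {500, 4500},
           "wan_to_zywall_udp_allowed": {500}, "nailed_up": False}   # constructed: NATT missing


def nat_prereq_check(side: Dict[str, Any]) -> List[str]:
    """Per-side prerequisites for IKE and ESP through a NAT device in front of the USG."""
    problems = []
    if not side["nat_traversal"]:
        problems.append(f"{side['name']}: NAT Traversal is off on the VPN Gateway (Phase 1)")
    missing = REQUIRED_UDP - set(side["isp_router_udp_forwards"])
    if missing:
        problems.append(f"{side['name']}: ISP router does not forward UDP {sorted(missing)} to the USG")
    missing = REQUIRED_UDP - set(side["wan_to_zywall_udp_allowed"])
    if missing:
        problems.append(f"{side['name']}: WAN-to-ZyWALL security policy lacks UDP {sorted(missing)}")
    return problems


def pair_check(a: Dict[str, Any], b: Dict[str, Any]) -> List[str]:
    """Both sides' prerequisites plus the rule that exactly one side is nailed-up."""
    problems = nat_prereq_check(a) + nat_prereq_check(b)
    nailed = [s["name"] for s in (a, b) if s["nailed_up"]]
    if len(nailed) != 1:
        problems.append(f"nailed-up should be on exactly one side, found: {nailed or 'none'}")
    return problems


if __name__ == "__main__":
    print(diagnose(HQ_IKE_LOG))
    for p in pair_check(EXT_SIDE, HQ_SIDE) or ["NAT prerequisites satisfied"]:
        print(p)
```

The diagnosis of the sample log comes out as local_behind_nat, peer_not_reachable and no_reply_from_peer all true, which is the situation serverpal was in before forwarding the ports: the USG sends from 192.168.1.237 and nothing ever comes back. pair_check() then reports only the missing UDP 4500 in the headquarters WAN-to-ZyWALL policy, the condition that lets Phase 1 and Phase 2 come up (world icon on) while the NAT-T encapsulated ESP data is still dropped, matching the symptom of a connected tunnel with no ping reply.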



  • serverpal
    serverpal Posts: 26  Freshman Member
    edited November 30
    Hi,
    thank you for the help.

    Side: external office (subnet 192.168.2.0/24):

    VPN Connection:

    Policy:

    Ping to the headquarters subnet:

    Zyxel log, external office:

    Side: headquarters (subnet 192.168.8.0/24):

    VPN Connection:

    Firewall:

    And it does not work.
