Connect Zyxel as a client to StrongSwan VPN server

vlad_k Posts: 8
First Anniversary
edited April 2022 in Security
Hi, I have USG Flex 200 and I am trying to connect it as a client to custom strongswan. Goal is to redirect web traffic from local network behing zyxel through remote vpn.

Vpn is cloud-based custom strongswan, so there is some freedom in its configuration in any possible way that might satisfy my usg flex 200. Makes sence to mention, VPN itself works for other clients (at least android).

On the one hand, zyxel offers "client role" during configuration process (so I expect what I want is possible in theory), on the other hand there are not so much materials on this topic.

Currently I was able to pass auth, but it can't assign IP. What can be done to fix it, or solve the problem in the other ways?

expected a virtual IP request, sending FAILED_CP_REQUIRED
configuration payload negotiation failed, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
generating IKE_AUTH response 1 [ IDr CERT AUTH N(FAIL_CP_REQ) ]

Also attaching additional information: swan logs, swan config, zyxel vpn gateway, zyxel vpn connection:

All Replies

  • mMontana
    mMontana Posts: 1,300  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    I tried to undrerstand the strongswan config several times.
    Am I dumb or i cannot see any reference to PFS?
  • vlad_k
    vlad_k Posts: 8
    First Anniversary
    edited April 2022
    Agree, there is mismatch in usg and strongswan configuration for phase2 (esp) DH group. But (probably) it is not the reason: for example if I change phase1 (ike) DH group, different error will happen earlier, while changing phase2 (esp) DH group does not change anything. Probably error happens before phase 2?

    I guess the main reason is 'expected a virtual IP request, sending FAILED_CP_REQUIRED', if I uderstood it correctly, USG does not request virtual IP, not sure how to make it request.

    Just in case, dh2 is basically modp1024.

  • zyman2008
    zyman2008 Posts: 199  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    As I know, Zyxel firewall only support as a VPN server for IPSec software client, with
    - IKEv1+mode config
    - L2TP over IPSec
    - IKEv2+EAP-MSCHAPv2+configuration payload. 

    It not support as an IPSec VPN client using any of the above VPN type.
    That means it won't support send mode-config or configuration payload request to VPN server. 

    You can only create another site-to-site rule on StrongSwan for it.

  • vlad_k
    vlad_k Posts: 8
    First Anniversary
    edited April 2022
    Ok, I played around site-to-site solution:

     - Tunnel was established (yay!)
     - Ping works to both directions: zywall and local pc can ping remote strongswan and vice versa (yay again!)

    Problem is how to make internet traffic go through tunnel:

    I have remote policy and introduce policy route for specific website:

    Incoming: any
    Source: any
    Destination: [FQDN_address_object]
    Next-Hop: [VPN_Tunnel]

    I can ping this website via its IP and FQDN (www addres) from local pc or from lan interface (and I am sure this ping goes through tunnel), but it does not work via browser. What can be the issue here?

    Ok, it was not a problem, fixed by reboot of strong swan server pc.

Security Highlight