Connect Zyxel as a client to StrongSwan VPN server

vlad_k

Hi, I have USG Flex 200 and I am trying to connect it as a client to custom strongswan. Goal is to redirect web traffic from local network behing zyxel through remote vpn.

Vpn is cloud-based custom strongswan, so there is some freedom in its configuration in any possible way that might satisfy my usg flex 200. Makes sence to mention, VPN itself works for other clients (at least android).

On the one hand, zyxel offers "client role" during configuration process (so I expect what I want is possible in theory), on the other hand there are not so much materials on this topic.

Currently I was able to pass auth, but it can't assign IP. What can be done to fix it, or solve the problem in the other ways?

expected a virtual IP request, sending FAILED_CP_REQUIRED

configuration payload negotiation failed, no CHILD_SA built

failed to establish CHILD_SA, keeping IKE_SA

generating IKE_AUTH response 1 [ IDr CERT AUTH N(FAIL_CP_REQ) ]

Also attaching additional information: swan logs, swan config, zyxel vpn gateway, zyxel vpn connection:

mMontana

I tried to undrerstand the strongswan config several times.

Am I dumb or i cannot see any reference to PFS?

vlad_k

Agree, there is mismatch in usg and strongswan configuration for phase2 (esp) DH group. But (probably) it is not the reason: for example if I change phase1 (ike) DH group, different error will happen earlier, while changing phase2 (esp) DH group does not change anything. Probably error happens before phase 2?

I guess the main reason is 'expected a virtual IP request, sending FAILED_CP_REQUIRED', if I uderstood it correctly, USG does not request virtual IP, not sure how to make it request.

Just in case, dh2 is basically modp1024.

zyman2008

As I know, Zyxel firewall only support as a VPN server for IPSec software client, with
- IKEv1+mode config
- L2TP over IPSec
- IKEv2+EAP-MSCHAPv2+configuration payload. 

It not support as an IPSec VPN client using any of the above VPN type.
That means it won't support send mode-config or configuration payload request to VPN server. 

You can only create another site-to-site rule on StrongSwan for it.

vlad_k

Ok, I played around site-to-site solution:

 - Tunnel was established (yay!)
 - Ping works to both directions: zywall and local pc can ping remote strongswan and vice versa (yay again!)

Problem is how to make internet traffic go through tunnel:

I have remote policy 0.0.0.0/0 and introduce policy route for specific website:

Incoming: any

Source: any

Destination: [FQDN_address_object]

Next-Hop: [VPN_Tunnel]

I can ping this website via its IP and FQDN (www addres) from local pc or from lan interface (and I am sure this ping goes through tunnel), but it does not work via browser. What can be the issue here?

UPD
Ok, it was not a problem, fixed by reboot of strong swan server pc.