Zywall 110 IPSec site to site VPN Not working

Options
NilsG
NilsG Posts: 4

trying to do a SSL Site to Site VPN to pass a temporary syslog.
i have tried the built in guides and guides on youtube and internet from Zyxel to set it up.

  • Each site have the oposit sites IP adress.
  • The LAN subnets are different.
  • Encryption is set same on both sites.
  • same password. (ruled out incompatable passwords bu useing just 123456789 for test)
  • firewall rules are in place on both sites, (firewalls are factory default exept VPN and WAN interface settings)

Site 1 have static IP
Site 2 have dynamic ip but a public facing one.

i did try to do a packet capture while i do try to connect from the other site and i do not get any trafic at all from that IP.

Any good ideas or questions so i can try to se what i have missed?


*Pictures from one of the sites, the other one is the same but with the other IP adresses of cource.
bild

bild

bild





All Replies

  • mMontana
    mMontana Posts: 1,351  Guru Member
    Community MVP First Anniversary 10 Comments Friend Collector
    edited August 2022
    Options
    This is my small experience...
    For both sites: any firewall with private IP configured on WAN interface must have enabled NAT-Traversal; strongly suggested to enable DPD (Ipsec V1).

    Site1: if the WAN on the zywall is configured with private address (as the previous suggestion), ports 500 UDP and 4500 UDP must be forwarded to the Zywall from your ISP router.
    The gateway must be set as "Dynamic Address" under Peer Gateway address. This change can lead to the negotiation to aggressive. Also, lower the SA time than 28800, in case of address change the rebuild of the tunnel could take up to 28800 seconds, or less (depending on the last time tunnel was built).
    In the VPN connection, it's advisable to set the connection not Nailed up; the scenario must be Site to site with a dynamic peer, and the gateway should be populated again with the new VPN gateway setting.

    Site2: as site1, ports 500 and 4500 forwarded are a thing that I'd do (assuming that the address on Site2 connection is pubblic and not ISP-level natted.
    For gateway, match the SA time and the negotiation (cipher included) match the gateway on site 1.
    Set the VPN connection as Nailed-Up. Site2 will initiate the connection any time it's on.
    Connection is fine as "site to site" 


  • smb_corp_user
    smb_corp_user Posts: 163  Master Member
    Community MVP First Anniversary 10 Comments Friend Collector
    Options
    (●) Site-to-site with Dynamic Peer was my initial thought as well. mMontana's post above is very good, I do not have anything to add.
  • NilsG
    NilsG Posts: 4
    Options
    will try this, though there is no ISP routers or modems at all so that is not a problem.
  • NilsG
    NilsG Posts: 4
    Options
    Hmm does not work. i´l try to sum up:
    No ISP routers or modems on any site.

    Site one:
    IP =  Static
    VPN type = "Site to site with dynamic peer
    Auth = preshared key
    SA Life = 28800
    Negotiation = Agressive
    Encryption = AES128 and SHA1
    Nat traversal = on
    DPD = on
    on connection:
    Naild-Up = off

    Site two:
    IP = Dynamic but public facing
    VPN Type = site to site (static adress of site one as primary adress)
    Auth = preshared key
    SA Life = 28800
    Negotiation = Agressive
    Encryption = AES128 and SHA1
    Nat traversal = on 
    DPD = on
    on connection:
    Nailed-Up = on

    Did try to get all the settings in two pictures below,








  • mMontana
    mMontana Posts: 1,351  Guru Member
    Community MVP First Anniversary 10 Comments Friend Collector
    Options
    On both sites, please activate "enable replay detection" into VPN Connection.
    Please, answer this question: WAN interfaces on site1 and site2 have public ip address configured or a private ip address configured (like 192.168.x.y or 172.16-31.x.y or 10.x.y.z)?

    Into security policies, the policy WAN to Zywall allow traffic for port 500 and 4500 UDP?

    After checking these boxes, time to go on log for understand what's goin' on.
  • NilsG
    NilsG Posts: 4
    Options
    done, but still not working.
    Yes there are public IP adresses on the WAN interface on both sites.


  • mMontana
    mMontana Posts: 1,351  Guru Member
    Community MVP First Anniversary 10 Comments Friend Collector
    Options
    Rules can be simplified using Service groups, reducing the load for the firewall with one rule instead of two.
    Now it's time to dig into the logs.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,376  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @NilsG
    In default setting, there is a rule from WAN to ZyWALL to allow VPN service.
    You can move the rule as 1st priority, prevent VPN connection effect by other rules.

    Also, you can click "Connect" button in VPN connection page to trigger VPN tunenl.
    If VPN tunnel connect fail, you can take screenshot of all "IKE" log entries to us for further check the reason.  (Monitor > Log)  :)

    Share yours now! https://bit.ly/4aO0BMF

    Stanley

Security Highlight