USG 500 FLEX: IPSec Site-to-Site behind Double NAT only possible in Aggressive Mode?

With our previously used Draytek Vigor 3910 it was possible to establish an IPSec Site-to-Site VPN connection in Main Mode even behind a double NAT, that is, the Draytek was connected to another (CPE) router for DOCSIS Internet access. Now the USG 500 FLEX is connected to that same DOCSIS router but seems not to be able to establish a connection. I believe the Draytek could just send the IP that was manually entered in the connection setup. Could it be that the USG 500 can only send the IP which is actually bound to the respective WAN port (a local address given out by the DOCSIS router in this case) and that with this configuration an IPSec connection is only possible in Aggressive Mode?
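Why Main Mode breaks behind NAT while Aggressive Mode survives comes down to how the responder picks the pre-shared key and checks the peer identity. The following Python model is an added illustration, not code from this thread or from Zyxel or DrayTek; it assumes IKEv1 with pre-shared keys and the branch firewall as initiator, and the addresses, host name and PSK are constructed.

```python
"""Model of IKEv1 phase-1 identity handling when the initiator sits behind NAT.
Constructed example: addresses, names and the PSK are made up, not from the thread."""
import ipaddress

# Responder's (hub) configured peer gateways: (ID type, identity) -> pre-shared key.
# The hub only knows the branch by its CPE's public address or by a name.
PEERS = {
    ("ipv4", "203.0.113.10"): "branch-psk",   # CPE public IP (constructed)
    ("fqdn", "branch.example"): "branch-psk",  # name identity (constructed)
}

BRANCH_WAN_IP = "192.168.0.2"    # private address the CPE hands to the firewall's WAN
CPE_PUBLIC_IP = "203.0.113.10"   # what the hub actually sees as the packet source
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def nat_rewrite(src_ip: str) -> str:
    """Source NAT done by the CPE: RFC 1918 sources leave with the public IP."""
    addr = ipaddress.ip_address(src_ip)
    return CPE_PUBLIC_IP if any(addr in net for net in RFC1918) else src_ip


def phase1_responder(mode: str, src_ip: str, id_type: str, ident: str):
    """Responder's PSK selection and ID check; returns (accepted, reason).

    Main Mode: the ID payload is encrypted (messages 5/6), so the responder
    must pick the PSK by the packet's source IP before it can read the ID,
    and that ID then has to match the address the PSK was chosen for.
    Aggressive Mode: the ID payload travels in the clear in message 1, so
    the PSK can be chosen by any ID type (FQDN, e-mail) regardless of NAT.
    NAT-T port switching to UDP 4500 is not modelled."""
    if mode == "main":
        if ("ipv4", src_ip) not in PEERS:
            return False, f"no PSK configured for source {src_ip}"
        if (id_type, ident) != ("ipv4", src_ip):
            return False, f"ID {ident} does not match source {src_ip}"
        return True, "accepted (main mode, IP identity)"
    if mode == "aggressive":
        if (id_type, ident) not in PEERS:
            return False, f"no PSK configured for ID {ident}"
        return True, "accepted (aggressive mode, ID sent in the clear)"
    raise ValueError(f"unknown mode {mode}")


def branch_connects(mode: str, id_type: str, ident: str):
    """Branch firewall initiates from behind the CPE; the hub responds."""
    return phase1_responder(mode, nat_rewrite(BRANCH_WAN_IP), id_type, ident)


if __name__ == "__main__":
    print(branch_connects("main", "ipv4", BRANCH_WAN_IP))        # ID left at WAN IP: rejected
    print(branch_connects("main", "ipv4", CPE_PUBLIC_IP))        # ID set to public IP: accepted
    print(branch_connects("aggressive", "fqdn", "branch.example"))  # FQDN ID: accepted
```

The Aggressive Mode path works without knowing the public address, but the identity and a hash derived from the PSK are visible on the wire, so a weak PSK is exposed to offline guessing.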

All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,444  Zyxel Employee
    Hi @SAMJUN,
    Welcome to the Zyxel community. =)
    Assuming FLEX500 is behind a NAT device, you need to add port mapping on the NAT device to forward IKE/ESP/NAT-T (UDP 4500) traffic.
    Can you post the FLEX500 VPN IKE log?

    Monitor > Log > View Log

  • mMontana
    mMontana Posts: 1,299  Guru Member
    Before
    internet <--> Docsis <----> Draytek 
    VPN OK
    Now
    internet <--> Docsis <----> USG 500 Flex
    VPN KO.
    Am I correct?

    Does USG500 Flex wait for interconnection or actively connect to the other endpoint?
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,444  Zyxel Employee
    edited August 2022
    @mMontana, it depends on the Peer Gateway Address: if the FLEX VPN phase 1 peer gateway is a dynamic IP, it will run in the responder role.
    VPN phase 1 Peer Gateway Address is a static IP   <= Initiator role
    VPN phase 1 Peer Gateway Address is a Dynamic Address <= Responder role
    BTW, can you also take a screenshot of the Draytek "LAN to LAN" profile? (Mask your public IP.)
    With the Draytek settings, we can see how to adjust the settings in the Flex 500.
  • mMontana
    mMontana Posts: 1,299  Guru Member
    Sorry, @Zyxel_Cooldia, I forgot to mention @SAMJUN. Question was for that user.
    I have to use the "nailed up" setting behind a Carrier-grade NAT.

    Have a nice day.
  • SAMJUN
    SAMJUN Posts: 4
    @Zyxel_Cooldia Thanks for the warm welcome! :) The USG 500 is the DMZ host of the first NAT router, so it passes everything right through to the USG 500.

    @mMontana That's correct, yes.

    This is the working LAN to LAN profile in the Vigor:

    [Screenshot: Vigor LAN to LAN profile]

    I will extract some IKE logs as soon as possible and post it here, too.
  • mMontana
    mMontana Posts: 1,299  Guru Member
    edited August 2022
    The Draytek seems to be dial-in, so it waits for the connection from the counterpart. Is the Nailed-up setting enabled in the Zyxel?
    I see no reference to PFS/Diffie-Hellman in the Vigor. Is it hidden under some button? If the device does not support that flavour, is PFS disabled on the Zyxel?
    Last but not least: is NAT Traversal enabled on the Zyxel?
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,444  Zyxel Employee
    Can you help by posting the FLEX VPN IKE log? We would like to check the IKE negotiation log.
  • mMontana said:
        The Draytek seems to be dial-in, so it waits for the connection from the counterpart. Is the Nailed-up setting enabled in the Zyxel?
        I see no reference to PFS/Diffie-Hellman in the Vigor. Is it hidden under some button? If the device does not support that flavour, is PFS disabled on the Zyxel?
        Last but not least: is NAT Traversal enabled on the Zyxel?
    Yes, the PFS settings are hidden behind the 'Advanced' button. But that only affects dial-out connections. For incoming connections the Draytek seems to accept any combination of the parameters listed under 'IPSec General Setup':

    [Screenshot: Vigor 'IPSec General Setup' page]

    'Nailed up' and NAT Traversal are enabled.
  • Zyxel_Cooldia said:
        Can you help by posting the FLEX VPN IKE log? We would like to check the IKE negotiation log.
    I'll have another chance at testing in the next few days. I will then post some logs. Thanks thus far!
