Gateway confusion between two IPSec Gateways

mMontana
mMontana Posts: 1,300  Guru Member
USG40, Firmware 4.73.
One internet connection FTTC, static IP address
9 IPSec gateways configured, 2 IKEv2. 7 IKEv1.
Gateway 8 is the one used for IPSec client with license; aggressive negotiation, lifetime SA 86400.
Gateway 9 is configured as "site to site with dynamic peer"; aggressive negotiation, SA lifetime 3600 sec; the endpoint is a USG20, Firmware 3.30P9 ITS-WK48-r74988. The connection is made via a 4G router whose provider deploys C-NAT, and I cannot have access to a static/public IP address. The low SA lifetime is designed to allow fast reconnection in case of an IP change.
When the USG20 endpoint tries to reach Gateway 9, the USG40 log reports failed negotiations with Gateway 8; if I disable Gateway 8, the connection starts without issues.
Moreover... Gateway 2 is configured in a similar way to Gateway 9 (site to site with dynamic peer, USG20W as endpoint, C-NAT on the ISP, which is a mobile provider via 4G, 2880 as SA lifetime). I never get issues/errors on this gateway, and sometimes on the USG20W, to "nudge" the connection, I disable and re-enable the gateway.

What am I doing wrong?

(I was denied permission to allow remote access on the USG40; happy to provide any detail necessary, but remote access cannot be provided in any way, sorry)

All Replies

  • zyman2008
    zyman2008 Posts: 199  Master Member
    Hi @mMontana,
    If you have multiple Aggressive mode gateway (phase 1) rules,
    local-id is the attribute used to identify the different gateway (phase 1) rules.
    By default, the local-id is the IP address of the interface of the gateway rule.

    In your case, you can set up the local-id of the gateway 9 rule (ex. type: DNS, value=string1).
    In the peer USG20, set up the remote-id to "string1" so that it can match the right one (gateway 9 rule).

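    As an added illustration (not the poster's or Zyxel's code, and only a model of how identity-based selection among aggressive-mode rules can overlap, not the USG's actual selection logic): a rule that accepts any peer ID overlaps with every other aggressive-mode rule on the same interface, so which rule handles a given initiator is left to the device rather than fixed by the configuration. Gateway names, addresses, IDs and PSKs below are placeholders, and the "first accepting rule wins" tie-break is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Ident = Tuple[str, str]  # (ID type, value), e.g. ("DNS", "string1")

@dataclass(frozen=True)
class Gateway:
    name: str
    local_id: Ident            # returned to the initiator in aggressive-mode message 2
    peer_id: Optional[Ident]   # None = rule accepts any initiator ID
    psk: str

def matching_rules(gateways: List[Gateway], initiator_id: Ident) -> List[Gateway]:
    """Rules whose peer-id accepts the ID in the initiator's first message,
    the only selector the responder has at that point (assumed model)."""
    return [g for g in gateways if g.peer_id is None or g.peer_id == initiator_id]

def overlapping_rules(gateways: List[Gateway]) -> List[Tuple[str, str]]:
    """Pairs of rules that can both accept the same initiator ID: a catch-all
    peer-id overlaps every other aggressive-mode rule on the same interface."""
    pairs = []
    for i, a in enumerate(gateways):
        for b in gateways[i + 1:]:
            if a.peer_id is None or b.peer_id is None or a.peer_id == b.peer_id:
                pairs.append((a.name, b.name))
    return pairs

def negotiate(rules: List[Gateway], initiator_id: Ident,
              expected_remote_id: Ident, initiator_psk: str):
    """One phase-1 attempt: the responder takes the first accepting rule (assumption),
    then the initiator checks the returned local-id and the PSK. Returns (rule, outcome)."""
    accepted = matching_rules(rules, initiator_id)
    if not accepted:
        return (None, "no-matching-rule")
    chosen = accepted[0]
    if chosen.local_id != expected_remote_id:
        return (chosen.name, "remote-id-mismatch")
    if chosen.psk != initiator_psk:
        return (chosen.name, "auth-failed")
    return (chosen.name, "established")

# Constructed gateway list modelled on the thread; addresses, IDs and PSKs are placeholders.
GW8 = Gateway("Gateway 8", ("IPV4", "198.51.100.1"), None, "psk-clients")
GW9 = Gateway("Gateway 9", ("DNS", "string1"), ("DNS", "usg20-site"), "psk-site")
AS_CONFIGURED = [GW8, GW9]
# Same list with the catch-all rule narrowed to one specific peer ID.
GW8_NARROWED = Gateway(GW8.name, GW8.local_id, ("EMAIL", "client@example.invalid"), GW8.psk)
NARROWED = [GW8_NARROWED, GW9]
```

    `overlapping_rules` is the check to run over a gateway list: an empty result means every initiator ID can land on only one rule, whatever order the device evaluates them in.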
  • mMontana
    mMontana Posts: 1,300  Guru Member
    Thanks a lot for your answer, @zyman2008, I'll look into it and report.
  • mMontana
    mMontana Posts: 1,300  Guru Member
    I did not remember all the details.
    Gateway 8 (server for IPsec client with Zyxel licensed client) has IPv4 and a specific address as local ID, but accepts any other as peer ID.
    Gateway 9 (site to site with dynamic peer) has DNS local and peer ID, with values, matching and working.

    So.
    If I don't transform Gateway 8 to Gateway 10 or change the remote Peer ID to "something" for Gateway 8, I'm stuck there?
  • mMontana
    mMontana Posts: 1,300  Guru Member
    UP. Hoping that any Zyxel representative can provide some info or hints.
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    Gateway 8: set Local ID with a different type (IP or Email) from Gateway 9.
    Gateway 9 (site to site with dynamic peer) has DNS Local ID and Peer ID.
    On the remote site or client, set the correct remote ID type. Then the client should be able to connect to the correct Gateway.
  • mMontana
    mMontana Posts: 1,300  Guru Member
    Gateway 8: set Local ID with a different type (IP or Email) from Gateway 9.

    They already are.
    Gateway 9 (site to site with dynamic peer) has DNS Local ID and Peer ID.
    On the remote site or client, set the correct remote ID type. Then the client should be able to connect to the correct Gateway.

    They already are.
    When Gateway 8 is disabled, Gateway 9 connects without any different setting.
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    Could you share the configuration file of USG40 with me in private message? Thanks!
  • mMontana
    mMontana Posts: 1,300  Guru Member
    Update. I deleted and re-created Gateway 8, so now in the list it is Gateway 9; still having the same issue.
    I need to disable the IPSec client gateway and the site to site gateway, then enable the site to site. Then the tunnel builds, and I can enable the client gateway, with the tunnel still built and working.

    I'll get in touch soon for the configuration.
  • mMontana
    mMontana Posts: 1,300  Guru Member

    Update. Unfortunately later…

    Currently the "IPSec client with license" gateway is disabled once a day in the morning, then re-enabled 45 minutes later, when it is expected that the "Site to site with dynamic address" endpoint will have established the connection.

    After that, the IPsec software client for Windows can connect flawlessly.

    I worked around the issue; however, I cannot understand how the device can "confuse" the traffic. The PSK is different among the gateways.

  • mMontana
    mMontana Posts: 1,300  Guru Member

    Updates on the same topic.

    The USG40 has been updated to 4.73P1 (thanks Zyxel for updating an End-of-Service product!).
    The VPN parameters have changed:
    The gateway moved from 57600 seconds to 3600 seconds. Proposals were upgraded to AES192/SHA256.
    Connection proposals were upgraded to AES192/SHA256.
