Gateway confusion between two IPSec Gateways

Options
mMontana
mMontana Posts: 1,302  Guru Member
First Anniversary 10 Comments Friend Collector First Answer
USG40, Firmware 4.73.
One internet connection FTTC, static IP address
9 IPSec gateways configured, 2 IKEv2. 7 IKEv1.
Gateway 8 is the one used for IPSec client with license; aggressive negotiation, lifetime SA 86400.
Gateway 9 is configured as "site to site  with dynamic peer"; aggressive negotiation SA lifetime 3600 sec; the endpoint is USG20, Firmware 3.30P9 ITS-WK48-r74988, the connection is made via 4G router which provider deploy C-NAT and i cannot have access to static/public IP address. the low SA Lifetime is designed for allow fast reconnection in case of IP change.
When the USG20 endpoint try to reach Gateway 9, on USG40 log reports failed negotiations with Gateway 8; if I disable Gateway 8, connection start without issues.
Moreover... Gateway 2 is configured in similar way as Gateway 9 (site to site  with dynamic peer, USG20W as endpoint, C-NAT on the ISP, which is a mobile provider via 4G, 2880 as SA lifetime). I never get issues/errors on this gateway and sometimes on USG20W for "nudgin'" the connection I disable and re-enable the gateway.

What I'm doing wrong?

(I was denied for allow remote access on USG40; happy to provide any detail necessary but remote access cannot be provided in any way, sorry)
«1

All Replies

  • zyman2008
    zyman2008 Posts: 199  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @mMontana,
    If you have multiple Aggressive mode gateway (phase 1) rule.
    local-id is the attribute that used to identify the different gateway (phase 1) rule.
    By default, the local-id is IP address of interface of the gateway rule.

    In your case, you can setup local-id of gateway 9 rule. (ex. type: DNS, value=string1)
    In the peer USG20. Setup remote-id to "string1" so that it can match the right one (gateway 9 rule).

  • mMontana
    mMontana Posts: 1,302  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Thanks a lot for your answer, @zyman2008, I'll look into it and report.
  • mMontana
    mMontana Posts: 1,302  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    I was not remembering all the details.
    Gateway 8 (server for IPsec client with Zyxel licensed client) has IPv4 and specific address as local id, but accepts any other as peer ID
    Gateway 9 (site to site with dynamic peer) have DNS local and Peer id, with values, matching and working.

    So.
    If i don't transform Gateway 8 to Gateway 10 or change the remote Peer ID to "something" for Gateway 8 I'm stuck there?
  • mMontana
    mMontana Posts: 1,302  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    UP. Hoping that any zyxel representative can provide some info or hints.
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Gateway 8, set Local ID with different type (IP or Email) from Gateway 9. 
    Gateway 9 (site to site with dynamic peer) have DNS Local ID and Peer ID.
    On the remote site or client, set correct remote ID type. Then the client should be able to connect to the correct Gateway. 
  • mMontana
    mMontana Posts: 1,302  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Gateway 8, set Local ID with different type (IP or Email) from Gateway 9. 

    They already are.
    Gateway 9 (site to site with dynamic peer) have DNS Local ID and Peer ID.
    On the remote site or client, set correct remote ID type. Then the client should be able to connect to the correct Gateway. 

    They already are.
    When Gateway 8 is disabled, Gateway 9 corrects without any different setting.
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Could you share the configuration file of USG40 with me in private message? Thanks!
  • mMontana
    mMontana Posts: 1,302  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Update. I deleted and re-created Gateway 8, so now in the list is Gateway 9, still having the same issue.
    I need to disable IPSec client gateway and the site to site gateway. Then enable the site to site. Then tunnel build, and i can enable the client gateway, having still the tunnel built and working.

    I'll get in touch soon for the configuration.
  • mMontana
    mMontana Posts: 1,302  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Update. Unfortunately later…

    Currently the "IPSec client with license" gateway is disabled once a day in the morning. Then re-enabled 45 minutes later, when is expected that if the "Site to site with dynamic address" endpoint will establish connection.

    After that, the Ipsec software client for windows can flawlessly connect.

    I worked around the issue, however I cannot understand how the device can "confuse" the traffic. PSK is different among the gateways.

  • mMontana
    mMontana Posts: 1,302  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Updates on the same topic.

    USG40 has updated to 4.73P1 (thanks zyxel for update a EndOfService product!).
    VPN has changed parameters:
    Gateway moved from 57600 seconds to 3600 seconds. Proposals were upgraded to AES192/SHA256.
    Connection proposals were upgraded to AES192/SHA256.

Security Highlight