Client / Server VPN with Client behind Router

StefanZ (Master Member), edited February 2023 in Security
EDIT: This has already been answered, as the post was delayed and I asked again.
Find the answers here: https://community.zyxel.com/en/discussion/16005/usg-as-vpn-client-behind-a-router

I am trying to establish a VPN from a FLEX50 (client) to a FLEX200 (server).
The FLEX200 (server) has its own IP on the WAN, I am able to establish L2TP over IPsec VPN connections from my Mac (from WAN side | with the onboard VPN client). So far so good.
The FLEX50 (client) is behind a Router and should connect to the FLEX200 via VPN.

What I need to achieve:
Have the FLEX50 sit in a remote LAN and connect some kiosk-screens to the FLEX200. Problem is that I cannot (don't want to) have to configure anything on the remote router, since it's at a client site. So I thought the "connect like a PC" approach makes sense here…

As mentioned, the L2TP-IPsec VPN works – so I was thinking to use that mode for connecting with the FLEX50 as well.

But the connection fails…

Some questions:
#1 - Does my idea even make sense? I am quite new to VPNs and this advanced routing stuff, so I might miss something simple.

#2 - Is it OK to have the client's WAN be the local IP it got from the router? After all a PC client also is behind a router, right?

#3 - Do I need to use X-Auth | Client Mode with user/pass?
It doesn't seem to work either, stuck at the same problem, but less output in the log.

#4 - Does the FLEX50 have any policies configured for the VPN to be stable?
I configured policies on the FLEX200 already so the VPN works and I can access clients with the connection from a PC. Didn't bother on the FLEX50 yet, but maybe that's required?

#5 - The FLEX50 Gateway > My Address > "WAN" is the DHCP it gets from the router. Is that correct? Or should I input "0.0.0.0" here?

#6 - Encapsulation on the FLEX200 is "Transport", while on the FLEX50 it's "Tunnel".
When I change the FLEX200 to "Tunnel", my Mac cannot connect anymore.
When I change the FLEX50 to "Transport", I get the error "CLI Number: 6 | Warning Number: 16017 | Warning Message: 'Remote policy need host or interface ip type'" on saving settings and "CLI Number: 0 | Error Number: -16016 | Error Message: 'Dial an incomplete tunnel has failed for Crypto map.'" when trying to connect.


Here are both IKE logs (newest log items on top):
Phase 2 seemingly fails due to NO_PROPOSAL_CHOSEN / Phase 2 Local policy mismatch
—————————— FLEX200 (server) ——————————
[COOKIE] Invalid cookie, no sa found [count=2]
The cookie pair is : 0x6f7bb823fd39d03e / 0x1781f05eab450b3d [count=2]
ISAKMP SA [L2TP_VPN_Gateway] is disconnected
The cookie pair is : 0x6f7bb823fd39d03e / 0x1781f05eab450b3d
Received delete notification
Recv:[HASH][DEL]
The cookie pair is : 0x1781f05eab450b3d / 0x6f7bb823fd39d03e [count=2]
Send:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
[SA] : No proposal chosen
[ID] : Tunnel [L2TP_Connection] Phase 2 Local policy mismatch
Recv:[HASH][SA][NONCE][ID][ID]
Phase 1 IKE SA process done
Send:[ID][HASH]
The cookie pair is : 0x6f7bb823fd39d03e / 0x1781f05eab450b3d [count=5]
Recv:[ID][HASH][NOTIFY:INITIAL_CONTACT]
The cookie pair is : 0x1781f05eab450b3d / 0x6f7bb823fd39d03e [count=2]
Send:[KE][NONCE][PRV][PRV]
Recv:[KE][NONCE][PRV][PRV]
Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]
The cookie pair is : 0x6f7bb823fd39d03e / 0x1781f05eab450b3d [count=2]
Recv IKE sa: SA([0] protocol = IKE (1), 3DES, HMAC-MD5 PRF, HMAC-MD5-96, 1024 bit MODP; [1] protocol = IKE (1), 3DES, HMAC-SHA1 PRF, HMAC-SHA1-96, 1024 bit MODP; [2] protocol = IKE (1), DES, HMAC-SHA1 PRF, HMAC-SHA1-96, 1024 bit MODP; ).
Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]
The cookie pair is : 0x1781f05eab450b3d / 0x6f7bb823fd39d03e [count=2]
Recv Main Mode request from [<FLEX50_IP>]
The cookie pair is : 0x6f7bb823fd39d03e / 0x0000000000000000

—————————— FLEX50 (client behind router) ——————————
ISAKMP SA [USG_Remote] is disconnected
Send:[HASH][DEL] [count=3]
The cookie pair is : 0x6f7bb823fd39d03e / 0x1781f05eab450b3d [count=4]
Recv:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
Send:[HASH][SA][NONCE][ID][ID]
Phase 1 IKE SA process done
Recv:[ID][HASH]
The cookie pair is : 0x1781f05eab450b3d / 0x6f7bb823fd39d03e [count=2]
Send:[ID][HASH][NOTIFY:INITIAL_CONTACT]
The cookie pair is : 0x6f7bb823fd39d03e / 0x1781f05eab450b3d [count=3]
Recv:[KE][NONCE][PRV][PRV]
Send:[KE][NONCE][PRV][PRV]
The cookie pair is : 0x6f7bb823fd39d03e / 0x1781f05eab450b3d
Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]
The cookie pair is : 0x1781f05eab450b3d / 0x6f7bb823fd39d03e [count=2]
Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]
Send Main Mode request to [<FLEX200_IP>]
Tunnel [USG_Remote_CON] Sending IKE request
The cookie pair is : 0x6f7bb823fd39d03e / 0x0000000000000000 [count=3]
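The two logs above are printed newest-first, so the decisive lines (Phase 1 completing, then the Quick Mode exchange being rejected) sit in the middle of each list. The parser below is an added example, not code from the original post or from Zyxel: it reverses a log in that format, strips the cookie-pair and `[count=N]` noise, reports which phase failed and the tunnel and reason the responder recorded, and flags phase-1 proposals that rely on DES, 3DES, MD5 or 1024-bit MODP, all of which the FLEX200 log shows the initiator offering. The sample logs are constructed from the lines quoted in the post, with the VID lists shortened and the `<FLEX50_IP>`/`<FLEX200_IP>` placeholders kept.

```python
"""Read a Zyxel-style IKEv1 log as the GUI shows it (newest entry first) and
report which phase failed, the reason the responder recorded, and any weak
phase-1 proposals.  Added example, not code from the original post or from
Zyxel; the sample logs are constructed from the lines quoted in the post, with
the VID lists shortened and the <FLEX50_IP>/<FLEX200_IP> placeholders kept."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: responder (FLEX200) log, newest line first.
SERVER_LOG = """\
ISAKMP SA [L2TP_VPN_Gateway] is disconnected [count=2]
Send:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
[ID] : Tunnel [L2TP_Connection] Phase 2 Local policy mismatch
Recv:[HASH][SA][NONCE][ID][ID]
Phase 1 IKE SA process done
Recv:[ID][HASH][NOTIFY:INITIAL_CONTACT]
Recv IKE sa: SA([0] protocol = IKE (1), 3DES, HMAC-MD5 PRF, HMAC-MD5-96, 1024 bit MODP; [1] protocol = IKE (1), 3DES, HMAC-SHA1 PRF, HMAC-SHA1-96, 1024 bit MODP; [2] protocol = IKE (1), DES, HMAC-SHA1 PRF, HMAC-SHA1-96, 1024 bit MODP; ).
Recv Main Mode request from [<FLEX50_IP>]
The cookie pair is : 0x6f7bb823fd39d03e / 0x0000000000000000
"""

# Constructed sample: initiator (FLEX50, behind the client-site router) log.
CLIENT_LOG = """\
ISAKMP SA [USG_Remote] is disconnected
Send:[HASH][DEL] [count=3]
Recv:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
Send:[HASH][SA][NONCE][ID][ID]
Phase 1 IKE SA process done
Send:[ID][HASH][NOTIFY:INITIAL_CONTACT]
Send Main Mode request to [<FLEX200_IP>]
Tunnel [USG_Remote_CON] Sending IKE request
"""

COUNT_RE = re.compile(r"\s*\[count=\d+\]$")
MISMATCH_RE = re.compile(r"Tunnel \[(?P<tunnel>[^\]]+)\] Phase (?P<phase>\d) (?P<reason>.+)")
PROPOSALS_RE = re.compile(r"Recv IKE sa: SA\((?P<body>.*)\)\.?$")
# Algorithms a current IKE policy should not offer; \bDES\b does not match 3DES.
WEAK_MARKERS = {
    "DES": re.compile(r"\bDES\b"),
    "3DES": re.compile(r"\b3DES\b"),
    "MD5": re.compile(r"MD5"),
    "MODP-1024": re.compile(r"1024 bit MODP"),
}

def chronological(log: str) -> List[str]:
    """Reverse a newest-first log, dropping cookie-pair lines and [count=N] suffixes."""
    lines = [COUNT_RE.sub("", ln.strip()) for ln in log.splitlines() if ln.strip()]
    return [ln for ln in reversed(lines) if not ln.startswith("The cookie pair is")]

def weak_proposals(line: str) -> List[Tuple[int, List[str]]]:
    """(proposal index, weak algorithms) for each proposal on a 'Recv IKE sa:' line."""
    m = PROPOSALS_RE.search(line)
    found = []
    for part in (m["body"].split(";") if m else []):
        idx = re.match(r"\s*\[(\d+)\]", part)
        weak = sorted(name for name, rx in WEAK_MARKERS.items() if rx.search(part))
        if idx and weak:
            found.append((int(idx[1]), weak))
    return found

@dataclass
class Diagnosis:
    role: Optional[str] = None           # "initiator" or "responder"
    phase1_done: bool = False
    failed_phase: Optional[int] = None
    tunnel: Optional[str] = None         # VPN Connection the responder matched
    reason: Optional[str] = None         # reason recorded by the responder
    weak: List[Tuple[int, List[str]]] = field(default_factory=list)

def analyze(log: str) -> Diagnosis:
    """Walk the log in time order and fill in a Diagnosis."""
    d = Diagnosis()
    for line in chronological(log):
        if line.startswith("Recv Main Mode request"):
            d.role = "responder"
        elif line.startswith("Send Main Mode request"):
            d.role = "initiator"
        elif line.startswith("Recv IKE sa:"):
            d.weak = weak_proposals(line)
        elif line == "Phase 1 IKE SA process done":
            d.phase1_done = True
        elif "NO_PROPOSAL_CHOSEN" in line and d.failed_phase is None:
            d.failed_phase = 2 if d.phase1_done else 1   # no reason logged: infer
        m = MISMATCH_RE.search(line)
        if m:
            d.tunnel, d.failed_phase, d.reason = m["tunnel"], int(m["phase"]), m["reason"]
    return d

def summary(d: Diagnosis) -> str:
    """One-line verdict, e.g. 'responder: phase 2 failed: Local policy mismatch'."""
    if d.failed_phase is None:
        return f"{d.role}: no failure recorded"
    why = d.reason or "peer sent NO_PROPOSAL_CHOSEN (reason is in the responder's log)"
    weak = f"; weak phase-1 proposals: {d.weak}" if d.weak else ""
    return f"{d.role}: phase {d.failed_phase} failed: {why}{weak}"
```

Run `summary(analyze(SERVER_LOG))` and `summary(analyze(CLIENT_LOG))` to see the asymmetry the post is struggling with: the initiator only learns that its Quick Mode proposal was refused, while the responder names the VPN Connection (`L2TP_Connection`) and the Phase 2 selector ("Local policy") that did not match, so the responder's log is the one to read first. The weak-proposal list is a separate finding: every proposal the initiator offered used 1024-bit MODP, and two of them 3DES or single DES, which is worth fixing in the gateway's Phase 1 proposal list once the tunnel comes up.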