USG as VPN client behind a router

Options
StefanZ
StefanZ Posts: 192  Master Member
First Anniversary 10 Comments Friend Collector First Answer
I already asked this question here in length tonight, but either it has not been greenlit yet, or it was somehow lost.

I have a FLEX200 that accepts L2TP over IPsec connections. It's on it's own WAN and connecting with MacOSX (built in client) works as expected.

Now I want a FLEX50 to do the very same: Connect via that VPN account to the FLEX200.

Phase-1 is successful, but Phase-2 fails.

IKE Log says this (in reversed order):
Send:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
[SA] : No proposal chosen
[ID] : Tunnel [L2TP_Connection] Phase 2 Local policy mismatch
Recv:[HASH][SA][NONCE][ID][ID]
Phase 1 IKE SA process done

Questions:
- Do I need to use NAT on the router that is infront of the FLEX50? A PC client doesn't need that either, right?
- Is the WAN-IP on the FLEX50 correct? It has the DHCP local IP from the router. Should that be the WAN IP of the router maybe?
- Do I need to configure any policies on the FLEX50 to have the tunnel established?
- Do I need to enable X-Auth on either server or client? A PC client requires both password and PSK, the FLEX50 only has the PSK at this point, but then X-Auth is not active in my FLEX200 config anyway.

Maybe this is all wrong anyway and there is a better way to achieve what I want:
Have the FLEX50 sit at a customer site to allow access to some display kiosk.
There will be a router infront and I don't want to mess with it. So the FLEX50 should auto-dial to the FLEX200 as soon as it receives a local IP on its' WAN.





Best Answers

  • zyman2008
    zyman2008 Posts: 206  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options
    StefanZ,
    Zyxel firewall doesn't support as a L2TP/IPSec VPN client.
    Using VPN wizard to create another Site-to-Site rule on USG FLEX 200 and FLEX 50.


    On FLEX 200:
    Select IKEv2 to make it different with the L2TP/IPSec server rule.





    On FLEX 50:
    Select Remote Access (client role)




  • zyman2008
    zyman2008 Posts: 206  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options
    I also have a ZyWALL USG 20 – which cannot do IKEv2.
    Is there a mode to do the same with this model too, minus the IKEv2?
    StefanZ,
    If the USG 20 also behind NAT with dynamic public IP address. Then,
    On USG FLEX 200 create another IKEv1 aggressive mode rule (make it easy to different from to other  rules to avoid conflict)

    On USG FLEX 200,


     
    Select Aggressive mode.




    After rules created. You need to Edit this VPN Gateway rule.
    In advanced settings, setup Local ID to a string (ex. myflex200)
    This is important for the peer, as a Key to match the right rule on USG FLEX 200.
      

    On UGS20: 
    I don't have the old USG on hand to screenshot settings steps for you.
    You can create rule based on UGS FLEX 200's settings.
    Just need to remember the key attributes, 
    - Select client role
    - Select Aggressive mode
    - Edit and setup the right Peer ID on UGS20 (need to match the Local ID on USG FLEX 200)


All Replies

  • zyman2008
    zyman2008 Posts: 206  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options
    StefanZ,
    Zyxel firewall doesn't support as a L2TP/IPSec VPN client.
    Using VPN wizard to create another Site-to-Site rule on USG FLEX 200 and FLEX 50.


    On FLEX 200:
    Select IKEv2 to make it different with the L2TP/IPSec server rule.





    On FLEX 50:
    Select Remote Access (client role)




  • StefanZ
    StefanZ Posts: 192  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Thanks for the answer.
    The FLEX200 still seems to use the old L2TP connection, the name "L2TP_Connection" pops up in the log:
    [COOKIE] Invalid cookie, no sa found [count=2]
    The cookie pair is : 0x5d208c7ae5504b67 / 0x9ed0e0bacf9da71c [count=2]
    ISAKMP SA [L2TP_VPN_Gateway] is disconnected
    The cookie pair is : 0x5d208c7ae5504b67 / 0x9ed0e0bacf9da71c
    Received delete notification
    Recv:[HASH][DEL]
    The cookie pair is : 0x9ed0e0bacf9da71c / 0x5d208c7ae5504b67 [count=2]
    Send:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
    [SA] : No proposal chosen
    [SA] : Tunnel [L2TP_Connection] Phase 2 proposal mismatch
    Recv:[HASH][SA][NONCE][KE][ID][ID]
    Phase 1 IKE SA process done
    Send:[ID][HASH]
    The cookie pair is : 0x5d208c7ae5504b67 / 0x9ed0e0bacf9da71c [count=5]
    Recv:[ID][HASH][NOTIFY:INITIAL_CONTACT]
    The cookie pair is : 0x9ed0e0bacf9da71c / 0x5d208c7ae5504b67 [count=2]
    Send:[KE][NONCE][PRV][PRV]
    Recv:[KE][NONCE][PRV][PRV]
    Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID]
    The cookie pair is : 0x5d208c7ae5504b67 / 0x9ed0e0bacf9da71c [count=2]
    Recv IKE sa: SA([0] protocol = IKE (1), 3DES, HMAC-MD5 PRF, HMAC-MD5-96, 1024 bit MODP; [1] protocol = IKE (1), 3DES, HMAC-SHA1 PRF, HMAC-SHA1-96, 1024 bit MODP; [2] protocol = IKE (1), DES, HMAC-SHA1 PRF, HMAC-SHA1-96, 1024 bit MODP; ).
    Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID]
    The cookie pair is : 0x9ed0e0bacf9da71c / 0x5d208c7ae5504b67 [count=2]
    Recv Main Mode request from [<FLEX50-WAN-IP>]
    The cookie pair is : 0x5d208c7ae5504b67 / 0x0000000000000000

    Do I need to change / deactivate anything on the L2TP VPN settings screen?
    The new connection doesn't show up in the list tho. See screenshot.


  • StefanZ
    StefanZ Posts: 192  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    OK, now it works, cool.
    Disabled the L2TP VPN setting and disabled my first setting.
  • StefanZ
    StefanZ Posts: 192  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Additional question:
    I also have a ZyWALL USG 20 – which cannot do IKEv2.
    Is there a mode to do the same with this model too, minus the IKEv2?

    By the way, I was able to get three VPN types at once working, pretty neat.
    #1 L2TP-over-IPsec IKEv1(for use with PC clients)
    #2 IKEv2 site-to-site (well client/server as you described)
    #3 IKEv2 (for use with PC clients)
  • zyman2008
    zyman2008 Posts: 206  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options
    I also have a ZyWALL USG 20 – which cannot do IKEv2.
    Is there a mode to do the same with this model too, minus the IKEv2?
    StefanZ,
    If the USG 20 also behind NAT with dynamic public IP address. Then,
    On USG FLEX 200 create another IKEv1 aggressive mode rule (make it easy to different from to other  rules to avoid conflict)

    On USG FLEX 200,


     
    Select Aggressive mode.




    After rules created. You need to Edit this VPN Gateway rule.
    In advanced settings, setup Local ID to a string (ex. myflex200)
    This is important for the peer, as a Key to match the right rule on USG FLEX 200.
      

    On UGS20: 
    I don't have the old USG on hand to screenshot settings steps for you.
    You can create rule based on UGS FLEX 200's settings.
    Just need to remember the key attributes, 
    - Select client role
    - Select Aggressive mode
    - Edit and setup the right Peer ID on UGS20 (need to match the Local ID on USG FLEX 200)


  • StefanZ
    StefanZ Posts: 192  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited February 2023
    Options
    Thanks again!

    It worked out, after I also set both Local-ID and Remote-ID. This made both sides chose the correct gateway and connection. That is because I have several, different VPNs active.
    Thanks a lot!
  • StefanZ
    StefanZ Posts: 192  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Additional note:
    It seems that the OSX IKEv2 client requires a correctly formatted eMail address when you chose to use this type of ID! It can be a made up address, but has to be a pattern like xxx@yyy.zz.
    The USG20 does it with "any string" in the eMail type field, OSX seems to be "special" once more. The log doesn't tell me if it was really on OSXs' side, or if it is because of the way the FLEX200 handles IKEv2.

Security Highlight