USG as VPN client behind a router

StefanZ
I already asked this question here at length tonight, but either it has not been greenlit yet, or it was somehow lost.

I have a FLEX200 that accepts L2TP over IPsec connections. It's on its own WAN, and connecting with Mac OS X (built-in client) works as expected.

Now I want a FLEX50 to do the very same: Connect via that VPN account to the FLEX200.

Phase-1 is successful, but Phase-2 fails.

IKE Log says this (in reversed order):
Send:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
[SA] : No proposal chosen
[ID] : Tunnel [L2TP_Connection] Phase 2 Local policy mismatch
Recv:[HASH][SA][NONCE][ID][ID]
Phase 1 IKE SA process done

Questions:
- Do I need to use NAT on the router that is in front of the FLEX50? A PC client doesn't need that either, right?
- Is the WAN-IP on the FLEX50 correct? It has the DHCP local IP from the router. Should that be the WAN IP of the router maybe?
- Do I need to configure any policies on the FLEX50 to have the tunnel established?
- Do I need to enable X-Auth on either server or client? A PC client requires both password and PSK, the FLEX50 only has the PSK at this point, but then X-Auth is not active in my FLEX200 config anyway.

Maybe this is all wrong anyway and there is a better way to achieve what I want:
Have the FLEX50 sit at a customer site to allow access to some display kiosk.
There will be a router in front and I don't want to mess with it. So the FLEX50 should auto-dial to the FLEX200 as soon as it receives a local IP on its WAN.

All Replies

  • zyman2008 (Answer ✓)
    StefanZ,
    Zyxel firewalls don't support acting as an L2TP/IPSec VPN client.
    Use the VPN wizard to create another Site-to-Site rule on the USG FLEX 200 and FLEX 50.


    On FLEX 200:
    Select IKEv2 to make it different from the L2TP/IPSec server rule.

    On FLEX 50:
    Select Remote Access (client role)




  • StefanZ
    Thanks for the answer.
    The FLEX200 still seems to use the old L2TP connection, the name "L2TP_Connection" pops up in the log:
    [COOKIE] Invalid cookie, no sa found [count=2]
    The cookie pair is : 0x5d208c7ae5504b67 / 0x9ed0e0bacf9da71c [count=2]
    ISAKMP SA [L2TP_VPN_Gateway] is disconnected
    The cookie pair is : 0x5d208c7ae5504b67 / 0x9ed0e0bacf9da71c
    Received delete notification
    Recv:[HASH][DEL]
    The cookie pair is : 0x9ed0e0bacf9da71c / 0x5d208c7ae5504b67 [count=2]
    Send:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
    [SA] : No proposal chosen
    [SA] : Tunnel [L2TP_Connection] Phase 2 proposal mismatch
    Recv:[HASH][SA][NONCE][KE][ID][ID]
    Phase 1 IKE SA process done
    Send:[ID][HASH]
    The cookie pair is : 0x5d208c7ae5504b67 / 0x9ed0e0bacf9da71c [count=5]
    Recv:[ID][HASH][NOTIFY:INITIAL_CONTACT]
    The cookie pair is : 0x9ed0e0bacf9da71c / 0x5d208c7ae5504b67 [count=2]
    Send:[KE][NONCE][PRV][PRV]
    Recv:[KE][NONCE][PRV][PRV]
    Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID]
    The cookie pair is : 0x5d208c7ae5504b67 / 0x9ed0e0bacf9da71c [count=2]
    Recv IKE sa: SA([0] protocol = IKE (1), 3DES, HMAC-MD5 PRF, HMAC-MD5-96, 1024 bit MODP; [1] protocol = IKE (1), 3DES, HMAC-SHA1 PRF, HMAC-SHA1-96, 1024 bit MODP; [2] protocol = IKE (1), DES, HMAC-SHA1 PRF, HMAC-SHA1-96, 1024 bit MODP; ).
    Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID]
    The cookie pair is : 0x9ed0e0bacf9da71c / 0x5d208c7ae5504b67 [count=2]
    Recv Main Mode request from [<FLEX50-WAN-IP>]
    The cookie pair is : 0x5d208c7ae5504b67 / 0x0000000000000000

    Do I need to change / deactivate anything on the L2TP VPN settings screen?
    The new connection doesn't show up in the list though. See screenshot.
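A small parser for IKE log excerpts like the two quoted in this thread, added here as an example (it is not code from the thread or from Zyxel). It reads the USG's newest-first output in chronological order, records whether Phase 1 completed, which tunnel rule the responder matched the peer against when Phase 2 failed, and which Phase 1 proposals the initiator offered. The line formats are taken only from the excerpts quoted above; the sample log is constructed from those lines, and the list of weak transforms (DES, 3DES, HMAC-MD5, 1024-bit MODP) is a general hardening assumption rather than a Zyxel setting. That last check is the one a practitioner would want to see on the `Recv IKE sa:` line above: every proposal the FLEX50 offered in that exchange uses one of those transforms.

```python
"""Summarise a Zyxel-style IKE log and flag weak Phase 1 proposals.

Added example, not Zyxel code. The line formats are taken from the log
excerpts quoted in this thread; anything else here is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, assembled from the lines quoted in the thread and kept
# in the order the USG shows them: newest entry first.
SAMPLE_LOG = """\
Send:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
[SA] : No proposal chosen
[SA] : Tunnel [L2TP_Connection] Phase 2 proposal mismatch
Recv:[HASH][SA][NONCE][KE][ID][ID]
Phase 1 IKE SA process done
Recv:[ID][HASH][NOTIFY:INITIAL_CONTACT]
Recv IKE sa: SA([0] protocol = IKE (1), 3DES, HMAC-MD5 PRF, HMAC-MD5-96, 1024 bit MODP; [1] protocol = IKE (1), 3DES, HMAC-SHA1 PRF, HMAC-SHA1-96, 1024 bit MODP; [2] protocol = IKE (1), DES, HMAC-SHA1 PRF, HMAC-SHA1-96, 1024 bit MODP; ).
Recv Main Mode request from [<FLEX50-WAN-IP>]
"""

# Transform names that current hardening guidance treats as weak (assumption:
# a general list, not a Zyxel setting). Matched as substrings of each transform,
# so "DES" also catches "3DES".
WEAK_TOKENS = ("DES", "HMAC-MD5", "1024 bit MODP")

PEER_RE = re.compile(r"Recv (Main|Aggressive) Mode request from \[([^\]]+)\]")
PROPOSAL_RE = re.compile(r"\[(\d+)\] protocol = IKE \(1\), ([^;]+);")
PHASE2_FAIL_RE = re.compile(r"Tunnel \[(?P<tunnel>[^\]]+)\] Phase 2 (?P<reason>.+)")
NOTIFY_RE = re.compile(r"NOTIFY:([A-Z_]+)")


@dataclass
class IkeSummary:
    peer: Optional[str] = None
    exchange_mode: Optional[str] = None
    phase1_done: bool = False
    phase2_failed_tunnel: Optional[str] = None
    phase2_reason: Optional[str] = None
    notifies: List[str] = field(default_factory=list)
    proposals: List[List[str]] = field(default_factory=list)  # one transform list per proposal
    weak_proposals: List[int] = field(default_factory=list)   # indexes into proposals


def parse_proposals(line: str) -> List[List[str]]:
    """Split a 'Recv IKE sa:' line into per-proposal transform lists."""
    return [[t.strip() for t in body.split(",")] for _, body in PROPOSAL_RE.findall(line)]


def is_weak(transforms: List[str]) -> bool:
    """True if any transform in the proposal matches a weak token."""
    return any(tok in t for t in transforms for tok in WEAK_TOKENS)


def summarise(log_text: str) -> IkeSummary:
    """Walk the log oldest-first and record the negotiation outcome."""
    s = IkeSummary()
    for raw in reversed(log_text.strip().splitlines()):  # undo newest-first display order
        line = raw.strip()
        if m := PEER_RE.search(line):
            s.exchange_mode, s.peer = m.group(1), m.group(2)
        elif line.startswith("Recv IKE sa:"):
            s.proposals = parse_proposals(line)
            s.weak_proposals = [i for i, p in enumerate(s.proposals) if is_weak(p)]
        elif line == "Phase 1 IKE SA process done":
            s.phase1_done = True
        elif m := PHASE2_FAIL_RE.search(line):
            s.phase2_failed_tunnel = m.group("tunnel")
            s.phase2_reason = m.group("reason").strip()
        elif m := NOTIFY_RE.search(line):
            s.notifies.append(m.group(1))
    return s


def diagnose(s: IkeSummary) -> str:
    """Plain-language reading of the outcomes seen in this thread."""
    if s.phase2_failed_tunnel and "NO_PROPOSAL_CHOSEN" in s.notifies:
        return (f"Phase 1 completed with {s.peer} ({s.exchange_mode} mode), but Phase 2 was "
                f"matched against tunnel '{s.phase2_failed_tunnel}' ({s.phase2_reason}): "
                "the responder picked a rule whose Phase 2 proposal or policy does not fit "
                "this peer, so check which gateway/connection rule the peer is matched to.")
    if s.phase1_done:
        return "Phase 1 completed and no Phase 2 failure was logged."
    return "Phase 1 did not complete."


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    print(diagnose(summary))
    for i, p in enumerate(summary.proposals):
        flag = "WEAK" if i in summary.weak_proposals else "ok"
        print(f"  proposal {i}: {', '.join(p)} [{flag}]")
```

Run against the thread's second excerpt, the diagnosis points at `L2TP_Connection`, which is exactly the hint that led to the fix later in this thread (the responder was matching the new peer against the existing L2TP rule), and all three offered proposals are flagged as weak.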


  • StefanZ
    OK, now it works, cool.
    I disabled the L2TP VPN setting and disabled my first setting.
  • StefanZ
    Additional question:
    I also have a ZyWALL USG 20 – which cannot do IKEv2.
    Is there a mode to do the same with this model too, minus the IKEv2?

    By the way, I was able to get three VPN types at once working, pretty neat.
    #1 L2TP-over-IPsec IKEv1 (for use with PC clients)
    #2 IKEv2 site-to-site (well client/server as you described)
    #3 IKEv2 (for use with PC clients)
  • zyman2008 (Answer ✓)
    I also have a ZyWALL USG 20 – which cannot do IKEv2.
    Is there a mode to do the same with this model too, minus the IKEv2?
    StefanZ,
    If the USG 20 is also behind NAT with a dynamic public IP address, then
    on the USG FLEX 200 create another IKEv1 aggressive mode rule (make it easy to distinguish from the other rules to avoid conflicts).

    On USG FLEX 200,
    Select Aggressive mode.

    After the rules are created, you need to edit this VPN Gateway rule.
    In the advanced settings, set the Local ID to a string (e.g. myflex200).
    This is important for the peer, as a key to match the right rule on the USG FLEX 200.

    On USG20:
    I don't have the old USG on hand to screenshot the settings steps for you.
    You can create the rule based on the USG FLEX 200's settings.
    Just remember the key attributes:
    - Select client role
    - Select Aggressive mode
    - Edit and set up the right Peer ID on the USG20 (it needs to match the Local ID on the USG FLEX 200)


  • StefanZ (edited February 2023)
    Thanks again!

    It worked out, after I also set both Local-ID and Remote-ID. This made both sides choose the correct gateway and connection. That matters because I have several different VPNs active.
    Thanks a lot!
  • StefanZ
    Additional note:
    It seems that the OS X IKEv2 client requires a correctly formatted e-mail address when you choose to use this type of ID! It can be a made-up address, but it has to follow a pattern like xxx@yyy.zz.
    The USG20 does it with "any string" in the e-mail type field; OS X seems to be "special" once more. The log doesn't tell me if it was really on OS X's side, or if it is because of the way the FLEX200 handles IKEv2.
