IpSec VPN with Remote Access Server - trouble

On "USG310" I have configured IPSec VPN as Remote Access Server.
Everything works fine but...
Problems start when more than one user connects from the same remote network. For example, with two users, they start disconnecting and reconnecting alternately. As if logging in one causes logging out/invalidating the session of the other.
How to fix it?
Why is this happening?

Accepted Solution

  • zyman2008
    zyman2008 Posts: 199  Master Member
    edited March 2023 Answer ✓

    Here is the guideline to create VPN rules:

    Static Site to Site:

    • One rule for one peer
    • My IP - Peer IP will be the matching criteria

    Site to Site with dynamic Peer & Remote Access:

    • One rule for all peers. Setup Local ID/Remote ID is any. On the peer setup remote ID/Local ID.
    • Setup the proposal different with other Site to Site with dynamic peer and Remote Access rule.

    But if you have multiple dynamic peer/remote access rules, the issue will be that you don't know what the priority/order of the rules is.

    Since the IPSec design of the Zyxel firewall cannot assign a priority number to the rules like Cisco does.

    This is what Zyxel needs to improve.

    At least show the runtime priority/ordering of rules for troubleshooting.

All Replies

  • zyman2008
    zyman2008 Posts: 199  Master Member

    Hi @KonradWo ,

    Multiple clients under the same NAT router.

    The source IP address of VPN (IKE) request from clients is the same IP.

    The VPN server cannot identify the difference without a unique "fingerprint".

    So you need to set up a different "local ID" on each client.

    How to do that?

    It varies depending on what client software you have.

    Some have support, some don't.
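    The following is an added illustration, not code from this thread or from Zyxel: a toy model of an IKE responder that covers the two points made above, rule selection (static rules matched on My IP/Peer IP, dynamic/remote-access rules matched on the proposal and Remote ID) and session identification behind a shared NAT address. The rule names, addresses, proposal values and the simplification that a new IKE request carrying the same session key replaces the existing SA are all constructed for the example; a real responder also sees SPIs and UDP ports, which this model deliberately omits to show the failure the reply describes.

```python
"""Toy IKE responder model, constructed for this thread (not Zyxel code).

Models two questions from the thread:
  1. how a responder picks a VPN rule for an incoming IKE request, and
  2. why two clients behind one NAT router knock each other off when the
     server keys sessions on the peer address alone, and why a unique
     Local ID (IDi) per client fixes it.
All names, rules and addresses below are constructed examples.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # models "any" in the Peer IP / Remote ID fields


@dataclass(frozen=True)
class Proposal:
    encryption: str
    integrity: str
    dh_group: int


@dataclass(frozen=True)
class VpnRule:
    name: str
    peer_ip: Optional[str]    # fixed address for static site-to-site, ANY for dynamic/remote access
    remote_id: Optional[str]  # IDi expected from the peer, ANY to accept all
    proposal: Proposal


@dataclass(frozen=True)
class IkeRequest:
    src_ip: str      # outer address the server sees (the NAT router's public IP)
    local_id: str    # IDi payload sent by the client ("Local ID" on the client)
    proposal: Proposal


class AmbiguousRule(Exception):
    """More than one dynamic rule matches; the firewall's runtime ordering decides, not the admin."""


def select_rule(rules: List[VpnRule], req: IkeRequest) -> Optional[VpnRule]:
    """Static rules win on an exact Peer IP match; dynamic rules match on proposal + Remote ID."""
    for r in rules:
        if r.peer_ip is not ANY and r.peer_ip == req.src_ip:
            return r
    candidates = [
        r for r in rules
        if r.peer_ip is ANY
        and r.proposal == req.proposal
        and (r.remote_id is ANY or r.remote_id == req.local_id)
    ]
    if len(candidates) > 1:
        raise AmbiguousRule([r.name for r in candidates])
    return candidates[0] if candidates else None


class SessionTable:
    """Active IKE SAs, keyed on the peer address alone or on (address, IDi)."""

    def __init__(self, key_on_local_id: bool):
        self.key_on_local_id = key_on_local_id
        self.sessions = {}  # key -> local_id of the client owning the SA
        self.log = []       # human-readable event log

    def _key(self, req: IkeRequest):
        return (req.src_ip, req.local_id) if self.key_on_local_id else req.src_ip

    def connect(self, req: IkeRequest) -> None:
        key = self._key(req)
        owner = self.sessions.get(key)
        if owner is not None and owner != req.local_id:
            # Same key as a live SA: the model treats the request as a
            # re-negotiation and tears down the old SA, i.e. the other user's tunnel.
            self.log.append(f"{req.local_id} connected, {owner} dropped")
        else:
            self.log.append(f"{req.local_id} connected")
        self.sessions[key] = req.local_id

    def active_users(self) -> List[str]:
        return sorted(self.sessions.values())


PROP_A = Proposal("aes256", "sha256", 14)  # constructed remote-access proposal
PROP_B = Proposal("aes128", "sha1", 2)     # constructed, distinct proposal for the dynamic branch rule


def example_rules() -> List[VpnRule]:
    """Constructed rule set following the guideline: distinct proposals per dynamic rule."""
    return [
        VpnRule("HQ-static", "198.51.100.5", "hq", PROP_A),
        VpnRule("RemoteAccess", ANY, ANY, PROP_A),
        VpnRule("DynamicBranch", ANY, ANY, PROP_B),
    ]


def simulate(key_on_local_id: bool) -> SessionTable:
    """Two users (constructed) behind one NAT address 203.0.113.10, then the first reconnects."""
    table = SessionTable(key_on_local_id)
    nat_ip = "203.0.113.10"
    table.connect(IkeRequest(nat_ip, "alice@example.test", PROP_A))
    table.connect(IkeRequest(nat_ip, "bob@example.test", PROP_A))
    table.connect(IkeRequest(nat_ip, "alice@example.test", PROP_A))
    return table


if __name__ == "__main__":
    for keyed in (False, True):
        print("key on (ip, local id):" if keyed else "key on ip only:", simulate(keyed).log)
```

    Running the module prints the event log for both keying choices: keyed on the address alone, each new user evicts the previous one (the alternating connect/disconnect from the first post), while keying on the address plus a unique Local ID keeps both tunnels up. The second half models the accepted answer's guideline: adding a second dynamic rule with the same proposal and Remote ID "any" makes `select_rule` raise `AmbiguousRule`, which is the ordering problem the answer says the firewall gives no visibility into.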

  • KonradWo
    KonradWo Posts: 4

    So if I have 10 clients, I must configure 10 VPN Gateways and 10 VPN Connections?

    Hmm, other vendors have no such restrictions.

  • zyman2008
    zyman2008 Posts: 199  Master Member

    Just one VPN Gateway/Connection rule on the firewall.

    But each client needs to set up a unique local-id.

    This point of view comes from the IPSec IKE RFC standard.

    Remote/Local ID is one of the matching criteria for IKE negotiation.

    But the default value of the local id depends on the design of the VPN client.

    Here is an example of the iPhone IKEv2 VPN configuration page.

    There is a Local ID field for you to set up.

  • KonradWo
    KonradWo Posts: 4
    edited March 2023

    But what if I have more than one VPN Gateway / VPN Connection pair in my router with different rules?

    How then will the system distinguish the connections?

    By allowing any as the Remote ID, you can't distinguish between sessions and it stops working.

  • Ethanwallace

    Thanks for info..

  • KonradWo
    KonradWo Posts: 4

    This doesn't solve the problem, but it does clarify the situation. Thank you for the information and help.