Site-to-site VPN between Zywall 110 and MS Azure

EricLogsdon
EricLogsdon Posts: 8  Freshman Member
First Anniversary First Answer First Comment
edited September 2023 in Security

I am setting up a Site-to-Site VPN between my small office and MS Azure. The office network is behind a NAT in the Zywall 110 since we have multiple public IP addresses for some outward facing servers. I have seen references to Policy Based and Route based VPN. Which is better?

[Update]

I used the Quick Setup wizard, which generated a Policy Based Site-to-Site VPN. The MS Azure connection stays in a "connecting" status and the Zywall never goes to connected status. If I click the Connect button for the connection, it times out. I am guessing something isn't in sync between the two configuration, but I don't see what it is.

Here is the Zywall configuration:

Gateway

Connection:

The Azure settings are:

Azure Vnet Address space:

Vnet subnets:

Vnet Gateway:

Local Net Gateway:

Connection:

Any wisdom would be appreciated.

Eric

Accepted Solution

  • Zyxel_James
    Zyxel_James Posts: 610  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓

    @EricLogsdon

    The logs show "Phase 1 Peer ID mismatch" and "No proposal chosen", please check if the phase 1/2 algorithms have corresponded, and the Local/Peer ID seems incorrect too. Please show the encrypted algorithms of phase1/2.

    Moreover, is your firewall behind NAT?

All Replies

  • Zyxel_James
    Zyxel_James Posts: 610  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Here is a knowledge base article for your reference

    https://support.zyxel.eu/hc/en-us/articles/360001524813-VPN-Configure-Site-to-site-IPSec-VPN-with-Microsoft-MS-Azure-#h_01GM2Y0XGGSWR8QC896WNS1D1X

    To troubleshoot the site-to-site VPN connection, please provide the VPN-related logs, thanks.

  • EricLogsdon
    EricLogsdon Posts: 8  Freshman Member
    First Anniversary First Answer First Comment

    Thanks. I'll look through this.

  • EricLogsdon
    EricLogsdon Posts: 8  Freshman Member
    First Anniversary First Answer First Comment

    That knowledge base article is the one I used to set up the VPN (Azure & ZyWall). I went ahead and deleted my configuration and Reconfigured both environments. I have included screen shots of the IKE log from the ZyWall 110 as well as the configurations of both environments. I did the screen shots of the log because I found the e-mail of the log difficult to read. I didn't see any other options to get the log.

    IKE Log:

    ZyWall Gateway:

    ZyWall Connection:

    Azure Vnet Address Space:

    Azure Vnet Subnets:

    Azure Local Gateway:

    Azure Vnet Gateway:

    Azure Connection:

    Thank you.

  • Zyxel_James
    Zyxel_James Posts: 610  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓

    @EricLogsdon

    The logs show "Phase 1 Peer ID mismatch" and "No proposal chosen", please check if the phase 1/2 algorithms have corresponded, and the Local/Peer ID seems incorrect too. Please show the encrypted algorithms of phase1/2.

    Moreover, is your firewall behind NAT?

  • zyman2008
    zyman2008 Posts: 199  Master Member
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @EricLogsdon ,

    I do recommend to use route-based IPSec VPN instead of policy-based VPN which is limited for link to cloud service and not easy to trouble shoot.

    Also, I think Zyxel obsoleted the policy-based KB by route-based.

  • EricLogsdon
    EricLogsdon Posts: 8  Freshman Member
    First Anniversary First Answer First Comment

    Zyxel_James,

    The Phase1/Phase2 algorithms match. I saw the remote peer id was a prior IP address. I updated that. The ZyWall 110 is not behind a NAT, should I disable NATT?

    As it stands now, changing the peer id resolved my connection issue. And I am able to communicate into the Azure Vnet.

  • EricLogsdon
    EricLogsdon Posts: 8  Freshman Member
    First Anniversary First Answer First Comment

    zyman2008

    I will take a look at that.

Security Highlight