Site-to-site VPN between Zywall 110 and MS Azure

Posts: 8  Freshman Member
edited September 2023 in Security

I am setting up a Site-to-Site VPN between my small office and MS Azure. The office network is behind a NAT in the Zywall 110 since we have multiple public IP addresses for some outward-facing servers. I have seen references to policy-based and route-based VPN. Which is better?

[Update]

I used the Quick Setup wizard, which generated a policy-based Site-to-Site VPN. The MS Azure connection stays in a "connecting" status and the Zywall never goes to connected status. If I click the Connect button for the connection, it times out. I am guessing something isn't in sync between the two configurations, but I don't see what it is.

Here is the Zywall configuration (screenshots: Gateway, Connection).

The Azure settings are (screenshots: Azure Vnet address space, Vnet subnets, Vnet Gateway, Local Net Gateway, Connection).

Any wisdom would be appreciated.

Eric


Accepted Solution

  • Posts: 664  Zyxel Employee
    Answer ✓

    @EricLogsdon

    The logs show "Phase 1 Peer ID mismatch" and "No proposal chosen". Please check whether the phase 1/2 algorithms correspond; the Local/Peer ID also seems incorrect. Please show the encryption algorithms of phase 1/2.

    Moreover, is your firewall behind NAT?
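The two log messages named in the accepted answer come from different steps of the IKE negotiation, and the NAT question is related to the second one. The following is an added example written for this page, not code from the thread, Zyxel or Microsoft: a small Python model of a ZyWALL-side and an Azure-side configuration that shows when a responder would answer "No proposal chosen", when "Phase 1 Peer ID mismatch" appears (including the case where a firewall behind NAT identifies itself by its private interface address), and what changes to make each case succeed. All addresses, algorithm names and field names are constructed assumptions for illustration; none are Zyxel or Azure defaults.

```python
"""
Added example for this thread (not from the original post, Zyxel or Microsoft):
a model of the two IKE failures the accepted answer names, "No proposal chosen"
and "Phase 1 Peer ID mismatch", and of the NAT question that follows it.
Every IP address, algorithm name and config field below is a constructed
assumption for illustration, not a Zyxel or Azure default.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    encryption: str                  # e.g. "aes256"
    integrity: str                   # e.g. "sha256"
    dh_group: Optional[int] = None   # None for a phase 2 proposal without PFS


@dataclass(frozen=True)
class Peer:
    name: str
    public_ip: str
    behind_nat: bool
    private_ip: Optional[str]        # interface address when behind NAT
    local_id: Optional[str]          # explicit IKE ID; None = "use my interface IP"
    expected_peer_id: str            # ID this side requires from the other
    phase1: Tuple[Proposal, ...]
    phase2: Tuple[Proposal, ...]


def effective_id(peer: Peer) -> str:
    """The IKE identity the other side actually sees.

    Assumed behaviour: with no explicit ID a gateway identifies itself by the
    address on its own interface, which behind NAT is the private one."""
    if peer.local_id is not None:
        return peer.local_id
    return peer.private_ip if peer.behind_nat else peer.public_ip


def choose_proposal(offered, supported) -> Optional[Proposal]:
    """First offered proposal the responder also supports; None means the
    responder would answer 'No proposal chosen'."""
    for p in offered:
        if p in supported:
            return p
    return None


def diagnose(a: Peer, b: Peer) -> list:
    """Return failure codes in the order the negotiation would hit them."""
    if choose_proposal(a.phase1, b.phase1) is None:
        # Negotiation stops in the first exchange; IDs are never compared.
        return ["NO_PROPOSAL_P1"]
    codes = []
    for sender, receiver in ((a, b), (b, a)):
        if effective_id(sender) != receiver.expected_peer_id:
            codes.append(f"PEER_ID_MISMATCH_AT_{receiver.name}")
    if codes:
        return codes
    if choose_proposal(a.phase2, b.phase2) is None:
        return ["NO_PROPOSAL_P2"]
    return []


# Constructed sample configurations (documentation-range addresses).
P1_STRONG = Proposal("aes256", "sha256", 14)
P1_WEAK = Proposal("aes128", "sha1", 2)
P2_STRONG = Proposal("aes256", "sha256")

AZURE = Peer("azure", "198.51.100.9", False, None, None,
             expected_peer_id="203.0.113.10",
             phase1=(P1_STRONG,), phase2=(P2_STRONG,))
ZYWALL_OK = Peer("zywall", "203.0.113.10", False, None, None,
                 expected_peer_id="198.51.100.9",
                 phase1=(P1_STRONG,), phase2=(P2_STRONG,))
# Remote peer ID still set to a previous Azure gateway address, as in the thread.
ZYWALL_STALE_ID = replace(ZYWALL_OK, expected_peer_id="198.51.100.7")
# Phase 1 algorithms the Azure side does not offer.
ZYWALL_WEAK_P1 = replace(ZYWALL_OK, phase1=(P1_WEAK,))
# Firewall behind NAT and still identifying itself by its interface address.
ZYWALL_NATTED = replace(ZYWALL_OK, behind_nat=True, private_ip="192.168.1.2")
# Same box with an explicit local ID equal to the public address Azure expects.
ZYWALL_NATTED_FIXED = replace(ZYWALL_NATTED, local_id="203.0.113.10")

if __name__ == "__main__":
    for z in (ZYWALL_OK, ZYWALL_STALE_ID, ZYWALL_WEAK_P1,
              ZYWALL_NATTED, ZYWALL_NATTED_FIXED):
        print(f"sends id={effective_id(z):14s} expects={z.expected_peer_id:14s}"
              f" -> {diagnose(z, AZURE) or 'OK'}")
```

The order of the checks is the practical point: a proposal mismatch aborts the first exchange, so a stale or wrong peer ID only shows up once the algorithm sets agree, and a box behind NAT that uses its interface address as its ID fails the ID check on the far side even when both proposal lists match.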

All Replies

  • Posts: 664  Zyxel Employee

    Here is a knowledge base article for your reference

    https://support.zyxel.eu/hc/en-us/articles/360001524813-VPN-Configure-Site-to-site-IPSec-VPN-with-Microsoft-MS-Azure-#h_01GM2Y0XGGSWR8QC896WNS1D1X

    To troubleshoot the site-to-site VPN connection, please provide the VPN-related logs, thanks.

  • Posts: 8  Freshman Member

    Thanks. I'll look through this.

  • Posts: 8  Freshman Member

    That knowledge base article is the one I used to set up the VPN (Azure & ZyWall). I went ahead and deleted my configuration and reconfigured both environments. I have included screenshots of the IKE log from the ZyWall 110 as well as the configurations of both environments. I did the screenshots of the log because I found the emailed log difficult to read. I didn't see any other options to get the log.

    (Screenshots: IKE Log; ZyWall Gateway; ZyWall Connection; Azure Vnet Address Space; Azure Vnet Subnets; Azure Local Gateway; Azure Vnet Gateway; Azure Connection.)

    Thank you.


  • Posts: 225  Master Member

    Hi @EricLogsdon ,

    I recommend using a route-based IPsec VPN instead of a policy-based VPN, which is limited for linking to cloud services and not easy to troubleshoot.

    Also, I think Zyxel has replaced the policy-based KB with a route-based one.

  • Posts: 8  Freshman Member

    Zyxel_James,

    The Phase 1/Phase 2 algorithms match. I saw the remote peer ID was a prior IP address. I updated that. The ZyWall 110 is not behind a NAT; should I disable NAT-T?

    As it stands now, changing the peer ID resolved my connection issue, and I am able to communicate into the Azure Vnet.

  • Posts: 8  Freshman Member

    zyman2008

    I will take a look at that.
