usg40 as router, site to site vpn, with webservers behind it.

eitan
eitan Posts: 9
First Comment
edited April 2021 in Security

Above are the specs for jobs 1 and 2 that the USG40 has to be configured for.

Hi 
Background:
After exhaustive research I purchased a USG40. My skill set is at the level of the RV042, which I want to replace because it cannot readily NAT outbound over a site to site VPN. The RV presently has three jobs: 1, it port forwards to an SSL-enabled HTTP nginx server which directs traffic to and from 3 webservers behind it; 2, it port forwards to other servers for various services. Finally, at number 3, it is running a site to site VPN tunnel. This RV has worked well until now. However, as mentioned above, the RV no longer meets my VPN needs.

Problem: 
I am failing to replicate the same setup with the USG40. My first priority is (1) reaching my webservers (HTTPS nginx and webservers) from outside the network. My second (2) priority is to be able to access other servers/services (currently port forwarded with the RV). My last priority (3) is to recreate the site to site VPN.

Thanks in advance
Eitan

All Replies

  • Alfonso
    Alfonso Posts: 257  Master Member
    First Anniversary Friend Collector First Answer First Comment
    Hi @eitan

    Can you show to us your USG40 configuration?
  • eitan
    eitan Posts: 9
    First Comment
    Thank you for your interest. I will upload that tomorrow.
  • eitan
    eitan Posts: 9
    First Comment
    Answer ✓
    I am sorry I have been away on another project. I solved the above scenario by port forwarding both 443 and 80 to the nginx machine. And then I created a security policy for traffic arriving at 209.183.24.195 to be allowed to the nginx machine on both ports 80 and 443. I did the same for 192.168.1.134 and other servers behind the ZyWALL.
  • eitan
    eitan Posts: 9
    First Comment
    Thank you Alfonso. I need help with my next challenge and that is to create a site to site VPN. It has to be what Cisco refers to as the extranet scenario. My partner's company and my company want to establish a site to site VPN between two servers. The VPN is to be restricted to only allow two servers (two sockets) to communicate securely across the internet. One server at my company, the other at my partner's. We do not want to share subnets etc...
    I believe my peer IP is 209.183.24.195. I want to use 216.254.177.194 (which is my first usable public IP) as the VPN public IP for the server at my location; internally my server's address is 192.168.1.3. The port to use on my server will be 2111. No internal IPs will be visible between the two companies.
    I will use my partner's peer public IP as 7.7.7.7, and the public IP, and port, of my partner's server as 6.6.6.6:2000
    Thank you in advance
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment

    @eitan
    Regarding your description, "only allow two servers (two sockets) to communicate", you may follow the steps below for reference.

    Firstly, if you only allow two servers (two sockets) to communicate via VPN, configure the two servers' IP addresses as the remote and local policy.

    Moreover, the steps below configure the rules that allow the two servers to communicate with a specific service via VPN.

    Create the Service for port 2111 (TCP, UDP) and group (T/U) them.

    Create the server IP address

    Go to Security Policy, allow 192.168.1.3:2111

    Others will be blocked.

    The above information is an example; you need to configure similar rules on both devices.

    If you have any questions, you can private message your configuration to me.

    Moreover, I want to confirm the purpose: do you want to use 7.7.7.7 instead of the peer public IP 209.183.24.195?

    Also, do you want to establish an IPSec VPN connection? If so, you need to set an SNAT rule for the internal IP on the VPN page.


    Charlie 
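As an added illustration of the policy Charlie outlines (this is not code from the thread and not Zyxel's own tooling), the Python model below applies a first-match security policy with implicit deny to the two sockets named in the thread, and shows the SNAT that hides 192.168.1.3 behind 216.254.177.194 inside the tunnel. The addresses and ports are the ones posted above; the Rule/Packet classes, the LOOSE and TIGHT rule sets, and the assumption that inbound NAT is applied before the policy and outbound SNAT after it are constructed for the example. It generalises the single "allow 192.168.1.3:2111" rule to both directions of the server-to-server connection.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Values as posted in the thread.
LOCAL_SERVER = "192.168.1.3"        # internal address of the local server
LOCAL_PUBLIC = "216.254.177.194"    # address the server is SNATed to inside the tunnel
PARTNER_SERVER = "6.6.6.6"          # partner's server as seen through the tunnel
LOCAL_PORT, PARTNER_PORT = 2111, 2000


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def _in(scope: str, addr: str) -> bool:
    """True if addr falls inside scope (a host, a CIDR, or the keyword "any")."""
    return scope == "any" or ip_address(addr) in ip_network(scope, strict=False)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                  # host/CIDR or "any"
    dst: str
    proto: str                # "tcp", "udp" or "any" (the T/U service group)
    dport: Optional[int]      # None = any destination port
    action: str               # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (_in(self.src, p.src) and _in(self.dst, p.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def evaluate(policy: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped ("Others will be blocked")."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"


# Loose (assumed counter-example): a port-forward style rule exposing every service on the server.
LOOSE = [Rule("partner-to-server-any", PARTNER_SERVER, LOCAL_SERVER, "any", None, "allow")]

# Tight: only the two sockets, in both directions, for TCP and UDP.
TIGHT = [
    Rule("partner-to-2111", PARTNER_SERVER, LOCAL_SERVER, "any", LOCAL_PORT, "allow"),
    Rule("server-to-partner-2000", LOCAL_SERVER, PARTNER_SERVER, "any", PARTNER_PORT, "allow"),
]


def snat_outbound(p: Packet) -> Packet:
    """Traffic from the server into the tunnel leaves with the public address as source."""
    if p.src == LOCAL_SERVER and _in(PARTNER_SERVER, p.dst):
        return Packet(LOCAL_PUBLIC, p.sport, p.dst, p.dport, p.proto)
    return p


def dnat_inbound(p: Packet) -> Packet:
    """Reverse mapping: packets for the public address are delivered to the internal server."""
    if p.dst == LOCAL_PUBLIC:
        return Packet(p.src, p.sport, LOCAL_SERVER, p.dport, p.proto)
    return p


def inbound_decision(policy: List[Rule], p: Packet) -> str:
    """Inbound: translate to the internal address first, then apply the policy (assumed order)."""
    return evaluate(policy, dnat_inbound(p))


def outbound_decision(policy: List[Rule], p: Packet) -> Tuple[str, Optional[Packet]]:
    """Outbound: policy sees internal addresses; SNAT rewrites the source only if allowed."""
    action = evaluate(policy, p)
    return action, (snat_outbound(p) if action == "allow" else None)


if __name__ == "__main__":
    probe = Packet(PARTNER_SERVER, 40000, LOCAL_PUBLIC, 22, "tcp")  # constructed: SSH attempt
    print("loose:", inbound_decision(LOOSE, probe), "tight:", inbound_decision(TIGHT, probe))
    print(outbound_decision(TIGHT, Packet(LOCAL_SERVER, 50000, PARTNER_SERVER, PARTNER_PORT, "tcp")))
```

The difference between LOOSE and TIGHT is the point of Charlie's "Others will be blocked": with the tight set, the partner reaching any other port on 192.168.1.3, a different partner host reaching 2111, or another LAN host such as 192.168.1.134 using the tunnel all fall through to the implicit deny.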

  • eitan
    eitan Posts: 9
    First Comment
    edited January 2019 Answer ✓

    Hi Charlie,
    Thank you.
    209.183.24.195 is my peer IP, 7.7.7.7 is my partner's Peer IP (both public).
    SNAT on the VPN form, instead of 1:1 NAT of 216.254.177.194 with 192.168.1.3?
    What about the route policy?
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    @eitan
    Since you created a new post, let's follow up on the issue in the new thread.
    site to site vpn - server to server (socket to socket) connection
    Charlie
  • eitan
    eitan Posts: 9
    First Comment
    This is the log that I am getting. VPN is not up. Does this shed any light on why VPN is down?

    The cookie pair is : 0x6eb5edcf4b9deb12 / 0x79e375ef7bd35569
    ISAKMP SA [EZMODE_VPN_STATIC] is disconnected
    The cookie pair is : 0x6eb5edcf4b9deb12 / 0x0000000000000000 [count=3]
    Tunnel [EZMODE_VPN_STATIC] Sending IKE request
    Send Main Mode request to [204.225.32.248]
    Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID]
    The cookie pair is : 0x79e375ef7bd35569 / 0x6eb5edcf4b9deb12 [count=2]
    Recv:[SA][VID][VID][VID]
    The cookie pair is : 0x6eb5edcf4b9deb12 / 0x79e375ef7bd35569 [count=2]
    Send:[KE][NONCE][PRV][PRV]
    Recv:[KE][NONCE][PRV][PRV]
    Send:[ID][HASH][NOTIFY:INITIAL_CONTACT]
    The cookie pair is : 0x444f0abe9631455c / 0xd2a01749c4f46170
    ISAKMP SA [EZMODE_VPN_STATIC] is disconnected
    Peer not reachable
    The cookie pair is : 0x444f0abe9631455c / 0xd2a01749c4f46170 [count=2]
    Send:[KE][NONCE][PRV][PRV]
    Recv:[KE][NONCE][PRV][PRV]
    Send:[ID][HASH][NOTIFY:INITIAL_CONTACT]
    The cookie pair is : 0x444f0abe9631455c / 0x0000000000000000 [count=3]
    Tunnel [EZMODE_VPN_STATIC] Sending IKE request
    Send Main Mode request to [204.225.32.248]
    Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID]
    The cookie pair is : 0xd2a01749c4f46170 / 0x444f0abe9631455c [count=2]
    Recv:[SA][VID][VID][VID]
    The cookie pair is : 0x956dcb3264441621 / 0x4e0c5b5a72b5aa03
    ISAKMP SA [EZMODE_VPN_STATIC] is disconnected
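The posted log can be read mechanically: each "cookie pair" line switches the IKE SA that the following lines belong to (the Recv lines list the pair responder-first, and the all-zero responder cookie marks the initiator's first message), and the Send/Recv payload lists map onto the six IKEv1 Main Mode messages. The script below is an added example, not Zyxel code and not from the thread; it groups the lines by initiator cookie and reports how far phase 1 got. The sample input is the log quoted above; the stage labels and the troubleshooting hints are the example author's reading of the Main Mode exchange, not something the page states.

```python
import re
from collections import OrderedDict

# Constructed sample: the IKE log lines quoted in the post above, in the order posted.
SAMPLE_LOG = """\
The cookie pair is : 0x6eb5edcf4b9deb12 / 0x79e375ef7bd35569
ISAKMP SA [EZMODE_VPN_STATIC] is disconnected
The cookie pair is : 0x6eb5edcf4b9deb12 / 0x0000000000000000 [count=3]
Tunnel [EZMODE_VPN_STATIC] Sending IKE request
Send Main Mode request to [204.225.32.248]
Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID]
The cookie pair is : 0x79e375ef7bd35569 / 0x6eb5edcf4b9deb12 [count=2]
Recv:[SA][VID][VID][VID]
The cookie pair is : 0x6eb5edcf4b9deb12 / 0x79e375ef7bd35569 [count=2]
Send:[KE][NONCE][PRV][PRV]
Recv:[KE][NONCE][PRV][PRV]
Send:[ID][HASH][NOTIFY:INITIAL_CONTACT]
The cookie pair is : 0x444f0abe9631455c / 0xd2a01749c4f46170
ISAKMP SA [EZMODE_VPN_STATIC] is disconnected
Peer not reachable
The cookie pair is : 0x444f0abe9631455c / 0xd2a01749c4f46170 [count=2]
Send:[KE][NONCE][PRV][PRV]
Recv:[KE][NONCE][PRV][PRV]
Send:[ID][HASH][NOTIFY:INITIAL_CONTACT]
The cookie pair is : 0x444f0abe9631455c / 0x0000000000000000 [count=3]
Tunnel [EZMODE_VPN_STATIC] Sending IKE request
Send Main Mode request to [204.225.32.248]
Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID]
The cookie pair is : 0xd2a01749c4f46170 / 0x444f0abe9631455c [count=2]
Recv:[SA][VID][VID][VID]
The cookie pair is : 0x956dcb3264441621 / 0x4e0c5b5a72b5aa03
ISAKMP SA [EZMODE_VPN_STATIC] is disconnected
"""

COOKIE_RE = re.compile(r"The cookie pair is : (0x[0-9a-f]+) / (0x[0-9a-f]+)")
PAYLOAD_RE = re.compile(r"^(Send|Recv):\[([A-Z]+)\]")  # first payload type of the message
ZERO = "0x0000000000000000"

# IKEv1 Main Mode from the initiator's side: six messages in three exchanges (assumed labels).
MAIN_MODE = [("Send", "SA", "MM1 SA proposal sent"), ("Recv", "SA", "MM2 SA accepted by peer"),
             ("Send", "KE", "MM3 key exchange sent"), ("Recv", "KE", "MM4 key exchange received"),
             ("Send", "ID", "MM5 identity/hash sent (first encrypted message)"),
             ("Recv", "ID", "MM6 identity/hash received: phase 1 authenticated")]
HINTS = {0: "no proposal sent: check the tunnel is enabled and the peer address is right",
         5: "MM5 sent, no MM6: the peer dropped the encrypted identity message (commonly a "
            "pre-shared key or peer-ID mismatch on either side)",
         6: "phase 1 completed; look at phase 2 (Quick Mode) if the tunnel is still down"}


def _initiators(lines):
    """A cookie paired with the all-zero responder cookie belongs to the initiator."""
    found = set()
    for line in lines:
        m = COOKIE_RE.search(line)
        if m and ZERO in m.groups():
            found.add(m.group(1) if m.group(2) == ZERO else m.group(2))
    return found


def analyze_ike_log(text):
    """Group lines by IKE SA (initiator cookie) and report how far Main Mode progressed."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    initiators = _initiators(lines)
    sessions, key = OrderedDict(), None
    for line in lines:
        m = COOKIE_RE.search(line)
        if m:
            a, b = m.groups()
            # Recv lines list the pair responder-first; normalise onto the initiator cookie.
            key = a if a in initiators else b if b in initiators else a
            sessions.setdefault(key, {"initiator": key, "steps": set(),
                                      "disconnected": False, "peer_unreachable": False})
            continue
        if key is None:
            continue  # lines before the first cookie line cannot be attributed to an SA
        s, p = sessions[key], PAYLOAD_RE.match(line)
        if p:
            s["steps"].add((p.group(1), p.group(2)))
        elif "is disconnected" in line:
            s["disconnected"] = True
        elif "Peer not reachable" in line:
            s["peer_unreachable"] = True
    return [summarise(s) for s in sessions.values()]


def summarise(s):
    """Furthest Main Mode message seen for one SA, plus a diagnostic hint."""
    reached = max((i for i, (d, p, _) in enumerate(MAIN_MODE, 1) if (d, p) in s["steps"]), default=0)
    return {"initiator": s["initiator"], "reached": reached,
            "stage": MAIN_MODE[reached - 1][2] if reached else "no Main Mode messages logged",
            "disconnected": s["disconnected"], "peer_unreachable": s["peer_unreachable"],
            "hint": HINTS.get(reached, "stalled mid-exchange: the peer stopped answering")}


if __name__ == "__main__":
    for r in analyze_ike_log(SAMPLE_LOG):
        print(f"{r['initiator']}: {r['stage']} -> {r['hint']}")
```

Run against the posted log, both attempts that got anywhere (initiator cookies 0x6eb5... and 0x444f...) reach MM5 and then stop: the peer at 204.225.32.248 answered the cleartext SA and KE exchanges but never returned the encrypted MM6, which is what a defender should focus on when comparing the two ends' phase 1 settings; the third SA (0x956d...) logged only the disconnect.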
