usg40 as router, site to site vpn, with webservers behind it.
Above are the specs for jobs 1 and 2 that the USG40 has to be configured for.
Hi
Background:
After exhaustive research I purchased a USG40. My skill set is at the RV042 level, which is the device I want to replace because it cannot readily NAT outbound over a site-to-site VPN. The RV presently has three jobs: (1) it port forwards to an HTTPS (SSL) nginx server, which directs traffic to and from three web servers behind it; (2) it port forwards to other servers for various services; and (3) it runs a site-to-site VPN tunnel. This RV has worked well until now. However, as mentioned above, the RV no longer meets my VPN needs.
Problem:
I am failing to replicate the same setup with the USG40. My first priority (1) is reaching my web servers (HTTPS nginx and the web servers behind it) from outside the network. My second priority (2) is to be able to access other servers/services (currently port forwarded with the RV). My last priority (3) is to recreate the site-to-site VPN.
Thanks in advance
Eitan
All Replies
-
Thank you for your interest. I will upload that tomorrow.
-
I am sorry I have been away on another project. I solved the above scenario by port forwarding to the nginx machine both 443 and 80. And then I created a security policy for traffic arriving at 209.183.24.195 to be allowed to the nginx machine on both ports 80 and 443. I did the same for 192.168.1.134 and other servers behind the ZyWALL.
-
Thank you Alfonso. I need help with my next challenge, which is to create a site-to-site VPN. It has to be what Cisco refers to as the extranet scenario. My partner's company and my company want to establish a site-to-site VPN between two servers. The VPN is to be restricted to only allow two servers (two sockets) to communicate securely across the internet: one server at my company, the other at my partner's. We do not want to share subnets etc.
I believe my peer IP is 209.183.24.195. I want to use 216.254.177.194 (which is my first usable public IP) as the VPN public IP for the server at my location; internally my server's address is 192.168.1.3. The port to use on my server will be 2111. No internal IPs will be visible between the two companies.
I will use my partner's peer public IP as 7.7.7.7, and the public IP and port of my partner's server as 6.6.6.6:2000.
Thank you in advance
-
@eitan
Regarding your description, "only allow two servers (two sockets) to communicate", you may follow the steps below as a reference.
First, if you only want to allow two servers (two sockets) to communicate via VPN, configure the two servers' IP addresses in the remote and local policy.
Moreover, the steps below can lead you to configure the rules that allow the two servers to communicate with a specific service via VPN.
Create the service for port 2111 (TCP, UDP) and group them (T/U).
Create the server IP address.
Go to Security Policy and allow 192.168.1.3:2111.
Others will be blocked.
The above information is an example; you need to configure similar rules on both devices.
If you have any questions, you can private message your configuration to me.
Moreover, I want to confirm the purpose: do you want to use 7.7.7.7 instead of the peer public IP 209.183.24.195?
Also, do you want to establish an IPSec VPN connection? If so, you need to set an SNAT rule for the internal IP on the VPN page.
Charlie
-
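The extranet tunnel described in the reply above, modelled in Python as an added example (this is not Zyxel's code and not a USG configuration): host-sized phase 2 selectors, SNAT/1:1 NAT of 192.168.1.3 to 216.254.177.194 inside the tunnel, and a security policy limited to the two sockets. The addresses and ports are the ones from the thread; the function names, the flow model, the evaluation order and the sample flows are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Values from the thread. Everything else in this file is an assumption for the example.
LOCAL_SERVER = ip_address("192.168.1.3")       # internal address of the local server
LOCAL_VPN_IP = ip_address("216.254.177.194")   # address it is shown as inside the tunnel
LOCAL_PORT = 2111
PARTNER_SERVER = ip_address("6.6.6.6")
PARTNER_PORT = 2000

# Phase 2 traffic selectors (VPN connection local/remote policy): single hosts, so
# neither side's subnet is ever proposed to, or routed by, the other gateway.
LOCAL_POLICY = ip_network("216.254.177.194/32")
REMOTE_POLICY = ip_network("6.6.6.6/32")


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def outbound_to_tunnel(flow):
    """LAN -> VPN. Returns the flow as the partner will see it, or None if dropped.

    Assumed order: security policy first, then SNAT over VPN rewrites the source,
    then the packet must fit the phase 2 selectors to be encrypted into the tunnel.
    Source ports are left unrestricted because a client side uses ephemeral ports.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # Security policy (LAN -> IPSec_VPN): only the local server to the partner socket.
    if not (flow.proto == "tcp" and src == LOCAL_SERVER
            and dst == PARTNER_SERVER and flow.dport == PARTNER_PORT):
        return None
    # SNAT over VPN: the RFC 1918 address never leaves the site.
    natted = replace(flow, src=str(LOCAL_VPN_IP))
    if ip_address(natted.src) in LOCAL_POLICY and dst in REMOTE_POLICY:
        return natted
    return None


def inbound_from_tunnel(flow):
    """VPN -> LAN. Returns the flow as delivered to the LAN, or None if dropped."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # Only traffic inside the selectors is accepted from this tunnel; a packet
    # addressed to 192.168.1.3 directly does not match and is dropped.
    if not (src in REMOTE_POLICY and dst in LOCAL_POLICY):
        return None
    # 1:1 NAT back to the internal server.
    natted = replace(flow, dst=str(LOCAL_SERVER))
    # Security policy (IPSec_VPN -> LAN): partner server to 192.168.1.3:2111 only.
    if natted.proto == "tcp" and src == PARTNER_SERVER and natted.dport == LOCAL_PORT:
        return natted
    return None


if __name__ == "__main__":
    # Constructed sample flows: one permitted and several that must be blocked per direction.
    samples = [
        ("out", Flow("192.168.1.3", 40000, "6.6.6.6", 2000)),
        ("out", Flow("192.168.1.134", 40000, "6.6.6.6", 2000)),
        ("out", Flow("192.168.1.3", 40000, "6.6.6.6", 22)),
        ("in", Flow("6.6.6.6", 51000, "216.254.177.194", 2111)),
        ("in", Flow("6.6.6.6", 51000, "216.254.177.194", 443)),
        ("in", Flow("7.7.7.7", 51000, "216.254.177.194", 2111)),
        ("in", Flow("6.6.6.6", 51000, "192.168.1.3", 2111)),
    ]
    for direction, f in samples:
        fn = outbound_to_tunnel if direction == "out" else inbound_from_tunnel
        print(direction, f, "->", fn(f) or "DROP")
```

The partner gateway (7.7.7.7) itself is not in the remote selector, so even a flow from the peer's own address is dropped; only 6.6.6.6 to 216.254.177.194:2111 and the reverse pass, and the internal 192.168.1.3 never appears on the wire between the sites.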
Hi Charlie,
Thank you.
209.183.24.195 is my peer IP, 7.7.7.7 is my partner's Peer IP (both public).
SNAT on VPN form - instead of 1:1 NAT 216.254.177.194 with 192.168.1.3 ?
what about route policy?
-
@eitan Since you created a new post, let's follow up on the issue in the new thread.
site to site vpn - server to server (socket to socket) connection
Charlie
-
This is the log that I am getting. VPN is not up. Does this shed any light on why VPN is down?
The cookie pair is : 0x6eb5edcf4b9deb12 / 0x79e375ef7bd35569
ISAKMP SA [EZMODE_VPN_STATIC] is disconnected
The cookie pair is : 0x6eb5edcf4b9deb12 / 0x0000000000000000 [count=3]
Tunnel [EZMODE_VPN_STATIC] Sending IKE request
Send Main Mode request to [204.225.32.248]
Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID]
The cookie pair is : 0x79e375ef7bd35569 / 0x6eb5edcf4b9deb12 [count=2]
Recv:[SA][VID][VID][VID]
The cookie pair is : 0x6eb5edcf4b9deb12 / 0x79e375ef7bd35569 [count=2]
Send:[KE][NONCE][PRV][PRV]
Recv:[KE][NONCE][PRV][PRV]
Send:[ID][HASH][NOTIFY:INITIAL_CONTACT]
The cookie pair is : 0x444f0abe9631455c / 0xd2a01749c4f46170
ISAKMP SA [EZMODE_VPN_STATIC] is disconnected
Peer not reachable
The cookie pair is : 0x444f0abe9631455c / 0xd2a01749c4f46170 [count=2]
Send:[KE][NONCE][PRV][PRV]
Recv:[KE][NONCE][PRV][PRV]
Send:[ID][HASH][NOTIFY:INITIAL_CONTACT]
The cookie pair is : 0x444f0abe9631455c / 0x0000000000000000 [count=3]
Tunnel [EZMODE_VPN_STATIC] Sending IKE request
Send Main Mode request to [204.225.32.248]
Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID]
The cookie pair is : 0xd2a01749c4f46170 / 0x444f0abe9631455c [count=2]
Recv:[SA][VID][VID][VID]
The cookie pair is : 0x956dcb3264441621 / 0x4e0c5b5a72b5aa03
ISAKMP SA [EZMODE_VPN_STATIC] is disconnected
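As an added example (not from the post and not Zyxel's code), a small Python parser that groups the log above by ISAKMP SA cookie pair and reports how far IKEv1 Main Mode got in each attempt. The log text is the one posted above; the grouping logic, the step table and the diagnostic hints are my own reading of the messages and should be treated as assumptions, not as what the USG itself reports.

```python
import re

# Log copied from the post above (the USG40's IKE log for tunnel EZMODE_VPN_STATIC).
LOG = (
    "The cookie pair is : 0x6eb5edcf4b9deb12 / 0x79e375ef7bd35569 ISAKMP SA [EZMODE_VPN_STATIC] is disconnected "
    "The cookie pair is : 0x6eb5edcf4b9deb12 / 0x0000000000000000 [count=3] Tunnel [EZMODE_VPN_STATIC] Sending IKE request "
    "Send Main Mode request to [204.225.32.248] Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID] "
    "The cookie pair is : 0x79e375ef7bd35569 / 0x6eb5edcf4b9deb12 [count=2] Recv:[SA][VID][VID][VID] "
    "The cookie pair is : 0x6eb5edcf4b9deb12 / 0x79e375ef7bd35569 [count=2] Send:[KE][NONCE][PRV][PRV] Recv:[KE][NONCE][PRV][PRV] "
    "Send:[ID][HASH][NOTIFY:INITIAL_CONTACT] "
    "The cookie pair is : 0x444f0abe9631455c / 0xd2a01749c4f46170 ISAKMP SA [EZMODE_VPN_STATIC] is disconnected Peer not reachable "
    "The cookie pair is : 0x444f0abe9631455c / 0xd2a01749c4f46170 [count=2] Send:[KE][NONCE][PRV][PRV] Recv:[KE][NONCE][PRV][PRV] "
    "Send:[ID][HASH][NOTIFY:INITIAL_CONTACT] "
    "The cookie pair is : 0x444f0abe9631455c / 0x0000000000000000 [count=3] Tunnel [EZMODE_VPN_STATIC] Sending IKE request "
    "Send Main Mode request to [204.225.32.248] Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID] "
    "The cookie pair is : 0xd2a01749c4f46170 / 0x444f0abe9631455c [count=2] Recv:[SA][VID][VID][VID] "
    "The cookie pair is : 0x956dcb3264441621 / 0x4e0c5b5a72b5aa03 ISAKMP SA [EZMODE_VPN_STATIC] is disconnected"
)

ZERO = "0x0000000000000000"
COOKIE_RE = re.compile(r"The cookie pair is : (0x[0-9a-f]{16}) / (0x[0-9a-f]{16})")
MSG_RE = re.compile(r"\b(Send|Recv):((?:\[[A-Z_:]+\])+)")

# IKEv1 Main Mode messages in order; each is identified by direction and leading payload.
MM_STEPS = [
    ("Send", "[SA]", "MM1 SA proposal sent"),
    ("Recv", "[SA]", "MM2 SA proposal accepted by peer"),
    ("Send", "[KE]", "MM3 KE/NONCE sent"),
    ("Recv", "[KE]", "MM4 KE/NONCE received"),
    ("Send", "[ID]", "MM5 ID/HASH sent (encrypted with the derived keys)"),
    ("Recv", "[ID]", "MM6 ID/HASH received: phase 1 authenticated"),
]


def _segments(log):
    """Yield (cookie_a, cookie_b, text) for each 'cookie pair' entry, in log order."""
    matches = list(COOKIE_RE.finditer(log))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(log)
        yield m.group(1), m.group(2), log[m.end():end]


def analyze(log):
    """Group entries by ISAKMP SA (either cookie order, or one cookie with a zero peer
    cookie) and record how far Main Mode got. Keyed by the first cookie printed for the SA."""
    owner, sas = {}, {}
    for a, b, text in _segments(log):
        cookies = [c for c in (a, b) if c != ZERO]
        key = next((owner[c] for c in cookies if c in owner), cookies[0])
        for c in cookies:
            owner[c] = key
        sa = sas.setdefault(key, {"messages": [], "disconnected": False, "peer_not_reachable": False})
        sa["messages"] += [(d, p) for d, p in MSG_RE.findall(text)]
        sa["disconnected"] |= "is disconnected" in text
        sa["peer_not_reachable"] |= "Peer not reachable" in text
    for sa in sas.values():
        reached = -1
        for i, (direction, lead, _) in enumerate(MM_STEPS):
            if any(d == direction and p.startswith(lead) for d, p in sa["messages"]):
                reached = i
        sa["furthest"] = MM_STEPS[reached][2] if reached >= 0 else "no Main Mode messages logged"
        sa["phase1_complete"] = reached == len(MM_STEPS) - 1
    return sas


def diagnose(sa):
    """Plain-language reading of one SA's state; the hints are assumptions, not device output."""
    if sa["phase1_complete"]:
        return "phase 1 completed"
    if not sa["messages"]:
        return "SA torn down without a logged negotiation"
    if sa["furthest"].startswith("MM5"):
        hint = ("peer did not answer the encrypted ID/HASH message; "
                "commonly a pre-shared key or IKE ID mismatch on the peer side")
    elif sa["furthest"].startswith("MM1"):
        hint = "peer never answered the SA proposal; check reachability, UDP/500 and the phase 1 proposal"
    else:
        hint = "negotiation stopped mid-exchange"
    if sa["peer_not_reachable"]:
        hint += "; device also reported 'Peer not reachable'"
    return f"stalled after {sa['furthest']}: {hint}"


if __name__ == "__main__":
    for key, sa in analyze(LOG).items():
        print(key, "->", diagnose(sa))
```

For both attempts that got past the first message, the USG sent message 5 (ID/HASH) and never logged a message 6, so the Diffie-Hellman exchange completed but the peer did not accept the authentication; that is the point to check against the pre-shared key and IKE IDs on both gateways before looking at phase 2 settings.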