IPSec VPN. Unstable, Requires reboot to reestablish tunnels.

jef Posts: 37  Freshman Member

Not sure what category VPN is. Sorry if this is not in the correct part.

I have been fighting Zyxel IPSEC VPN for over a year.
Zyxel IPSEC/VPN is very unreliable.
The WebUI doesn't work well.
The CLI for the IKE is worse.

My scenario. I run 3 site-to-site tunnels.
  Tunnel 1: Zyxel USG Flex 700 to Sophos UTM  vLan10
  Tunnel 2: Zyxel USG Flex 700 to Sophos UTM  vLan11
    2 VLANs (and since Zyxel doesn't do route-based, I have 2 connections and 2 gateways per Zyxel suggestions)
    I have tried 1 gateway and 2 connections.  Either configuration works and fails with the same randomness.
  Tunnel 3: Zyxel USG Flex 700 to Cisco

The tunnels work 95% of the time.
When they fail (almost daily; if they are stable for more than 3 days I start to worry):
3% of the time I can "fix" the tunnel by clicking "disconnect" in the WebUI under the tunnel's VPN Connection.
2% of the time I have to reboot the entire appliance. Post restart all tunnels function again.

The CLI only works when everything is working.  (crypto map activating or deactivating, vpn-service enable <no>)
When the IPSec VPN is failing / faltering, trying anything using the CLI does nothing.

The WebUI. Might work.  When it doesn't, it displays wrong (gray when green, green when gray, worthless web control ya know).
Activate, Inactivate.  Does not help.
connect, disconnect.   Does not help  (and the timer "dialer" on the connect, that needs to be written out).
Uncheck "Enable VPN Server".   Does not do anything. One would think it would stop the VPN service. NOPE.
Nothing I do will fix the VPN aside from rebooting the whole appliance.
I have tried for over a year.
I have made every config change Zyxel has suggested.
I am aware Zyxel only supports Zyxel to Zyxel, but that is NOT realistic.
I have changed the gates.  I have changed which gate is the initiator.
Nothing makes the Zyxel VPN stable.
Yet these others (Cisco, Sophos) do rock solid VPN, like it's supposed to be.

Rebooting the firewall gateway is not a good solution.
Booting to fix IPSEC tunnels interrupts EVERYTHING.
Everybody in my company knows the term Zyxel; it is synonymous with "internet is down".

Is there a way to shell into the Linux so I can just restart the VPN service or something?
This problem is so frustrating. I hate this Zyxel firewall gateway; our whole IT looks like fools for continuing with it.

If anybody has a magic recipe for Zyxel to "other" IPSec VPN, I'll try anything at this point.

All Replies

  • PeterUK
    PeterUK Posts: 2,840  Guru Member

    Are you using IKEv2?

    Have you tried nailed up only by the Zyxel side to the Sophos UTM?

  • jef
    jef Posts: 37  Freshman Member

    Hello, I am not using IKEv2.
    Yes, I have tried every combination of "nailed up" and "connectivity check" I or Zyxel support could think of.
    Then we started mixing in which gateway is "Respond Only" and "Initiate"; these (if I recall) are only choices in Sophos, not configurable in the Zyxel.

    Oddly, when the Zyxel messes up, it usually shows "connected" and "Active" (the silly light bulb and the green world icons). When the WebUI can fix a failing tunnel, the "trick" is to click "disconnect" once, and nothing happens (green world still stays green), but the tunnel resumes.

    When the tunnels are down in Zyxel and something shows "gray", it is basically unrecoverable without a reboot of the appliance. Clicking anything is pointless, like the "dialer" popup whose timeout you can't change. Nothing "clicked" changes anything. Even unchecking the box "Enable VPN service" doesn't change the state. It does on the webpage you have open, but if you call up the admin webpage in another browser, when the VPN page loads it will show differently than the console page you were using. "Refresh" and "Apply" do nothing.

    Of the three branch offices connected, only the Zyxel site ever goes offline, disconnecting from both.
    Cisco to Sophos is stable.
    Sophos to Cisco stable.

    Here is the best part: we have a 2004 Cisco Catalyst in the same building as the Zyxel.
    It has run building services (door cards, parking, air handling systems) for the last 20 years.
    It is on the same ISP as the Zyxel.
    It has 7 IPSec tunnels running, with uptimes over 2 years, to satellite warehouses.
    Which in my mind, vets the ISP.
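The post above describes the core problem from a monitoring standpoint: the appliance's status page reports "connected" while no traffic crosses the tunnel, so the status page cannot be the source of truth. The following is an added example, not code from the thread or from Zyxel; it derives tunnel state from probes that must actually traverse the tunnel (a host on the far-side subnet), applies hysteresis so one lost packet does not flap the state, and records every transition with a timestamp so the outage pattern (time of day, time to failure, whether "disconnect" recovered it) can be correlated with the firewall's own logs. The probe targets, thresholds and the probe log are constructed placeholders.

```python
"""Tunnel liveness monitor: decides UP/DOWN from reachability across the
tunnel, not from what the firewall's WebUI claims. Added example; the
host names and the sample probe log below are constructed, not real."""
import subprocess
from dataclasses import dataclass, field


@dataclass
class TunnelMonitor:
    """Observed state of one site-to-site tunnel, with hysteresis.

    fail_threshold consecutive failed probes -> DOWN
    recover_threshold consecutive good probes -> UP
    Every change is appended to `transitions` as (timestamp, old, new).
    """
    name: str
    fail_threshold: int = 3
    recover_threshold: int = 2
    state: str = "UNKNOWN"
    fails: int = 0
    oks: int = 0
    transitions: list = field(default_factory=list)

    def observe(self, reachable: bool, timestamp: str) -> str:
        """Record one probe result and return the (possibly new) state."""
        if reachable:
            self.oks += 1
            self.fails = 0
        else:
            self.fails += 1
            self.oks = 0
        new_state = self.state
        if self.state != "DOWN" and self.fails >= self.fail_threshold:
            new_state = "DOWN"
        elif self.state != "UP" and self.oks >= self.recover_threshold:
            new_state = "UP"
        if new_state != self.state:
            self.transitions.append((timestamp, self.state, new_state))
            self.state = new_state
        return self.state


def ping_once(host: str, timeout_s: int = 2) -> bool:
    """One ICMP probe via the system ping binary (assumes Linux flags:
    -c count, -W timeout in seconds). The host must sit on the far side
    of the tunnel, otherwise a reply proves nothing about the tunnel."""
    try:
        result = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), host],
            capture_output=True, timeout=timeout_s + 3, check=False)
        return result.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def replay(monitor: TunnelMonitor, samples):
    """Feed (timestamp, reachable) pairs to a monitor; return its transitions."""
    for ts, ok in samples:
        monitor.observe(ok, ts)
    return list(monitor.transitions)


# Constructed probe log for one tunnel (not real data): up, drops for four
# probes, recovers for two, then drops again. This is the pattern the thread
# describes: the WebUI would show green throughout.
SAMPLE_PROBES = [
    ("08:00", True), ("08:01", True),
    ("08:02", False), ("08:03", False), ("08:04", False), ("08:05", False),
    ("08:06", True), ("08:07", True),
    ("08:08", False), ("08:09", False), ("08:10", False),
]

# Placeholder far-side hosts, one per tunnel in the thread (assumed values).
PROBE_TARGETS = {
    "tunnel1-sophos-vlan10": "10.10.0.1",
    "tunnel2-sophos-vlan11": "10.11.0.1",
    "tunnel3-cisco": "10.12.0.1",
}

if __name__ == "__main__":
    # Offline demonstration on the constructed log.
    for t in replay(TunnelMonitor("tunnel1-sophos-vlan10"), SAMPLE_PROBES):
        print("%s  %s -> %s" % t)
    # Live use: run this block from cron every minute and persist the
    # monitors' transitions, e.g.
    #   for name, host in PROBE_TARGETS.items():
    #       monitors[name].observe(ping_once(host), datetime.now().isoformat())
```

Run it from a host on the Zyxel side of each tunnel; the transition log gives you the failure timestamps to line up against the appliance's VPN log and shows whether a "disconnect" click actually restored traffic or only repainted the icon.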

  • jef
    jef Posts: 37  Freshman Member
    edited January 30

    No IKEv2.
    Tried every combination of nailed up and connectivity check I or Zyxel support could think of.
    No combination resolves the problem of needing to reboot the appliance when the VPN fails unrecoverably.

  • PeterUK
    PeterUK Posts: 2,840  Guru Member
    edited January 30

    Do both ends have static IPs, with the firewalls holding the WAN IPs?

    Other traffic hitting the firewalls may cause problems (which would need to be investigated), so you could firewall WAN to Zywall from a given source by IP or FQDN of the connecting tunnel, and do the same at the other end.

    Of course this will not limit spoofed packets; the only real way to be sure Zyxel USG Flex 700 to Sophos UTM is stable for a tunnel is in a local network.

  • jef
    jef Posts: 37  Freshman Member

    Yes, both gateways have public-facing WAN IPs.
    I would hope that if it was a traffic issue, it would not take a restart of the appliance to fix it.
    It would show excessive traffic in the logs and on the CPU.
    And the tunnels wouldn't fail to shut down or restart through the WebUI.

  • jef
    jef Posts: 37  Freshman Member

    I appreciate the ideas.
