VPN Configuration on Zyxel USG FLEX 700

Options
cmanley
cmanley Posts: 14  Freshman Member
First Anniversary 10 Comments
edited February 8 in Security

I am configuring and IPSec VPN on this router and each time, I get this error in the logs.

The highlighted line is where I am having the issue. That tunnel is another VPN I have configured on the router that is working for something else. I am not sure why this new VPN is trying to use that tunnel for authentication. It has a policy mismatch, because it is configured different because it is used for something else.

Here is the correct gateway.

Here is the VPN using that gateway.

So what is causing it to try to authenticate with this Tunnel?

UPDATE: If I change my phase 2 encapsulation setting to "transport" I get this error:

Firmware version: V5.37(ABWD.1)

«1

All Replies

  • PeterUK
    PeterUK Posts: 2,994  Guru Member
    Community MVP First Anniversary 10 Comments Friend Collector
    Options

    Change Local policy to 0.0.0.0

  • cmanley
    cmanley Posts: 14  Freshman Member
    First Anniversary 10 Comments
    Options

    No luck. I get the same error. Phase 1 works no problem, but it seems to continue to try and authenticate phase 2 with the wrong VPN.

  • PeterUK
    PeterUK Posts: 2,994  Guru Member
    Community MVP First Anniversary 10 Comments Friend Collector
    Options

    If you have other IKEv1 tunnels on the same interface that can cause problems

  • cmanley
    cmanley Posts: 14  Freshman Member
    First Anniversary 10 Comments
    Options

    So, if I need multiple VPNs what is the solution?

  • PeterUK
    PeterUK Posts: 2,994  Guru Member
    Community MVP First Anniversary 10 Comments Friend Collector
    Options

    Not sure I think Phase 1 local ID and Peer ID type might be needed

    or you can try having IKEv2 for tunnels site to site and IKEv1 for Remote Access (Server Role)

  • cmanley
    cmanley Posts: 14  Freshman Member
    First Anniversary 10 Comments
    Options

    I wish I could figure out what exactly these errors mean. Phase 1 seems to work fine.

  • PeterUK
    PeterUK Posts: 2,994  Guru Member
    Community MVP First Anniversary 10 Comments Friend Collector
    Options

    Have you setup L2TP VPN for the server role?

  • cmanley
    cmanley Posts: 14  Freshman Member
    First Anniversary 10 Comments
    Options

    This?

  • PeterUK
    PeterUK Posts: 2,994  Guru Member
    Community MVP First Anniversary 10 Comments Friend Collector
    Options

    So testing here Phase 1 local ID and Peer ID type don't allow more then one type of VPN on the same interface but if you do site to site as IKEv2 with a IKEv1 server role that works

  • PeterUK
    PeterUK Posts: 2,994  Guru Member
    Community MVP First Anniversary 10 Comments Friend Collector
    Options

    also on the same interface with IKEv1 you can have site to site by Pre-Shared Key and  server role by Certificate

Security Highlight