VPN not working any more after reboot

StefanZ
StefanZ Posts: 202  Master Member
First Comment First Answer Friend Collector Community MVP
edited February 2024 in Security

I don't know what it is, but my Flex200 seems haunted!

It was up for 3 months and today I reboot it and suddenly two VPNs are not working any more. That's especially "great" since it's the last day of the month and everyone needs to enter their hours for billing…

The two failing VPNs are IKEv2 with certs.

I have a 3rd, working one that is exactly like the failing ones, except a different cert.

The log only shows ONE difference:
The failing connections' phase 1 has one more [NOTIFY] than the successful one.
At least sometimes.

[INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY][NOTIFY]

I also updated from V5.37(ABUI.1) to V5.37(ABUI.2).
No change.

There are also 4 static tunnels from my F50 to the F200 – disabling those does nothing.

The two failing connections even go to different IPs on different WANs – both worked up until the reboot.


All Replies

  • PeterUK
    PeterUK Posts: 3,503  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Maybe test with Pre-Shared Key on both ends

  • StefanZ
    StefanZ Posts: 202  Master Member

    This is what Graylog receives in Debug Mode.
    (Yes, ending in "negotiation failed:" and then not following up with anything sure is cool)

  • StefanZ
    StefanZ Posts: 202  Master Member

    That won't help the VPN users, since they are not admins and get an OSX .mobileconfig file installed.

  • StefanZ
    StefanZ Posts: 202  Master Member

    I just compared the two config files:

    #1 is before reboot and update
    #2 is from after reboot and update

    They are the same file, no differences that are notable except the date and one setting I changed.

  • StefanZ
    StefanZ Posts: 202  Master Member

    Making new VPN gateways / connections fails with the same result.
    - I got a new DDNS for a free WAN IP
    - Made a new cert for the DDNS
    - New IKEv2 cert VPN gateway and connection

    Neither AES128 | SHA256 with DH2, DH14, DH21 (OSX pre-Sonoma)
    nor AES256 | SHA256 with DH19 (OSX Sonoma)
    manage to do anything beyond giving the same error.

    Message: Crypto operation failed (65539)

  • PeterUK
    PeterUK Posts: 3,503  Guru Member
    edited February 2024

    I take it the cert is valid in date?

    Maybe an update on the client side OS has caused this? Can you test by Windows or StrongSwan?

  • StefanZ
    StefanZ Posts: 202  Master Member

    Yes they are.

    But I just realized:
    It's February 29th!

    What are the odds, that might be the problem?
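    One way to rule the leap day in or out before digging further is to check the gateway certificates' validity windows against 2024-02-29 exactly as a strict X.509 parser would. The following is an added example, not code from the thread or from Zyxel; it parses RFC 5280 UTCTime and GeneralizedTime strings with the Python standard library and reports whether a constructed set of certificate windows covers the leap day. The certificate names and validity strings are made up for the demonstration.

```python
"""Check X.509 validity windows against a given instant, including the leap day."""
import re
from datetime import datetime, timezone

# RFC 5280: UTCTime is YYMMDDHHMMSSZ (years 1950-2049), GeneralizedTime is YYYYMMDDHHMMSSZ.
UTC_TIME = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
GEN_TIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")

# The instant under suspicion in the thread: midday on the leap day, UTC.
LEAP_DAY = datetime(2024, 2, 29, 12, 0, 0, tzinfo=timezone.utc)


def parse_x509_time(value: str) -> datetime:
    """Parse an X.509 time string into an aware UTC datetime.

    datetime() raises ValueError for impossible dates such as 2023-02-29,
    so a 29 February is only accepted when the year really is a leap year.
    """
    m = UTC_TIME.match(value)
    if m:
        yy = int(m.group(1))
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 two-digit year rule
        parts = [year] + [int(g) for g in m.groups()[1:]]
    else:
        m = GEN_TIME.match(value)
        if not m:
            raise ValueError(f"not an X.509 UTCTime/GeneralizedTime: {value!r}")
        parts = [int(g) for g in m.groups()]
    return datetime(*parts, tzinfo=timezone.utc)


def is_real_date(value: str) -> bool:
    """True if the string is a syntactically valid X.509 time for a date that exists."""
    try:
        parse_x509_time(value)
        return True
    except ValueError:
        return False


def validity_status(not_before: str, not_after: str, at: datetime) -> str:
    """Classify a certificate's validity window relative to the instant `at`."""
    nb = parse_x509_time(not_before)
    na = parse_x509_time(not_after)
    if nb > na:
        return "malformed"        # notBefore after notAfter: the cert can never be valid
    if at < nb:
        return "not-yet-valid"
    if at > na:
        return "expired"
    return "valid"


def check_gateways(certs: dict, at: datetime = LEAP_DAY) -> dict:
    """Return {gateway name: status} for every certificate window at the given instant."""
    return {name: validity_status(nb, na, at) for name, (nb, na) in certs.items()}


# Constructed sample: three gateway certificates, deliberately mixing time encodings.
SAMPLE_CERTS = {
    "vpn-gw-a (UTCTime, covers Feb 29)":      ("240101000000Z",   "250101000000Z"),
    "vpn-gw-b (UTCTime, ends Feb 28)":        ("230301000000Z",   "240228235959Z"),
    "vpn-gw-c (GeneralizedTime, starts Mar 1)": ("20240301000000Z", "20250301000000Z"),
}

if __name__ == "__main__":
    for name, status in check_gateways(SAMPLE_CERTS).items():
        print(f"{status:>14}  {name}")
    print("2023-02-29 accepted:", is_real_date("230229000000Z"))
    print("2024-02-29 accepted:", is_real_date("240229000000Z"))
```

    Feed `validity_status` the `notBefore`/`notAfter` strings of the real gateway certificates (for example copied from `openssl x509 -noout -dates`, converted to the raw ASN.1 form) and, if every window reports `valid` on the leap day, the certificate dates are not the cause and the failure has to be looked for elsewhere in the IKE_SA_INIT exchange.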

  • PeterUK
    PeterUK Posts: 3,503  Guru Member
    edited February 2024

    Well I tested here locally with a DDNS cert IKEv2 on FLEX200 as server role, connects OK by Windows

  • StefanZ
    StefanZ Posts: 202  Master Member

    Thanks for testing!

    I am not imagining this… 3 months of nonstop working well (except having to add a new gateway for OSX Sonoma) and then on restart it all goes to crap…

    This is gonna be a "fun" weekend…

  • mMontana
    mMontana Posts: 1,399  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary

    Coffee for @StefanZ