Certificate site to site not working?
USG FLEX 200H V1.21(ABWV.0)
So I have a non-H Flex200 with a USG60W working with certificate site-to-site, but I can't seem to get the USG60W with the Flex200H working:
USG60W is set with Phase 1 certificate zyxel-router4.ddns.net and has imported zyxel-router7.ddns.net as a trusted certificate
Flex200H is set with Phase 1 certificate zyxel-router7.ddns.net and has imported zyxel-router4.ddns.net as a trusted certificate
From USG60W:
4 23/07/24 16:37 info IKE IKE SA [GWtoflex200H_local] is disconnected 192.168.254.9:500 192.168.254.10:500 IKE_LOG
5 23/07/24 16:37 info IKE Dynamic Tunnel [GWtoflex200H_local:GWtoflex200H_local2:0xcc913d0b] built successfully 192.168.254.9:500 192.168.254.10:500 IKE_LOG
6 23/07/24 16:37 info IKE [ESP aes-cbc|hmac-sha1-96][SPI 0x7d96285b|0xcc913d0b][Lifetime 200] 192.168.254.9:500 192.168.254.10:500 IKE_LOG
7 23/07/24 16:37 info IKE [Policy: ipv4(192.168.252.0-192.168.253.255)-ipv4(192.168.255.64-192.168.255.79)] 192.168.254.9:500 192.168.254.10:500 IKE_LOG
8 23/07/24 16:37 info IKE [Responder:192.168.254.9][Initiator:192.168.254.10] 192.168.254.9:500 192.168.254.10:500 IKE_LOG
9 23/07/24 16:37 info IKE IKE SA negotiation process done 192.168.254.9:500 192.168.254.10:500 IKE_LOG
10 23/07/24 16:37 info IKE [AUTH] Send:[IDr][CERT][AUTH][SAr2][TSi][TSr][NOTIFY][NOTIFY] 192.168.254.9:500 192.168.254.10:500 IKE_LOG
11 23/07/24 16:37 info IKE Recv TSi: ipv4(192.168.255.64-192.168.255.79), TSr: ipv4(192.168.252.0-192.168.253.255). 192.168.254.10:500 192.168.254.9:500 IKE_LOG
12 23/07/24 16:37 info IKE Recv IPSec sa: SA([0] protocol = ESP (3), spi_len = 4, spi = 0xcc913d0b, AES CBC key len = 128, HMAC-SHA1-96, No ESN; ). 192.168.254.10:500 192.168.254.9:500 IKE_LOG
13 23/07/24 16:37 info IKE [AUTH] Recv:[IDi][CERT][CERTREQ][AUTH][SA][TSi][TSr][NOTIFY][NOTIFY] 192.168.254.10:500 192.168.254.9:500 IKE_LOG
14 23/07/24 16:37 info IKE [INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID] 192.168.254.9:500 192.168.254.10:500 IKE_LOG
15 23/07/24 16:37 info IKE The cookie pair is : 0x56788ca90b2e5195 / 0x4dc83c4be0383a45 [count=8] 192.168.254.9:500 192.168.254.10:500 IKE_LOG
16 23/07/24 16:37 info IKE Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 128, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; ). 192.168.254.10:500 192.168.254.9:500 IKE_LOG
17 23/07/24 16:37 info IKE [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY][NOTIFY][VID][VID] 192.168.254.10:500 192.168.254.9:500 IKE_LOG
18 23/07/24 16:37 info IKE Receiving IKEv2 request 192.168.254.10:500 192.168.254.9:500 IKE_LOG
19 23/07/24 16:37 info IKE The cookie pair is : 0x4dc83c4be0383a45 / 0x56788ca90b2e5195 [count=3] 192.168.254.10:500 192.168.254.9:500 IKE_LOG
From Flex200H:
29 2024-07-23 16:37:33 IPSec VPN
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
192.168.254.10 192.168.254.9 500
30 2024-07-23 16:37:33 IPSec VPN
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
192.168.254.9 192.168.254.10 500
35 2024-07-23 16:37:31 IPSec VPN
generating IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
192.168.254.10 192.168.254.9 500
36 2024-07-23 16:37:31 IPSec VPN
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
192.168.254.10 192.168.254.9 500
37 2024-07-23 16:37:31 IPSec VPN
configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
192.168.254.10 192.168.254.9 500
38 2024-07-23 16:37:31 IPSec VPN
received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
192.168.254.9 192.168.254.10 500
39 2024-07-23 16:37:31 IPSec VPN
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HTTP_CERT_LOOK) CERTREQ V V V V V ]
192.168.254.9 192.168.254.10 500
40 2024-07-23 16:37:31 IPSec VPN
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V V ]
192.168.254.10 192.168.254.9 500
41 2024-07-23 16:37:31 IPSec VPN
initiating IKE_SA TuneltoUSG60W_local3[19] to 192.168.254.9
192.168.254.10 192.168.254.9 500
42 2024-07-23 16:37:31 IPSec VPN
IKE_SA: TuneltoUSG60W_local3, resolve other: 192.168.254.9
0.0.0.0 0.0.0.0 0
43 2024-07-23 16:37:30 IPSec VPN
In trap, IKE_SA: TuneltoUSG60W_local3, resolve other: 192.168.254.9
0.0.0.0 0.0.0.0 0
Accepted Solution
update2
OK, so there is a big change on the FLEX H when it comes to trusted certificates. On older models you can import your certificate with the USG showing it as "incomplete path" and it works.
With the Flex H you can't get away with that and must install the intermediate certificate and the root certificate in order to get this.
Then the VPN site-to-site works.
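The accepted solution turns on how strictly the peer's certificate path is built: a trust store holding only the other router's leaf certificate is an "incomplete path" unless the validator accepts partial chains. The script below is an added example, not from this thread or from Zyxel, that reproduces both outcomes with the openssl CLI on a throwaway root/intermediate/leaf PKI; all names and files are constructed for the demo, and `-partial_chain` is used here only as an analogue of the older models' behaviour.

```shell
#!/bin/sh
# Added example (not from the thread or from Zyxel): reproduce the "incomplete
# path" vs full-chain behaviour with the openssl CLI. All names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway PKI: self-signed root -> intermediate CA -> router leaf certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.pem 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -days 1 -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out int.pem 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:zyxel-router4.ddns.net\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=zyxel-router4.ddns.net" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -days 1 -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -extfile leaf.ext -out leaf.pem 2>/dev/null
cat root.pem int.pem > trusted.pem

# Each check returns 0 when openssl accepts leaf.pem against the given trust store.
# Only the peer's leaf is trusted: strict path building cannot reach a self-signed
# root, which is the "incomplete path" the older USG tolerated.
leaf_only_strict()  { openssl verify -CAfile leaf.pem leaf.pem >/dev/null 2>&1; }
# Same store, but allow a partial chain: the analogue of the old-model behaviour.
leaf_only_partial() { openssl verify -partial_chain -CAfile leaf.pem leaf.pem >/dev/null 2>&1; }
# Root trusted but intermediate missing: still no complete path.
root_only()         { openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; }
# Root and intermediate both imported as trusted: the setup the FLEX H requires.
full_chain()        { openssl verify -CAfile trusted.pem leaf.pem >/dev/null 2>&1; }

for check in leaf_only_strict leaf_only_partial root_only full_chain; do
  if "$check"; then echo "$check: accepted"; else echo "$check: rejected"; fi
done
```

Running it prints one line per trust-store layout; only the partial-chain case and the root-plus-intermediate case are accepted, which matches the fix in the accepted solution.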
All Replies
Update: So I now tested with the following two certificates to rule out DNS:
USG60W is set with Phase 1 certificate dnsip1.ddns.net and has imported dnsip11.ddns.net as a trusted certificate
Flex200H is set with Phase 1 certificate dnsip11.ddns.net and has imported dnsip1.ddns.net as a trusted certificate
DNS internally: dnsip1.ddns.net 192.168.254.9
DNS internally: dnsip11.ddns.net 192.168.254.10
I did IP certificates and that worked, then did:
USG60W is set with Phase 1 IP 192.168.254.9 certificate and has imported dnsip11.ddns.net as a trusted certificate
with
Flex200H is set with Phase 1 certificate dnsip11.ddns.net and has imported the IP 192.168.254.9 certificate as a trusted certificate
That works.
But it seems the FLEX200H is not accepting the USG60W certificate of dnsip1.ddns.net:
USG60W is set with Phase 1 dnsip1.ddns.net certificate and has imported dnsip11.ddns.net as a trusted certificate
with
Flex200H is set with Phase 1 certificate dnsip11.ddns.net and has imported the dnsip1.ddns.net certificate as a trusted certificate