Certificate site to site not working?

PeterUK
PeterUK Posts: 3,326  Guru Member
100 Answers 2500 Comments Friend Collector Seventh Anniversary

USG FLEX 200H V1.21(ABWV.0)

So I have non H Flex200 with USG60W working with Certificate site to site but can't seem to get USG60W with Flex200H working:

USG60W is set with Phase 1 Certificate zyxel-router4.ddns.net and have imported zyxel-router7.ddns.net to trusted Certificate
Flex200H is set with Phase 1 Certificate zyxel-router7.ddns.net and have imported zyxel-router4.ddns.net to trusted Certificate


from USG60W

4 23/07/24 16:37 info IKE IKE SA [GWtoflex200H_local] is disconnected 192.168.254.9:500   192.168.254.10:500     IKE_LOG
5 23/07/24 16:37 info IKE Dynamic Tunnel [GWtoflex200H_local:GWtoflex200H_local2:0xcc913d0b] built successfully 192.168.254.9:500   192.168.254.10:500     IKE_LOG
6 23/07/24 16:37 info IKE [ESP aes-cbc|hmac-sha1-96][SPI 0x7d96285b|0xcc913d0b][Lifetime 200] 192.168.254.9:500   192.168.254.10:500     IKE_LOG
7 23/07/24 16:37 info IKE [Policy: ipv4(192.168.252.0-192.168.253.255)-ipv4(192.168.255.64-192.168.255.79)] 192.168.254.9:500   192.168.254.10:500     IKE_LOG
8 23/07/24 16:37 info IKE [Responder:192.168.254.9][Initiator:192.168.254.10] 192.168.254.9:500   192.168.254.10:500     IKE_LOG
9 23/07/24 16:37 info IKE IKE SA negotiation process done 192.168.254.9:500   192.168.254.10:500     IKE_LOG
10 23/07/24 16:37 info IKE [AUTH] Send:[IDr][CERT][AUTH][SAr2][TSi][TSr][NOTIFY][NOTIFY] 192.168.254.9:500   192.168.254.10:500     IKE_LOG
11 23/07/24 16:37 info IKE Recv TSi: ipv4(192.168.255.64-192.168.255.79), TSr: ipv4(192.168.252.0-192.168.253.255). 192.168.254.10:500   192.168.254.9:500     IKE_LOG
12 23/07/24 16:37 info IKE Recv IPSec sa: SA([0] protocol = ESP (3), spi_len = 4, spi = 0xcc913d0b, AES CBC key len = 128, HMAC-SHA1-96, No ESN; ). 192.168.254.10:500   192.168.254.9:500     IKE_LOG
13 23/07/24 16:37 info IKE [AUTH] Recv:[IDi][CERT][CERTREQ][AUTH][SA][TSi][TSr][NOTIFY][NOTIFY] 192.168.254.10:500   192.168.254.9:500     IKE_LOG
14 23/07/24 16:37 info IKE [INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID] 192.168.254.9:500   192.168.254.10:500     IKE_LOG
15 23/07/24 16:37 info IKE The cookie pair is : 0x56788ca90b2e5195 / 0x4dc83c4be0383a45 [count=8] 192.168.254.9:500   192.168.254.10:500     IKE_LOG
16 23/07/24 16:37 info IKE Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 128, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; ). 192.168.254.10:500   192.168.254.9:500     IKE_LOG
17 23/07/24 16:37 info IKE [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY][NOTIFY][VID][VID] 192.168.254.10:500   192.168.254.9:500     IKE_LOG
18 23/07/24 16:37 info IKE Receiving IKEv2 request 192.168.254.10:500   192.168.254.9:500     IKE_LOG
19 23/07/24 16:37 info IKE The cookie pair is : 0x4dc83c4be0383a45 / 0x56788ca90b2e5195 [count=3] 192.168.254.10:500   192.168.254.9:500     IKE_LOG
from Flex200H

29 2024-07-23 16:37:33 IPSec VPN
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
192.168.254.10 192.168.254.9 500
30 2024-07-23 16:37:33 IPSec VPN
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
192.168.254.9 192.168.254.10 500
35 2024-07-23 16:37:31 IPSec VPN
generating IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
192.168.254.10 192.168.254.9 500
36 2024-07-23 16:37:31 IPSec VPN
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
192.168.254.10 192.168.254.9 500
37 2024-07-23 16:37:31 IPSec VPN
configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
192.168.254.10 192.168.254.9 500
38 2024-07-23 16:37:31 IPSec VPN
received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
192.168.254.9 192.168.254.10 500
39 2024-07-23 16:37:31 IPSec VPN
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HTTP_CERT_LOOK) CERTREQ V V V V V ]
192.168.254.9 192.168.254.10 500
40 2024-07-23 16:37:31 IPSec VPN
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V V ]
192.168.254.10 192.168.254.9 500
41 2024-07-23 16:37:31 IPSec VPN
initiating IKE_SA TuneltoUSG60W_local3[19] to 192.168.254.9
192.168.254.10 192.168.254.9 500
42 2024-07-23 16:37:31 IPSec VPN
IKE_SA: TuneltoUSG60W_local3, resolve other: 192.168.254.9
0.0.0.0 0.0.0.0 0
43 2024-07-23 16:37:30 IPSec VPN
In trap, IKE_SA: TuneltoUSG60W_local3, resolve other: 192.168.254.9
0.0.0.0 0.0.0.0 0

Accepted Solution

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    Answer ✓

    update2

    Ok so their is a big change on the FLEX H when it comes to  trusted Certificate on older models you can import your Certificate with USG showing as "incomplete path" and it works

    With Flex H you can't get a way with that and must install intermediate Certification and Root

    in order to get this

    Then the VPN site to site works

All Replies

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited July 26

    update So I now test with the following to Certificate to rule out DNS:

    USG60W is set with Phase 1 Certificate dnsip1.ddns.net and have imported dnsip11.ddns.net to trusted Certificate

    Flex200H is set with Phase 1 Certificate dnsip11.ddns.net and have imported dnsip1.ddns.net to trusted Certificate

    DNS internally dnsip1.ddns.net 192.168.254.9

    DNS internally dnsip11.ddns.net 192.168.254.10

    I did Certificates IP and that worked then did

    USG60W is set with Phase 1 IP 192.168.254.9 Certificate and have imported dnsip11.ddns.net to trusted Certificate

    with

    Flex200H is set with Phase 1 Certificate dnsip11.ddns.net and have imported IP 192.168.254.9 Certificate to trusted Certificate

    That works

    But it seems the FLEX200H is not accepting the USG60W Certificate of dnsip1.ddns.net

    USG60W is set with Phase 1 dnsip1.ddns.net Certificate and have imported dnsip11.ddns.net to trusted Certificate

    with

    Flex200H is set with Phase 1 Certificate dnsip11.ddns.net and have imported dnsip1.ddns.net Certificate to trusted Certificate

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    Answer ✓

    update2

    Ok so their is a big change on the FLEX H when it comes to  trusted Certificate on older models you can import your Certificate with USG showing as "incomplete path" and it works

    With Flex H you can't get a way with that and must install intermediate Certification and Root

    in order to get this

    Then the VPN site to site works