Certificate site to site not working?

PeterUK
PeterUK Posts: 3,118  Guru Member
Community MVP 2500 Comments Sixth Anniversary 100 Answers
in USG FLEX H Series

USG FLEX 200H V1.21(ABWV.0)

So I have non H Flex200 with USG60W working with Certificate site to site but can't seem to get USG60W with Flex200H working:

USG60W is set with Phase 1 Certificate zyxel-router4.ddns.net and have imported zyxel-router7.ddns.net to trusted Certificate
Flex200H is set with Phase 1 Certificate zyxel-router7.ddns.net and have imported zyxel-router4.ddns.net to trusted Certificate



from USG60W


4	23/07/24 16:37	info	IKE	IKE SA [GWtoflex200H_local] is disconnected	192.168.254.9:500	 	192.168.254.10:500	 	 	IKE_LOG

5	23/07/24 16:37	info	IKE	Dynamic Tunnel [GWtoflex200H_local:GWtoflex200H_local2:0xcc913d0b] built successfully	192.168.254.9:500	 	192.168.254.10:500	 	 	IKE_LOG

6	23/07/24 16:37	info	IKE	[ESP aes-cbc|hmac-sha1-96][SPI 0x7d96285b|0xcc913d0b][Lifetime 200]	192.168.254.9:500	 	192.168.254.10:500	 	 	IKE_LOG

7	23/07/24 16:37	info	IKE	[Policy: ipv4(192.168.252.0-192.168.253.255)-ipv4(192.168.255.64-192.168.255.79)]	192.168.254.9:500	 	192.168.254.10:500	 	 	IKE_LOG

8	23/07/24 16:37	info	IKE	[Responder:192.168.254.9][Initiator:192.168.254.10]	192.168.254.9:500	 	192.168.254.10:500	 	 	IKE_LOG

9	23/07/24 16:37	info	IKE	IKE SA negotiation process done	192.168.254.9:500	 	192.168.254.10:500	 	 	IKE_LOG

10	23/07/24 16:37	info	IKE	[AUTH] Send:[IDr][CERT][AUTH][SAr2][TSi][TSr][NOTIFY][NOTIFY]	192.168.254.9:500	 	192.168.254.10:500	 	 	IKE_LOG

11	23/07/24 16:37	info	IKE	Recv TSi: ipv4(192.168.255.64-192.168.255.79), TSr: ipv4(192.168.252.0-192.168.253.255).	192.168.254.10:500	 	192.168.254.9:500	 	 	IKE_LOG

12	23/07/24 16:37	info	IKE	Recv IPSec sa: SA([0] protocol = ESP (3), spi_len = 4, spi = 0xcc913d0b, AES CBC key len = 128, HMAC-SHA1-96, No ESN; ).	192.168.254.10:500	 	192.168.254.9:500	 	 	IKE_LOG

13	23/07/24 16:37	info	IKE	[AUTH] Recv:[IDi][CERT][CERTREQ][AUTH][SA][TSi][TSr][NOTIFY][NOTIFY]	192.168.254.10:500	 	192.168.254.9:500	 	 	IKE_LOG

14	23/07/24 16:37	info	IKE	[INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID]	192.168.254.9:500	 	192.168.254.10:500	 	 	IKE_LOG

15	23/07/24 16:37	info	IKE	The cookie pair is : 0x56788ca90b2e5195 / 0x4dc83c4be0383a45 [count=8]	192.168.254.9:500	 	192.168.254.10:500	 	 	IKE_LOG

16	23/07/24 16:37	info	IKE	Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 128, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; ).	192.168.254.10:500	 	192.168.254.9:500	 	 	IKE_LOG

17	23/07/24 16:37	info	IKE	[INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY][NOTIFY][VID][VID]	192.168.254.10:500	 	192.168.254.9:500	 	 	IKE_LOG

18	23/07/24 16:37	info	IKE	Receiving IKEv2 request	192.168.254.10:500	 	192.168.254.9:500	 	 	IKE_LOG

19	23/07/24 16:37	info	IKE	The cookie pair is : 0x4dc83c4be0383a45 / 0x56788ca90b2e5195 [count=3]	192.168.254.10:500	 	192.168.254.9:500	 	 	IKE_LOG
from Flex200H


29	2024-07-23 16:37:33	IPSec VPN	

generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

192.168.254.10	192.168.254.9	500		

30	2024-07-23 16:37:33	IPSec VPN	

parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]

192.168.254.9	192.168.254.10	500		

35	2024-07-23 16:37:31	IPSec VPN	

generating IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

192.168.254.10	192.168.254.9	500		

36	2024-07-23 16:37:31	IPSec VPN	

selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

192.168.254.10	192.168.254.9	500		

37	2024-07-23 16:37:31	IPSec VPN	

configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

192.168.254.10	192.168.254.9	500		

38	2024-07-23 16:37:31	IPSec VPN	

received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

192.168.254.9	192.168.254.10	500		

39	2024-07-23 16:37:31	IPSec VPN	

parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HTTP_CERT_LOOK) CERTREQ V V V V V ]

192.168.254.9	192.168.254.10	500		

40	2024-07-23 16:37:31	IPSec VPN	

generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V V ]

192.168.254.10	192.168.254.9	500		

41	2024-07-23 16:37:31	IPSec VPN	

initiating IKE_SA TuneltoUSG60W_local3[19] to 192.168.254.9

192.168.254.10	192.168.254.9	500		

42	2024-07-23 16:37:31	IPSec VPN	

IKE_SA: TuneltoUSG60W_local3, resolve other: 192.168.254.9

0.0.0.0	0.0.0.0	0		

43	2024-07-23 16:37:30	IPSec VPN	

In trap, IKE_SA: TuneltoUSG60W_local3, resolve other: 192.168.254.9

0.0.0.0	0.0.0.0	0

Accepted Solution

  • PeterUK
    PeterUK Posts: 3,118  Guru Member
    Community MVP 2500 Comments Sixth Anniversary 100 Answers
    Answer ✓

    update2

    Ok so their is a big change on the FLEX H when it comes to  trusted Certificate on older models you can import your Certificate with USG showing as "incomplete path" and it works

    Screenshot 2024-07-26 194031.png

    With Flex H you can't get a way with that and must install intermediate Certification and Root

    Screenshot 2024-07-26 194237.png

    in order to get this

    Screenshot 2024-07-26 194152.png

    Then the VPN site to site works

All Replies

  • PeterUK
    PeterUK Posts: 3,118  Guru Member
    Community MVP 2500 Comments Sixth Anniversary 100 Answers
    edited July 26

    update So I now test with the following to Certificate to rule out DNS:

    USG60W is set with Phase 1 Certificate dnsip1.ddns.net and have imported dnsip11.ddns.net to trusted Certificate

    Flex200H is set with Phase 1 Certificate dnsip11.ddns.net and have imported dnsip1.ddns.net to trusted Certificate

    DNS internally dnsip1.ddns.net 192.168.254.9

    DNS internally dnsip11.ddns.net 192.168.254.10

    I did Certificates IP and that worked then did

    USG60W is set with Phase 1 IP 192.168.254.9 Certificate and have imported dnsip11.ddns.net to trusted Certificate

    with

    Flex200H is set with Phase 1 Certificate dnsip11.ddns.net and have imported IP 192.168.254.9 Certificate to trusted Certificate

    That works

    But it seems the FLEX200H is not accepting the USG60W Certificate of dnsip1.ddns.net

    USG60W is set with Phase 1 dnsip1.ddns.net Certificate and have imported dnsip11.ddns.net to trusted Certificate

    with

    Flex200H is set with Phase 1 Certificate dnsip11.ddns.net and have imported dnsip1.ddns.net Certificate to trusted Certificate

  • PeterUK
    PeterUK Posts: 3,118  Guru Member
    Community MVP 2500 Comments Sixth Anniversary 100 Answers
    Answer ✓

    update2

    Ok so their is a big change on the FLEX H when it comes to  trusted Certificate on older models you can import your Certificate with USG showing as "incomplete path" and it works

    Screenshot 2024-07-26 194031.png

    With Flex H you can't get a way with that and must install intermediate Certification and Root

    Screenshot 2024-07-26 194237.png

    in order to get this

    Screenshot 2024-07-26 194152.png

    Then the VPN site to site works

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)