IKEv1 and IKEv2 many tunnels issues

PeterUK
PeterUK Posts: 3,389  Guru Member
edited September 13 in USG FLEX H Series

USG FLEX 200H V1.21(ABWV.0)ITS-24WK35-0813-240800592

I have not fully tested traffic down the tunnels; I am just going by status.

The test was between the FLEX200H and USG40 for three tunnels, with each Phase 1 encryption being different: AES128, 192 and 256.

Test one: FLEX200H IKEv1, all three tunnels nailed up to connect to USG40
Pass

Test two: USG40 IKEv1, all three tunnels nailed up to connect to FLEX200H (Responder Only)
Only one tunnel connects

Test three: FLEX200H IKEv2, all three tunnels nailed up to connect to USG40
Pass

Test four: USG40 IKEv2, all three tunnels nailed up to connect to FLEX200H (Responder Only)
Pass, but the USG40 shows all three up while the FLEX200H status shows only one; enabling one tunnel at a time then shows all up

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,409  Zyxel Employee

    Hi @PeterUK,

    Can I use the configuration you sent to me, DNS tunnels, to clarify this issue?

  • PeterUK
    PeterUK Posts: 3,389  Guru Member

    I will send you the config for testing later today.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,409  Zyxel Employee

    Hi @PeterUK,

    Please correct me if my guess is wrong.

    According to your configuration, it seems like you have many subnets that need to communicate via the tunnel. Since the H series differs from the ZLD firewall, we recommend using the VTI/route-based VPN for this scenario.

    Currently, the behavior of the H series will only hit the first rule when the H series is the responder-only role.

  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    edited September 30

    No, you should be able to have many tunnels at each end point as long as the Phase 1 encryption is different per tunnel.

    As said, for IKEv2 you can have either end nailed up and all tunnels connect fine (aside from the status on the FLEX200H being incorrect if the USG40 side nails up). For IKEv1, only the USG40 can get all tunnels up, and only if the FLEX200H is nailed up to it, not the other way round, which is a problem and is on the FLEX200H side.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,409  Zyxel Employee

    Hi @PeterUK,

    Thanks for pointing out the difference that I missed. After further checking with our team, we found that your configuration lacks local ID and remote ID. This will help identify the VPN tunnel for this scenario.

  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    edited October 4

    No, you don't need local ID and remote ID for this to work. Like I said, IKEv2 with three tunnels nailed up from one side or the other will all work; it's just IKEv1 on the FLEX200H side (being responder-only) that is not handling many tunnels, each with a different Phase 1 encryption. You can check this with non-H FLEX/USG models.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,409  Zyxel Employee
    edited October 16

    Hi @PeterUK

    This is due to different mechanisms. uOS uses IPremote[IDremote]-IPlocal[IDlocal] to compare VPN tunnels. That's why you find it different from ZLD. Since the previous cases were both three VPN tunnels using IPusg40[any]-IP200H[any], you may set the ID on the nailed-up side to make them different.
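    The matching rule described in the reply above, as an added illustrative model (not uOS or ZLD code, and not part of the original thread): the responder keys tunnel rules on IPremote[IDremote]-IPlocal[IDlocal] and takes the first hit, so three rules that differ only in Phase 1 encryption share one key, and only the first rule can ever be selected. Addresses, rule names and ID strings below are constructed for the example.

```python
"""Toy model of responder-side VPN rule selection keyed on
IPremote[IDremote]-IPlocal[IDlocal]. Illustrative only; not uOS or ZLD code.
All addresses, names and IDs are constructed for this example."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Tunnel:
    name: str
    remote_ip: str
    remote_id: str      # "any" = no ID configured (wildcard)
    local_ip: str
    local_id: str
    phase1_enc: str     # Phase 1 proposal this rule accepts

def selection_key(t: Tunnel):
    # The reply describes comparing IPremote[IDremote]-IPlocal[IDlocal];
    # the Phase 1 proposal is deliberately NOT part of this key.
    return (t.remote_ip, t.remote_id, t.local_ip, t.local_id)

def select_rule(rules, remote_ip, remote_id, local_ip, local_id) -> Optional[Tunnel]:
    """Return the first rule whose key matches the incoming peer (first hit wins)."""
    for t in rules:
        if (t.remote_ip, t.local_ip) != (remote_ip, local_ip):
            continue
        if t.remote_id not in ("any", remote_id):
            continue
        if t.local_id not in ("any", local_id):
            continue
        return t
    return None

def negotiate(rules, remote_ip, remote_id, local_ip, local_id, offered_enc):
    """Select a rule, then check whether the initiator's Phase 1 proposal fits it.
    Returns (rule_name, success); a mismatch models a failed Phase 1."""
    rule = select_rule(rules, remote_ip, remote_id, local_ip, local_id)
    if rule is None:
        return (None, False)
    return (rule.name, rule.phase1_enc == offered_enc)

def find_collisions(rules):
    """Rules sharing one selection key: only the first of each group can ever be hit."""
    groups = {}
    for t in rules:
        groups.setdefault(selection_key(t), []).append(t.name)
    return {k: names for k, names in groups.items() if len(names) > 1}

# Constructed responder-side config: three tunnels to the same peer, no IDs,
# differing only in Phase 1 encryption (mirrors the test setup in the thread).
USG40, FLEX = "198.51.100.40", "198.51.100.200"   # constructed addresses
NO_ID_RULES = [
    Tunnel("t1", USG40, "any", FLEX, "any", "aes128"),
    Tunnel("t2", USG40, "any", FLEX, "any", "aes192"),
    Tunnel("t3", USG40, "any", FLEX, "any", "aes256"),
]
# Same tunnels with a distinct ID set on the nailed-up (USG40) side, which the
# responder sees as the remote ID. ID strings are constructed.
ID_RULES = [
    Tunnel("t1", USG40, "usg40-t1", FLEX, "any", "aes128"),
    Tunnel("t2", USG40, "usg40-t2", FLEX, "any", "aes192"),
    Tunnel("t3", USG40, "usg40-t3", FLEX, "any", "aes256"),
]

def bring_up_all(rules, sent_ids):
    """Simulate the initiator nailing up every tunnel in turn, each presenting
    the given ID and its own Phase 1 proposal; return the tunnels that come up."""
    up = []
    for t, sent_id in zip(rules, sent_ids):
        name, ok = negotiate(rules, USG40, sent_id, FLEX, "any", t.phase1_enc)
        if ok:
            up.append(name)
    return up

if __name__ == "__main__":
    # Without IDs the initiator presents its IP; every tunnel hits rule t1.
    print("collisions without IDs:", find_collisions(NO_ID_RULES))
    print("tunnels up without IDs:", bring_up_all(NO_ID_RULES, [USG40] * 3))
    print("collisions with IDs:", find_collisions(ID_RULES))
    print("tunnels up with IDs:", bring_up_all(ID_RULES, [t.remote_id for t in ID_RULES]))
```

    Run stand-alone, the model reproduces the symptom from test two (one tunnel up, the other two failing Phase 1 against rule t1's proposal) and shows the collision disappearing once each rule carries a distinct remote ID. It only models the selection rule as stated in the reply; it says nothing about how either firmware actually negotiates proposals.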

  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    edited October 16

    I don't think that's the case here. I think IKEv1 has not been coded, when a tunnel connection comes in, to look at the FLEX200H Phase 1 encryption being different, so as to allow many tunnels each with a different encryption.

    The FLEX200H is not the nailed-up side.

    Like I say, IKEv2 on the FLEX200H, when the tunnel comes in, checks the Phase 1 encryption to allow different tunnels each with a different encryption, without local ID and remote ID set.

  • PeterUK
    PeterUK Posts: 3,389  Guru Member

    So after bringing this up in case #471441, even with Local/Remote ID there is a problem with IKEv1.