ZyXEL SecuExtender "request configuration from the gateway"
I have a problem setting up Client 2 Site with IKEv2. On the firewall I already have a Site 2 Site with preshared key which works fine. I now want to add a client 2 site, but as long as the Site 2 Site is turned on, I cannot connect with SecuExtender, unless I turn off "Request configuration from the gateway".
This means that I get a 10.10.10.10. I can then access resources, but that means that I cannot apply Security policy on VPN Rules.
- How can I deny clients to use their own configuration?
- Why isn't the firewall selecting the right gateway for the client to site configuration?
All Replies
Hi @nielsscheldeman,
To better assist you, could you help to clarify some questions?
- What firmware (and firmware version) and SecuExtender version were you using?
- Could you share your configuration so I can check for any configuration conflicts?
"I cannot connect with SecuExtender, unless I turn off 'Request configuration from the gateway'"
May I know what option is the "Request configuration from the gateway"? Do you mean the "Get from server" feature on SecuExtender?
"How can I deny clients to use their own configuration?"
What is their own configuration?
Zyxel Melen
Ok, before I answer your questions, I have made improvements, but still not how it has to be.
Situation:
- 1 Site to Site VPN-Gateway / VPN Connection
- 1 Client to Site VPN-Gateway / VPN Connection
Both IKEv2
If I make Site to Site VPN-Gateway / VPN Connection with static peer, I am able to also connect my client to site connection.
If I make Site to Site with Dynamic peer, I am unable to connect my client to site connection unless I say in SecuExtender client on laptop under Traffic Selectors "request configuration from the gateway", but then client decides which IP it gets. It then tries to connect to wrong gateway.
But I cannot make the site to site VPN with static peer, because the other side is dynamic IP.
How do I tell the firewall that incoming client to site connection has to be used on the other gateway? I use 2 gateways because site to site is with preshared key and client to site is with self signed certificate and connected with AD. I don't see where for example I can use another port.
So in short: my client to site vpn tries to connect to the wrong gateway if I tell the site 2 site that it has to be used with dynamic peer.
Extra update: Pretty close to a decent solution: If I select a slightly different encryption (SHA512 instead of SHA256), so encryption on both gateways is a little different, then it works. But for bonus points, isn't there a solution to use exactly the same encryption and still get it to work that the firewall picks the right gateway on the incoming connection?
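A simplified model of the gateway-selection problem described in the post above (added illustration, not Zyxel's or SecuExtender's code; the matching order, the gateway names and the proposal sets are assumptions). At IKE_SA_INIT the responder only sees the peer's source address and its SA proposals, so two dynamic-peer gateways with identical proposals are indistinguishable until the hash differs or one gateway gets a static peer:

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class Proposal:
    encr: str   # e.g. "aes256"
    integ: str  # e.g. "sha256"
    dh: int     # DH group number

@dataclass(frozen=True)
class Gateway:
    name: str
    peer: Optional[str]   # static peer IP, or None for a dynamic peer
    proposals: tuple      # Proposal objects this gateway accepts
    auth: str             # "psk" or "cert"; hypothetical, only visible later at IKE_AUTH

def select_gateway(gateways: Sequence[Gateway], src_ip: str,
                   offered: Sequence[Proposal]) -> Optional[Gateway]:
    """Model of responder gateway selection at IKE_SA_INIT (assumption, not Zyxel's code).
    Only the peer's source IP and its SA proposals are known here; the authentication
    method and identity arrive later, in IKE_AUTH, so they cannot steer the choice
    between two dynamic-peer gateways."""
    for gw in gateways:  # an exact static-peer match is the strongest signal
        if gw.peer == src_ip and any(p in offered for p in gw.proposals):
            return gw
    for gw in gateways:  # otherwise the first dynamic-peer gateway with a matching proposal wins
        if gw.peer is None and any(p in offered for p in gw.proposals):
            return gw
    return None

# Constructed sample data mirroring the thread: one site-to-site (PSK) and one
# client-to-site (certificate) gateway on the same firewall.
SHA256 = Proposal("aes256", "sha256", 14)
SHA512 = Proposal("aes256", "sha512", 14)
CLIENT_IP = "198.51.100.7"  # roaming SecuExtender client (documentation address)

def demo_identical_proposals() -> str:
    gws = [Gateway("S2S", None, (SHA256,), "psk"), Gateway("C2S", None, (SHA256,), "cert")]
    return select_gateway(gws, CLIENT_IP, [SHA256]).name  # "S2S": client lands on the wrong gateway

def demo_distinct_hash() -> str:
    gws = [Gateway("S2S", None, (SHA256,), "psk"), Gateway("C2S", None, (SHA512,), "cert")]
    return select_gateway(gws, CLIENT_IP, [SHA512]).name  # "C2S": the differing hash disambiguates

def demo_static_peer() -> str:
    gws = [Gateway("S2S", "203.0.113.5", (SHA256,), "psk"), Gateway("C2S", None, (SHA256,), "cert")]
    return select_gateway(gws, CLIENT_IP, [SHA256]).name  # "C2S": a static peer is no longer a candidate
```

The model reproduces the three observations in the thread: identical proposals on two dynamic-peer gateways send the client to the site-to-site gateway, a different hash routes it correctly, and a static peer on the site-to-site gateway removes it from the candidate list.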
Hi @nielsscheldeman,
To investigate this issue better, please share the configuration you issued. You may send it to me via community message.
Zyxel Melen