ZyXEL SecuExtender "request configuration from the gateway"

nielsscheldeman
nielsscheldeman Posts: 51  Ally Member

I have a problem setting up Client 2 Site with IKEv2. On the firewall I already have a Site 2 Site with a preshared key, which works fine. I now want to add a client 2 site, but as long as the Site 2 Site is turned on, I cannot connect with SecuExtender unless I turn off "Request configuration from the gateway".

This means that I get a 10.10.10.10. I can then access resources, but that means that I cannot apply a Security Policy on VPN rules.

  • How can I deny clients the use of their own configuration?
  • Why isn't the firewall selecting the right gateway for the client-to-site configuration?

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,527  Zyxel Employee

    Hi @nielsscheldeman,

    To better assist you, could you help to clarify some questions?

    1. Which firmware, firmware version, and SecuExtender version were you using?
    2. Could you share your configuration so I can check for any configuration conflicts?
    3. "I cannot connect with SecuExtender, unless I turn off 'Request configuration from the gateway'": may I know which option "Request configuration from the gateway" is? Do you mean the "Get from server" feature in SecuExtender?
    4. "How can I deny clients the use of their own configuration?": what is "their own configuration"?

    Zyxel Melen


  • nielsscheldeman
    nielsscheldeman Posts: 51  Ally Member
    edited December 3

    OK, before I answer your questions: I have made some improvement, but it is still not how it has to be.

    Situation:

    • 1 Site to Site VPN-Gateway / VPN Connection
    • 1 Client to Site VPN-Gateway / VPN Connection

    Both IKEv2

    If I make the Site to Site VPN Gateway / VPN Connection with a static peer, I am also able to connect my client-to-site connection.

    If I make the Site to Site with a dynamic peer, I am unable to connect my client-to-site connection unless I select, in the SecuExtender client on the laptop under Traffic Selectors, "request configuration from the gateway", but then the client decides which IP it gets. It then tries to connect to the wrong gateway.

    But I cannot make the site-to-site VPN with a static peer, because the other side has a dynamic IP.

    How do I tell the firewall that the incoming client-to-site connection has to use the other gateway? I use two gateways because the site-to-site uses a preshared key and the client-to-site uses a self-signed certificate and is connected with AD. I don't see where I could, for example, use another port.

    So in short: my client-to-site VPN tries to connect to the wrong gateway if I tell the site-to-site that it has to be used with a dynamic peer.

    Extra update: pretty close to a decent solution. If I select a slightly different encryption (SHA512 instead of SHA256), so that the encryption on both gateways is slightly different, then it works. But for bonus points: isn't there a solution to use exactly the same encryption and still have the firewall pick the right gateway for an incoming connection?
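The behaviour reported in the post above (static peer works, dynamic peer with identical proposals collides, a different integrity algorithm disambiguates) is what you would expect if the responder picks its gateway profile during IKE_SA_INIT, where it only knows the initiator's source address and the proposals it offers; the IKE identity and the authentication method (PSK vs certificate) are sent later, in IKE_AUTH. The following is an added example written for this thread, not Zyxel's code or configuration: it is a simplified model of that selection logic. The gateway names, proposal tuples, configuration-order tie-break and the IP addresses (documentation ranges) are all constructed assumptions.

```python
"""Simplified model of IKEv2 gateway-profile selection on a responder.

Added example for this thread, not Zyxel firmware behaviour. Assumptions:
the responder picks a gateway profile during IKE_SA_INIT using only the
initiator's source address and offered proposals, and among dynamic-peer
gateways the first one in configuration order that accepts a proposal wins.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple

# A proposal is modelled as (encryption, integrity, PRF, DH group).
Proposal = Tuple[str, str, str, str]


@dataclass(frozen=True)
class Gateway:
    name: str
    peer_ip: Optional[str]          # None means "dynamic peer" (any address)
    proposals: FrozenSet[Proposal]


@dataclass(frozen=True)
class IkeSaInit:
    src_ip: str                     # source address of the IKE_SA_INIT packet
    proposals: Tuple[Proposal, ...]  # SA payload offered by the initiator


def select_gateway(gateways: Sequence[Gateway], init: IkeSaInit) -> Optional[str]:
    """Return the name of the gateway profile chosen for an IKE_SA_INIT.

    1. A gateway whose static peer address equals the source IP wins.
    2. Otherwise the first dynamic-peer gateway (configuration order, an
       assumption of this model) that accepts one of the offered proposals.
    Identity and auth method are not available yet, so they cannot be used.
    """
    def accepts(gw: Gateway) -> bool:
        return any(p in gw.proposals for p in init.proposals)

    for gw in gateways:
        if gw.peer_ip is not None and gw.peer_ip == init.src_ip and accepts(gw):
            return gw.name
    for gw in gateways:
        if gw.peer_ip is None and accepts(gw):
            return gw.name
    return None


SHA256: Proposal = ("aes256", "hmac-sha256", "prf-sha256", "modp2048")
SHA512: Proposal = ("aes256", "hmac-sha512", "prf-sha512", "modp2048")

# Constructed sample initiators: a road-warrior laptop and the branch router.
LAPTOP = IkeSaInit(src_ip="198.51.100.7", proposals=(SHA256,))
BRANCH = IkeSaInit(src_ip="203.0.113.5", proposals=(SHA256,))


def scenario_static_peer() -> Tuple[Optional[str], Optional[str]]:
    """Site-to-site with a static peer: laptop and branch both land correctly."""
    s2s = Gateway("s2s-psk", "203.0.113.5", frozenset({SHA256}))
    c2s = Gateway("c2s-cert", None, frozenset({SHA256}))
    return select_gateway([s2s, c2s], LAPTOP), select_gateway([s2s, c2s], BRANCH)


def scenario_dynamic_same_proposal() -> Optional[str]:
    """Both gateways dynamic with identical proposals: the laptop hits s2s."""
    s2s = Gateway("s2s-psk", None, frozenset({SHA256}))
    c2s = Gateway("c2s-cert", None, frozenset({SHA256}))
    return select_gateway([s2s, c2s], LAPTOP)


def scenario_dynamic_distinct_proposal() -> Tuple[Optional[str], Optional[str]]:
    """Site-to-site moved to SHA512: the proposal alone now disambiguates."""
    s2s = Gateway("s2s-psk", None, frozenset({SHA512}))
    c2s = Gateway("c2s-cert", None, frozenset({SHA256}))
    branch512 = IkeSaInit(src_ip=BRANCH.src_ip, proposals=(SHA512,))
    return select_gateway([s2s, c2s], LAPTOP), select_gateway([s2s, c2s], branch512)


if __name__ == "__main__":
    print("static peer        :", scenario_static_peer())
    print("dynamic, same prop :", scenario_dynamic_same_proposal())
    print("dynamic, distinct  :", scenario_dynamic_distinct_proposal())
```

In this model the SHA512/SHA256 split is the only information left in IKE_SA_INIT that tells the two dynamic-peer gateways apart, which is why the workaround in the post works; whether a given firewall can also re-select the profile after IKE_AUTH, once the IKE ID and certificate are known, is not something this model or the thread establishes.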

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,527  Zyxel Employee

    Hi @nielsscheldeman,

    To investigate this issue better, please share the configuration you used. You may send it to me via community message.

    Zyxel Melen
