IPSEC VPN behind a NAT

Fabio · January 6

I am try to setup an IPSEC VPN, between and USG 310 and USG 20W.

But the USG 20W is behind a NAT, because the internet provider give the service behind a NAT.

I try to setup but even in the NAT Traversal flag is on I cannot make it working.

Below the logs, do you you have any suggestion?

No. Date/Time Source Destination

Priority Category Note

Message

1 2025-01-06 09:38:59 203.117.54.202:500 172.31.131.146:500

info ike IKE_LOG

The cookie pair is : 0x431ece11ac01c980 / 0xfc9cef460ae6c731

2 2025-01-06 09:38:59 203.117.54.202:500 172.31.131.146:500

info ike IKE_LOG

Recv:[NOTIFY:NO_PROPOSAL_CHOSEN]

3 2025-01-06 09:38:59 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

The cookie pair is : 0xfc9cef460ae6c731 / 0x431ece11ac01c980

4 2025-01-06 09:38:59 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

ISAKMP SA [PayaStar] is disconnected

5 2025-01-06 09:38:59

notice system

Sending event/alert log to mail server has succeeded.

6 2025-01-06 09:40:28 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

The cookie pair is : 0x833e490ba2e3f3e9 / 0x0000000000000000 [count=3]

7 2025-01-06 09:40:28 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Tunnel [paya] Sending IKE request

8 2025-01-06 09:40:28 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Send Main Mode request to [203.117.54.202]

9 2025-01-06 09:40:28 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID]

10 2025-01-06 09:40:28 203.117.54.202:500 172.31.131.146:500

info ike IKE_LOG

The cookie pair is : 0xd59f8c3e0e76ea0d / 0x833e490ba2e3f3e9

11 2025-01-06 09:40:28 203.117.54.202:500 172.31.131.146:500

info ike IKE_LOG

Recv:[NOTIFY:NO_PROPOSAL_CHOSEN]

12 2025-01-06 09:40:28 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

The cookie pair is : 0x833e490ba2e3f3e9 / 0xd59f8c3e0e76ea0d

13 2025-01-06 09:40:28 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

ISAKMP SA [PayaStar] is disconnected

14 2025-01-06 09:41:54 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

The cookie pair is : 0xf5334550e670706c / 0x0000000000000000 [count=3]

15 2025-01-06 09:41:54 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Tunnel [paya] Sending IKE request

16 2025-01-06 09:41:54 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Send Main Mode request to [203.117.54.202]

17 2025-01-06 09:41:54 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID]

18 2025-01-06 09:41:54 203.117.54.202:500 172.31.131.146:500

info ike IKE_LOG

The cookie pair is : 0x6091423411ec1ba0 / 0xf5334550e670706c

19 2025-01-06 09:41:54 203.117.54.202:500 172.31.131.146:500

info ike IKE_LOG

Recv:[NOTIFY:NO_PROPOSAL_CHOSEN]

20 2025-01-06 09:41:54 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

The cookie pair is : 0xf5334550e670706c / 0x6091423411ec1ba0

21 2025-01-06 09:41:54 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

ISAKMP SA [PayaStar] is disconnected

22 2025-01-06 09:43:23 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

The cookie pair is : 0x12718d3919ea8059 / 0x0000000000000000 [count=3]

23 2025-01-06 09:43:23 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Tunnel [paya] Sending IKE request

24 2025-01-06 09:43:23 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Send Main Mode request to [203.117.54.202]

25 2025-01-06 09:43:23 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID]

26 2025-01-06 09:43:23 203.117.54.202:500 172.31.131.146:500

info ike IKE_LOG

The cookie pair is : 0x2eb204a84ea60393 / 0x12718d3919ea8059

27 2025-01-06 09:43:23 203.117.54.202:500 172.31.131.146:500

info ike IKE_LOG

Recv:[NOTIFY:NO_PROPOSAL_CHOSEN]

28 2025-01-06 09:43:23 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

The cookie pair is : 0x12718d3919ea8059 / 0x2eb204a84ea60393

29 2025-01-06 09:43:23 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

ISAKMP SA [PayaStar] is disconnected

30 2025-01-06 09:44:49 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

The cookie pair is : 0x7ff1e57d9b847c6a / 0x0000000000000000 [count=3]

31 2025-01-06 09:44:49 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Tunnel [paya] Sending IKE request

32 2025-01-06 09:44:49 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Send Main Mode request to [203.117.54.202]

33 2025-01-06 09:44:49 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID]

34 2025-01-06 09:44:49 203.117.54.202:500 172.31.131.146:500

info ike IKE_LOG

The cookie pair is : 0x69c5a0d61099cc51 / 0x7ff1e57d9b847c6a

35 2025-01-06 09:44:49 203.117.54.202:500 172.31.131.146:500

info ike IKE_LOG

Recv:[NOTIFY:NO_PROPOSAL_CHOSEN]

36 2025-01-06 09:44:49 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

The cookie pair is : 0x7ff1e57d9b847c6a / 0x69c5a0d61099cc51

37 2025-01-06 09:44:49 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

ISAKMP SA [PayaStar] is disconnected

38 2025-01-06 09:46:18 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

The cookie pair is : 0x21c03f42a060f531 / 0x0000000000000000 [count=3]

39 2025-01-06 09:46:18 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Tunnel [paya] Sending IKE request

40 2025-01-06 09:46:18 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Send Main Mode request to [203.117.54.202]

41 2025-01-06 09:46:18 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID]

42 2025-01-06 09:46:18 203.117.54.202:500 172.31.131.146:500

info ike IKE_LOG

The cookie pair is : 0x5ed2fefe9c44a539 / 0x21c03f42a060f531

43 2025-01-06 09:46:18 203.117.54.202:500 172.31.131.146:500

info ike IKE_LOG

Recv:[NOTIFY:NO_PROPOSAL_CHOSEN]

44 2025-01-06 09:46:18 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

The cookie pair is : 0x21c03f42a060f531 / 0x5ed2fefe9c44a539

45 2025-01-06 09:46:18 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

ISAKMP SA [PayaStar] is disconnected

46 2025-01-06 09:47:44 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

The cookie pair is : 0x84c470f485860481 / 0x0000000000000000 [count=3]

47 2025-01-06 09:47:44 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Tunnel [paya] Sending IKE request

48 2025-01-06 09:47:44 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Send Main Mode request to [203.117.54.202]

49 2025-01-06 09:47:44 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID]

50 2025-01-06 09:47:44 203.117.54.202:500 172.31.131.146:500

info ike IKE_LOG

The cookie pair is : 0x522f2f1530f77184 / 0x84c470f485860481

51 2025-01-06 09:47:44 203.117.54.202:500 172.31.131.146:500

info ike IKE_LOG

Recv:[NOTIFY:NO_PROPOSAL_CHOSEN]

52 2025-01-06 09:47:44 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

The cookie pair is : 0x84c470f485860481 / 0x522f2f1530f77184

53 2025-01-06 09:47:44 172.31.131.146:500 203.117.54.202:500

info ike IKE_LOG

ISAKMP SA [PayaStar] is disconnected

Zyxel_Melen · January 7

Hi @Fabio,

Please check:

What IP address did you set for the Security gateway on USG310?
Did you set port forwarding on the router which is USG20W's uplink device?

In addition, you may reference the configuration guide in handbook P74 How to Configure IPSec Site to Site VPN while one Site is behind a NAT router:

ATP800_ZLD5.31_Handbook.pdf

P.S. The concepts are the same

Fabio · January 7

I set the USG 310 for VPN with Dynamic peer because I cannot have a fixed IP on the USG20W. My network provider provides the NAT, which gives an internal address to my ZyXEL (CGNAT).
I cannot set the port forwarding on the NAT device.

Is it possible to have a VPN using those limits? I cannot change my internet provider.

Thank you for any suggestions.