Site to site with real Certificates on CGNAT
Guru Member
USG FLEX 200H V1.35(ABWV.0)
So yes any NAT is bad but there is something not right with FLEX H with real Certificates that works fine on old models.
Here is what works under IKEv2
VPN300 has link to mobile broadband by FWA510
it is nailed up to going to dnsip.no-ip.org
Certificate zyxel-router5.ddns.net
on the other end this connects too is a FLEX200 (non H) to my main internet
set to Dynamic Peer
Certificate zyxel-router6.ddns.net
both Certificates are under Vitalwerks Internet Solutions under DigiCert Global Root G2 which you must import to Trusted Certificates both sides
The above works.
Next I have FLEX 200 H have WAN 3 192.168.254.10
set to Dynamic Address
Certificate zyxel-router7.ddns.net
Responder Only
the other end USG60W LAN2 192.168.254.9
it is nailed up to going to 192.168.254.10
Certificate zyxel-router4.ddns.net
Now on zyxel-router4.ddns.net is Vitalwerks Internet Solutions under DigiCert Global Root G2 which you must import to FLEX H the other zyxel-router7.ddns.net is by ZeroSSL RSA Domain Secure Site under USERTrust RSA Certification Authority that needs to be imported to USG60W
And that works too!
But here is what don't work
VPN300 has link to mobile broadband by FWA510
it is nailed up to going to dnsip.no-ip.org
Certificate zyxel-router5.ddns.net
on the other end this connects too FLEX200 H to my main internet
set to Dynamic Peer
Certificate zyxel-router7.ddns.net
one side zyxel-router5.ddns.net is Vitalwerks Internet Solutions under DigiCert Global Root G2 which you must import to FLEX H the other zyxel-router7.ddns.net is by ZeroSSL RSA Domain Secure Site under USERTrust RSA Certification Authority that needs to be imported to VPN300
This fails and I have no idea why unless FLEX H is checking the IP is on a 10. IP but sees a 31. IP and fails it?
Can this be looked into thanks
Accepted Solution
-
So turns out it was the way I did something in my setup that causes this and so Fragments were being dropped by another firewall.🙄
0
All Replies
-
Hi @PeterUK
Let me draw a topology for the issue case:
FLEX H —— Internet —— ISP —— CGNAT —— FWA510 —— VPN300
Could you help to collect the event log on FLEX H and VPN300 for us to start the investigation? Also, please share the VPN configuration on both device with us.
Zyxel Melen0 -
Hi Melen
so yes that a topology as basic with the VPN300 doing the connecting out
here is the log from VPN300
2
2025-08-01 10:31:26
info
IKE
[AUTH] Send:[IDi][CERT][CERTREQ][AUTH][SAi2][TSi][TSr][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
10.57.3.204:4500
92.239.74.xx:4500
IKE_LOG
3
2025-08-01 10:31:26
info
IKE
The cookie pair is : 0x840d57f232fe4f37 / 0x5f1279161856ebce
10.57.3.204:4500
92.239.74.xx:4500
IKE_LOG
4
2025-08-01 10:31:25
info
IKE
[INIT] Recv:[SA][KE][NONCE][NOTIFY][NOTIFY][CERTREQ][NOTIFY][NOTIFY][VID][VID]
92.239.74.xx:500
10.57.3.204:500
IKE_LOG
5
2025-08-01 10:31:25
info
IKE
The cookie pair is : 0x5f1279161856ebce / 0x840d57f232fe4f37
92.239.74.xx:500
10.57.3.204:500
IKE_LOG
6
2025-08-01 10:31:25
info
IKE
[INIT] Send:[SAi1][KE][NONCE][NOTIFY][NOTIFY][VID][VID][VID][VID][VID]
10.57.3.204:500
92.239.74.xx:500
IKE_LOG
7
2025-08-01 10:31:25
info
IKE
Tunnel[test_flex200H_5G:test_flex200H_5G] Send IKEv2 request
10.57.3.204:500
92.239.74.xx:500
IKE_LOG
8
2025-08-01 10:31:25
info
IKE
The cookie pair is : 0x840d57f232fe4f37 / 0x0000000000000000 [count=2]
10.57.3.204:500
92.239.74.xx:500
IKE_LOG
9
2025-08-01 10:31:25
info
IKE
The tunnel [test_flex200H_5G] dns is updated successfully
IKE_LOG
13
2025-08-01 10:31:21
info
IKE
IKE SA [test_flex200H_5G] is disconnected
10.57.3.204:4500
92.239.74.xx:4500
IKE_LOG
14
2025-08-01 10:31:21
info
IKE
The cookie pair is : 0x764bf5e7b44f6c76 / 0x333a24c3444f1535
10.57.3.204:4500
92.239.74.xx:4500
IKE_LOG
19
2025-08-01 10:30:24
info
IKE
[AUTH] Send:[IDi][CERT][CERTREQ][AUTH][SAi2][TSi][TSr][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
10.57.3.204:4500
92.239.74.xx:4500
IKE_LOG
20
2025-08-01 10:30:24
info
IKE
The cookie pair is : 0x764bf5e7b44f6c76 / 0x333a24c3444f1535
10.57.3.204:4500
92.239.74.xx:4500
IKE_LOG
21
2025-08-01 10:30:24
info
IKE
[INIT] Recv:[SA][KE][NONCE][NOTIFY][NOTIFY][CERTREQ][NOTIFY][NOTIFY][VID][VID]
92.239.74.xx:500
10.57.3.204:500
IKE_LOG
22
2025-08-01 10:30:24
info
IKE
The cookie pair is : 0x333a24c3444f1535 / 0x764bf5e7b44f6c76
92.239.74.xx:500
10.57.3.204:500
IKE_LOG
23
2025-08-01 10:30:24
info
IKE
[INIT] Send:[SAi1][KE][NONCE][NOTIFY][NOTIFY][VID][VID][VID][VID][VID]
10.57.3.204:500
92.239.74.xx:500
IKE_LOG
24
2025-08-01 10:30:24
info
IKE
Tunnel[test_flex200H_5G:test_flex200H_5G] Send IKEv2 request
10.57.3.204:500
92.239.74.xx:500
IKE_LOG
25
2025-08-01 10:30:24
info
IKE
The cookie pair is : 0x764bf5e7b44f6c76 / 0x0000000000000000 [count=2]
10.57.3.204:500
92.239.74.xx:500
IKE_LOG
26
2025-08-01 10:30:24
info
IKE
The tunnel [test_flex200H_5G] dns is updated successfully
IKE_LOG0 -
So turns out it was the way I did something in my setup that causes this and so Fragments were being dropped by another firewall.🙄
0
Zyxel Employee
Categories
- All Categories
- 438 Beta Program
- 2.7K Nebula
- 188 Nebula Ideas
- 121 Nebula Status and Incidents
- 6.2K Security
- 454 USG FLEX H Series
- 303 Security Ideas
- 1.6K Switch
- 81 Switch Ideas
- 1.3K Wireless
- 44 Wireless Ideas
- 6.8K Consumer Product
- 278 Service & License
- 435 News and Release
- 88 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 4.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 91 Security Highlight
