Site to site with real Certificates on CGNAT

PeterUK Posts: 3,910  Guru Member

USG FLEX 200H V1.35(ABWV.0)

So yes, any NAT is bad, but there is something not right with FLEX H with real certificates that works fine on old models.

Here is what works under IKEv2:
VPN300 has a link to mobile broadband by FWA510
it is nailed up, going to dnsip.no-ip.org
Certificate zyxel-router5.ddns.net
on the other end this connects to a FLEX200 (non-H) on my main internet
set to Dynamic Peer
Certificate zyxel-router6.ddns.net

Both certificates are issued by Vitalwerks Internet Solutions under DigiCert Global Root G2, which you must import into Trusted Certificates on both sides.

The above works.

Next, I have a FLEX 200H with WAN 3 192.168.254.10
set to Dynamic Address
Certificate zyxel-router7.ddns.net
Responder Only
the other end is a USG60W, LAN2 192.168.254.9
it is nailed up, going to 192.168.254.10
Certificate zyxel-router4.ddns.net

Now, zyxel-router4.ddns.net is issued by Vitalwerks Internet Solutions under DigiCert Global Root G2, which you must import into the FLEX H; the other, zyxel-router7.ddns.net, is issued by ZeroSSL RSA Domain Secure Site under USERTrust RSA Certification Authority, which needs to be imported into the USG60W.

And that works too!

But here is what doesn't work:

VPN300 has a link to mobile broadband by FWA510
it is nailed up, going to dnsip.no-ip.org
Certificate zyxel-router5.ddns.net
on the other end this connects to a FLEX200 H on my main internet
set to Dynamic Peer
Certificate zyxel-router7.ddns.net

One side, zyxel-router5.ddns.net, is issued by Vitalwerks Internet Solutions under DigiCert Global Root G2, which you must import into the FLEX H; the other, zyxel-router7.ddns.net, is issued by ZeroSSL RSA Domain Secure Site under USERTrust RSA Certification Authority, which needs to be imported into the VPN300.

This fails, and I have no idea why, unless FLEX H is checking that the IP is a 10. IP but sees a 31. IP and fails it?

Can this be looked into? Thanks.

All Replies

  • Zyxel_Melen Posts: 3,567  Zyxel Employee

    Hi @PeterUK

    Let me draw a topology for the issue case:

    FLEX H —— Internet —— ISP —— CGNAT —— FWA510 —— VPN300

    Could you help collect the event log on the FLEX H and the VPN300 for us to start the investigation? Also, please share the VPN configuration on both devices with us.

    Zyxel Melen


  • PeterUK Posts: 3,910  Guru Member

    Hi Melen,

    So yes, that is basically the topology, with the VPN300 doing the connecting out.

    Here is the log from the VPN300:

    #  | Time                | Priority | Category | Message | Source | Destination | Note
    2  | 2025-08-01 10:31:26 | info | IKE | [AUTH] Send:[IDi][CERT][CERTREQ][AUTH][SAi2][TSi][TSr][NOTIFY][NOTIFY][NOTIFY][NOTIFY] | 10.57.3.204:4500 | 92.239.74.xx:4500 | IKE_LOG
    3  | 2025-08-01 10:31:26 | info | IKE | The cookie pair is : 0x840d57f232fe4f37 / 0x5f1279161856ebce | 10.57.3.204:4500 | 92.239.74.xx:4500 | IKE_LOG
    4  | 2025-08-01 10:31:25 | info | IKE | [INIT] Recv:[SA][KE][NONCE][NOTIFY][NOTIFY][CERTREQ][NOTIFY][NOTIFY][VID][VID] | 92.239.74.xx:500 | 10.57.3.204:500 | IKE_LOG
    5  | 2025-08-01 10:31:25 | info | IKE | The cookie pair is : 0x5f1279161856ebce / 0x840d57f232fe4f37 | 92.239.74.xx:500 | 10.57.3.204:500 | IKE_LOG
    6  | 2025-08-01 10:31:25 | info | IKE | [INIT] Send:[SAi1][KE][NONCE][NOTIFY][NOTIFY][VID][VID][VID][VID][VID] | 10.57.3.204:500 | 92.239.74.xx:500 | IKE_LOG
    7  | 2025-08-01 10:31:25 | info | IKE | Tunnel[test_flex200H_5G:test_flex200H_5G] Send IKEv2 request | 10.57.3.204:500 | 92.239.74.xx:500 | IKE_LOG
    8  | 2025-08-01 10:31:25 | info | IKE | The cookie pair is : 0x840d57f232fe4f37 / 0x0000000000000000 [count=2] | 10.57.3.204:500 | 92.239.74.xx:500 | IKE_LOG
    9  | 2025-08-01 10:31:25 | info | IKE | The tunnel [test_flex200H_5G] dns is updated successfully | - | - | IKE_LOG
    13 | 2025-08-01 10:31:21 | info | IKE | IKE SA [test_flex200H_5G] is disconnected | 10.57.3.204:4500 | 92.239.74.xx:4500 | IKE_LOG
    14 | 2025-08-01 10:31:21 | info | IKE | The cookie pair is : 0x764bf5e7b44f6c76 / 0x333a24c3444f1535 | 10.57.3.204:4500 | 92.239.74.xx:4500 | IKE_LOG
    19 | 2025-08-01 10:30:24 | info | IKE | [AUTH] Send:[IDi][CERT][CERTREQ][AUTH][SAi2][TSi][TSr][NOTIFY][NOTIFY][NOTIFY][NOTIFY] | 10.57.3.204:4500 | 92.239.74.xx:4500 | IKE_LOG
    20 | 2025-08-01 10:30:24 | info | IKE | The cookie pair is : 0x764bf5e7b44f6c76 / 0x333a24c3444f1535 | 10.57.3.204:4500 | 92.239.74.xx:4500 | IKE_LOG
    21 | 2025-08-01 10:30:24 | info | IKE | [INIT] Recv:[SA][KE][NONCE][NOTIFY][NOTIFY][CERTREQ][NOTIFY][NOTIFY][VID][VID] | 92.239.74.xx:500 | 10.57.3.204:500 | IKE_LOG
    22 | 2025-08-01 10:30:24 | info | IKE | The cookie pair is : 0x333a24c3444f1535 / 0x764bf5e7b44f6c76 | 92.239.74.xx:500 | 10.57.3.204:500 | IKE_LOG
    23 | 2025-08-01 10:30:24 | info | IKE | [INIT] Send:[SAi1][KE][NONCE][NOTIFY][NOTIFY][VID][VID][VID][VID][VID] | 10.57.3.204:500 | 92.239.74.xx:500 | IKE_LOG
    24 | 2025-08-01 10:30:24 | info | IKE | Tunnel[test_flex200H_5G:test_flex200H_5G] Send IKEv2 request | 10.57.3.204:500 | 92.239.74.xx:500 | IKE_LOG
    25 | 2025-08-01 10:30:24 | info | IKE | The cookie pair is : 0x764bf5e7b44f6c76 / 0x0000000000000000 [count=2] | 10.57.3.204:500 | 92.239.74.xx:500 | IKE_LOG
    26 | 2025-08-01 10:30:24 | info | IKE | The tunnel [test_flex200H_5G] dns is updated successfully | - | - | IKE_LOG
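Reading the VPN300 log above bottom-up (the device lists the newest entry first), both attempts, cookie pairs 0x764bf5e7b44f6c76/... and 0x840d57f232fe4f37/..., show the same shape: IKE_SA_INIT goes out on UDP 500, the responder's IKE_SA_INIT comes back, the VPN300 floats to UDP 4500 (NAT detected) and sends IKE_AUTH carrying its certificate, and then nothing more is logged until the SA is torn down about a minute later. IKE_AUTH is the first encrypted exchange, so from the initiator's side a responder that rejects the certificate chain or the identity may answer with an AUTHENTICATION_FAILED notify or may simply go quiet; the same silence also appears when the large, fragmented IKE_AUTH packet does not get through a NAT on UDP 4500. Either way the FLEX H side log decides it. The script below is an added example, not Zyxel's code and not from the thread: it parses entries in the column layout of the log above (assumed here to be one entry per line with '|'-separated fields, a sample constructed from the posted VPN300 entries) and reports how far each IKE SA attempt got.

```python
"""Triage Zyxel IKEv2 event-log entries: how far did each IKE SA attempt get?
Added example, not Zyxel code. Assumed input: one entry per line with the
log's columns, '|'-separated:  #|time|priority|category|message|source|destination|note
"""
import re
from dataclasses import dataclass

# Constructed sample: the VPN300 entries posted above, newest first as displayed.
SAMPLE_LOG = """\
2|2025-08-01 10:31:26|info|IKE|[AUTH] Send:[IDi][CERT][CERTREQ][AUTH][SAi2][TSi][TSr][NOTIFY][NOTIFY][NOTIFY][NOTIFY]|10.57.3.204:4500|92.239.74.xx:4500|IKE_LOG
3|2025-08-01 10:31:26|info|IKE|The cookie pair is : 0x840d57f232fe4f37 / 0x5f1279161856ebce|10.57.3.204:4500|92.239.74.xx:4500|IKE_LOG
4|2025-08-01 10:31:25|info|IKE|[INIT] Recv:[SA][KE][NONCE][NOTIFY][NOTIFY][CERTREQ][NOTIFY][NOTIFY][VID][VID]|92.239.74.xx:500|10.57.3.204:500|IKE_LOG
5|2025-08-01 10:31:25|info|IKE|The cookie pair is : 0x5f1279161856ebce / 0x840d57f232fe4f37|92.239.74.xx:500|10.57.3.204:500|IKE_LOG
6|2025-08-01 10:31:25|info|IKE|[INIT] Send:[SAi1][KE][NONCE][NOTIFY][NOTIFY][VID][VID][VID][VID][VID]|10.57.3.204:500|92.239.74.xx:500|IKE_LOG
7|2025-08-01 10:31:25|info|IKE|Tunnel[test_flex200H_5G:test_flex200H_5G] Send IKEv2 request|10.57.3.204:500|92.239.74.xx:500|IKE_LOG
8|2025-08-01 10:31:25|info|IKE|The cookie pair is : 0x840d57f232fe4f37 / 0x0000000000000000 [count=2]|10.57.3.204:500|92.239.74.xx:500|IKE_LOG
9|2025-08-01 10:31:25|info|IKE|The tunnel [test_flex200H_5G] dns is updated successfully|||IKE_LOG
13|2025-08-01 10:31:21|info|IKE|IKE SA [test_flex200H_5G] is disconnected|10.57.3.204:4500|92.239.74.xx:4500|IKE_LOG
14|2025-08-01 10:31:21|info|IKE|The cookie pair is : 0x764bf5e7b44f6c76 / 0x333a24c3444f1535|10.57.3.204:4500|92.239.74.xx:4500|IKE_LOG
19|2025-08-01 10:30:24|info|IKE|[AUTH] Send:[IDi][CERT][CERTREQ][AUTH][SAi2][TSi][TSr][NOTIFY][NOTIFY][NOTIFY][NOTIFY]|10.57.3.204:4500|92.239.74.xx:4500|IKE_LOG
20|2025-08-01 10:30:24|info|IKE|The cookie pair is : 0x764bf5e7b44f6c76 / 0x333a24c3444f1535|10.57.3.204:4500|92.239.74.xx:4500|IKE_LOG
21|2025-08-01 10:30:24|info|IKE|[INIT] Recv:[SA][KE][NONCE][NOTIFY][NOTIFY][CERTREQ][NOTIFY][NOTIFY][VID][VID]|92.239.74.xx:500|10.57.3.204:500|IKE_LOG
22|2025-08-01 10:30:24|info|IKE|The cookie pair is : 0x333a24c3444f1535 / 0x764bf5e7b44f6c76|92.239.74.xx:500|10.57.3.204:500|IKE_LOG
23|2025-08-01 10:30:24|info|IKE|[INIT] Send:[SAi1][KE][NONCE][NOTIFY][NOTIFY][VID][VID][VID][VID][VID]|10.57.3.204:500|92.239.74.xx:500|IKE_LOG
24|2025-08-01 10:30:24|info|IKE|Tunnel[test_flex200H_5G:test_flex200H_5G] Send IKEv2 request|10.57.3.204:500|92.239.74.xx:500|IKE_LOG
25|2025-08-01 10:30:24|info|IKE|The cookie pair is : 0x764bf5e7b44f6c76 / 0x0000000000000000 [count=2]|10.57.3.204:500|92.239.74.xx:500|IKE_LOG
26|2025-08-01 10:30:24|info|IKE|The tunnel [test_flex200H_5G] dns is updated successfully|||IKE_LOG
"""

# Constructed counter-example (hypothetical payload list): the responder does answer IKE_AUTH.
SAMPLE_LOG_OK = """\
1|2025-08-01 11:00:01|info|IKE|[AUTH] Recv:[IDr][CERT][AUTH][SAr2][TSi][TSr]|92.239.74.xx:4500|10.57.3.204:4500|IKE_LOG
2|2025-08-01 11:00:01|info|IKE|The cookie pair is : 0x5f1279161856ebce / 0x840d57f232fe4f37|92.239.74.xx:4500|10.57.3.204:4500|IKE_LOG
3|2025-08-01 11:00:00|info|IKE|[AUTH] Send:[IDi][CERT][AUTH][SAi2][TSi][TSr]|10.57.3.204:4500|92.239.74.xx:4500|IKE_LOG
4|2025-08-01 11:00:00|info|IKE|The cookie pair is : 0x840d57f232fe4f37 / 0x5f1279161856ebce|10.57.3.204:4500|92.239.74.xx:4500|IKE_LOG
"""

COOKIE_RE = re.compile(r"The cookie pair is : (0x[0-9a-f]+) / (0x[0-9a-f]+)")


@dataclass
class Attempt:
    local_spi: str          # this device's IKE SPI ("cookie") for the attempt
    first_seen: str = ""
    last_seen: str = ""
    init_sent: bool = False
    init_recv: bool = False
    auth_sent: bool = False
    auth_recv: bool = False
    disconnected: bool = False
    nat_t: bool = False     # UDP 4500 seen: NAT was detected during IKE_SA_INIT

    def verdict(self) -> str:
        if self.auth_recv:
            return "IKE_AUTH answered: look at CHILD_SA / traffic-selector errors instead"
        if self.auth_sent:
            return ("stalled after IKE_AUTH request: no reply logged. Check the responder's log "
                    "for certificate/ID rejection, and that large IKE_AUTH packets reach it on UDP 4500")
        if self.init_sent:
            return "no IKE_SA_INIT reply: UDP 500 blocked or peer not listening"
        return "no handshake activity"


def parse(text):
    """Return (num, time, message, source, destination) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            num, when, _prio, _cat, msg, src, dst, _note = line.split("|", 7)
            rows.append((int(num), when, msg, src, dst))
    return sorted(rows, key=lambda r: -r[0])   # display order is newest-first


def triage(text):
    """Group entries per IKE SA (keyed by our own SPI) and record the phase reached."""
    rows = parse(text)
    local_ips = {src.rsplit(":", 1)[0] for _, _, msg, src, _ in rows if "Send" in msg and src}
    attempts, pending = {}, None
    for _num, when, msg, src, dst in rows:
        m = COOKIE_RE.search(msg)
        if m:                       # a cookie line precedes the message it belongs to
            pending = (m.group(1), m.group(2))
            continue
        if pending is None or not src:
            continue                # e.g. "dns is updated": no SA context
        src_ip, src_port = src.rsplit(":", 1)
        # The device prints the packet source's SPI first, so pick ours by direction.
        spi = pending[0] if src_ip in local_ips else pending[1]
        a = attempts.setdefault(spi, Attempt(spi, first_seen=when))
        a.last_seen = when
        a.nat_t |= src_port == "4500" or dst.endswith(":4500")
        if msg.startswith("[INIT] Send"):
            a.init_sent = True
        elif msg.startswith("[INIT] Recv"):
            a.init_recv = True
        elif msg.startswith("[AUTH] Send"):
            a.auth_sent = True
        elif msg.startswith("[AUTH] Recv"):
            a.auth_recv = True
        elif "is disconnected" in msg:
            a.disconnected = True
    return attempts
```

Run against the posted entries, both attempts come out as "stalled after IKE_AUTH request", with the first one torn down 57 seconds after its IKE_AUTH went out and no IKE_AUTH received in between; the constructed SAMPLE_LOG_OK shows the verdict flipping once an [AUTH] Recv line appears. The script keys on the VPN300's own SPI because the Zyxel log prints the packet source's cookie first, so the pair is written in opposite order on Send and Recv lines.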