IPSec VPN Site-to-Site behind router

Olympus (Posts: 1, Freshman Member)

Hello sir or madam, this is my problem. I have 3 buildings with 3 distinct types of connection:

  • [home]#A
    • Router#A FRITZ!Box 4040 (OS 08.03) connected to ONT
      • Router#1 - IP 192.168.198.60
      • DHCP server
      • Local Area Network 192.168.198.0/24
    • FTTH connection
  • [company]#B
    • Router#B FRITZ!Box 7560 (OS 07.30) connected to ONT
      • IP 192.168.199.70
      • No DHCP server because there is a domain controller
      • Local Network 192.168.199.0/24
    • FTTH connection with static Public IP
  • [house] #C
    • Router#C FRITZ!Box 6850LTE (OS 08.20) connected to LTE
      • IP 192.168.201.1
      • DHCP server
      • Local Network 192.168.201.0/24
    • LTE connection
    • Cascaded Zyxel USG FLEX 50H Firewall (uOS 1.37)
      • WAN side – IP 192.168.201.2 – Gateway 192.168.201.1
      • LAN side – IP 192.168.200.2 – Local Area Network 192.168.200.0/24

I would like to create 2 VPN tunnels, between #A↔B (Villa_Barbiano) and between #C↔B (Villa_Bizzuno). I have already made several attempts, even with my IT system engineer, but we are faced with some connection problems.

  • Tunnel Case #A↔B (Villa_Barbiano)
    • Router#B
      • Internet Interface → VPN → Permissions.
      • Add VPN connection.
      • Connect this FRITZ!Box with a corporate VPN.
      • Put all the settings referenced on the help page, including *.myfritz.net addresses.
      • Confirmed and then restarted the router.
    • Router#A
      • Internet → VPN → Enable (IPSec).
      • Add VPN connection.
      • Connect your local network with another FRITZ!Box (LAN-LAN pairing).
      • Put all the settings referenced on the help page, including *.myfritz.net addresses.
      • Confirmed and then restarted the router.

This tunnel seems OK and stable for now, so the 192.168.198.0/24 LAN network is accessible and scannable.

  • Tunnel Test Case #C↔B (Villa_Bizzuno_test)
    • Router#B
      • Internet Interface → VPN → Permissions.
      • Add VPN connection.
      • Connect this FRITZ!Box with a corporate VPN.
      • Put all the settings referenced on the help page, including *.myfritz.net addresses.
      • Confirmed and then restarted the router.
    • Router#C
      • Internet Interface → VPN → Enable (IPSec).
      • Add VPN connection.
      • Connect your local network with another FRITZ!Box (LAN-LAN pairing).
      • Put all the settings referenced on the help page, including *.myfritz.net addresses.
      • Confirmed and then restarted the router.

This tunnel seems OK and stable for now, so the 192.168.201.0/24 LAN network is accessible and scannable; I did this test in order to understand if the LTE operator hides the connection behind NAT. Obviously, the network 192.168.200.0/24 is not reachable (because it is in another mask, protected by the firewall); consequently, in order to connect the 2 LANs, the only way is that the VPN_IPSec tunnel takes place between Router#B and the Firewall, according to the site-to-site IPSec_VPN IKEv1 logic.

  • Tunnel Test Case #C↔B (Villa_Bizzuno)
    • Router#B
      • Internet Interface → VPN → Permissions.
      • Add VPN connection.
      • Connect this FRITZ!Box with a corporate VPN:
        • VPN username (Key-ID): yzaygo79jtldsmgy.myfritz.net
        • VPN (Preshared Key) Password: My Password
        • Remote Station Internet Address: yzaygo79jtldsmgy.myfritz.net
        • Internet address of this FRITZ!Box: 185.240.71.33
        • Remote Network: 192.168.200.0
        • Subnet Mask: 255.255.255.0
        • Maintain VPN connection constantly: Yes
        • Allow NetBIOS over this connection (for Microsoft Windows file shares and printers): Yes

Moving now to the firewall interface, I detail the custom settings of the device for the configuration of the VPN, using the Phase 1 and Phase 2 parameters "stolen from the Villa_Barbiano tunnel" and from the LAN-LAN VPN used as a test between the 7560 and the 6850LTE:

[VPN Villa_Barbiano tunnel / IKE SA: DH2 / AES-256 / SHA1 / IPsec SA: ESP-AES-256 / SHA2-512 / LT-3600]

[VPN tunnel Villa_Bizzuno_test / IKE SA: DH2 / AES-256 / SHA512 / IPsec SA: ESP-AES-256 / SHA2-512 / LT-3600]

  • General Setting:
    • Description: Villa
    • IKE Version: IKEv1
    • Type: Policy-based
  • Network
    • My Address: IP 192.168.201.2 (Firewall WAN side identifier)
    • Peer Gateway Address: 185.240.71.33 (Public IP of Router#B)
    • Fallback: OFF
    • Zones: IPSec_VPN
  • Authentication (Pre-Shared Key): My password
    • Advanced Setting:
      • Local ID: yzaygo79jtldsmgy.myfritz.net
        [VPN username (Key-ID) set on the 7560]
      • Remote ID: 185.240.71.33
  • Phase 1 Settings
    • SA Life Time: 28800
    • Proposal Encryption: AES256
    • Proposal Authentication: SHA1
    • Diffie-Hellman Groups: DH2
    • Advanced Setting:
      • DPD Delay: 5
      • UDP Encapsulation: ON
        (according to the technical literature, this is the setting necessary to force passage over port UDP 4500)
  • Phase 2 Settings
    • Initiation: Nailed-up
    • Policy:
      • Local LAN: 192.168.200.0/24
      • Remote LAN: 192.168.199.0/24
    • SA Life Time: 3600
    • Proposal Encryption: AES256
    • Proposal Authentication: SHA512
    • Perfect Forward Secrecy (PFS): OFF
    • Destination (the first Remote policy) and NAT Rule: OFF

Still from the technical literature (I don't know if official or not), it strongly advises us that:

  • in Router#C – FRITZ!Box 6850LTE (OS 08.20) – the "Firewall" device is enabled as an "Exposed Host" (setting done);
  • FRITZ!OS 08.20 does not handle this setting well, and it is recommended to enable the individual UDP 500 and UDP 4500 ports anyway (setting done);
  • it is necessary to disable the NetBIOS and Teredo filters of Router#C – FRITZ!Box 6850LTE (setup done);

This tunnel does NOT open, so I forward the following:

  • Router#B side:
    • the green VPN status light is off, and the LAN 192.168.200.0/24 is not accessible or scannable.
    • From the event log under the system menu, nothing interesting can be deduced.
  • Router Side#C:
    • From the event log under the system menu, nothing interesting can be deduced.
  • Firewall side cascading to Router#C
    • Export Attachment

I look forward to your consideration, thanks.

All Replies

  • Zyxel_Melen (Posts: 4,533, Zyxel Employee)

    Hi @Olympus

    1. From Router B log, I can't find any info for VPN connection Villa_Bizzuno.
    2. From Router C log, I can find the USG FLEX H tried to connect VPN, but there's no response from site B.

    Therefore, it seems like the site C FRITZ!Box didn't allow and set a NAT rule for the VPN protocols. Please ensure these are allowed and a NAT rule is set on your site C FRITZ!Box:

    • UDP port 500 (ISAKMP)
    • UDP port 4500 (NAT traversal)
    • ESP ("Encapsulated Security Payload", IP protocol number 50)

    Hope this helps.

    Zyxel Melen
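As an added example, not code from the thread, from Zyxel or from AVM: a small Python helper that applies the reasoning in the reply above (IKE attempts logged on the initiator side, the firewall behind Router#C, but nothing about that tunnel logged on the responder side, Router#B) to constructed log lines, and lists which of the three items named in the reply are still missing from the NAT router in front of the firewall. The log line formats, the timestamps and the tunnel names passed in are assumptions; the peer address 185.240.71.33, the tunnel names Villa / Villa_Bizzuno / Villa_Barbiano and the port/protocol list come from the thread.

```python
import re
from collections import Counter

# What an IPsec endpoint behind a NAT router needs that router to allow/forward
# (the three items named in the reply above).
REQUIRED_ON_NAT_ROUTER = {
    "udp/500": "ISAKMP / IKE",
    "udp/4500": "NAT traversal (IKE and ESP encapsulated in UDP)",
    "proto/50": "ESP (used when NAT-T is not negotiated)",
}

# Constructed sample logs in an assumed format (not real FRITZ!Box or USG FLEX output).
# Initiator: the USG FLEX 50H behind Router#C. Responder: Router#B at 185.240.71.33.
INITIATOR_LOG = """\
2024-05-01 10:00:01 ike: [Villa] sending Main Mode message 1 to 185.240.71.33:500
2024-05-01 10:00:06 ike: [Villa] retransmit Main Mode message 1 to 185.240.71.33:500
2024-05-01 10:00:11 ike: [Villa] retransmit Main Mode message 1 to 185.240.71.33:500
2024-05-01 10:00:16 ike: [Villa] phase 1 timeout, peer 185.240.71.33 did not respond
"""
RESPONDER_LOG = """\
2024-05-01 09:59:50 vpn: Villa_Barbiano connection established (NAT-T)
2024-05-01 10:00:20 system: time synchronised
"""

IKE_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) ike: \[(?P<tunnel>[^\]]+)\] "
    r"(?P<event>sending|retransmit|phase 1 timeout)"
)


def parse_initiator_attempts(log, tunnel):
    """Count phase-1 sends, retransmits and timeouts for one tunnel name."""
    counts = Counter()
    for line in log.splitlines():
        m = IKE_LINE.match(line)
        if m and m.group("tunnel") == tunnel:
            counts[m.group("event")] += 1
    return counts


def responder_mentions(log, tunnel):
    """Number of responder log lines that refer to the tunnel at all."""
    return sum(1 for line in log.splitlines() if tunnel in line)


def missing_nat_rules(configured):
    """configured: set of 'udp/500'-style keys the NAT router already forwards."""
    return [key for key in REQUIRED_ON_NAT_ROUTER if key not in configured]


def diagnose(initiator_log, responder_log, initiator_tunnel, responder_tunnel, configured):
    """Classify a tunnel that will not come up, following the reply's reasoning."""
    attempts = parse_initiator_attempts(initiator_log, initiator_tunnel)
    sent = attempts["sending"] + attempts["retransmit"]
    seen = responder_mentions(responder_log, responder_tunnel)
    result = {"sent": sent, "timeouts": attempts["phase 1 timeout"], "responder_lines": seen}
    if sent == 0:
        # Nothing left the firewall: check its own policy and initiation mode first.
        result["verdict"] = "initiator_idle"
    elif seen == 0:
        # Packets left site C but site B never logged them: a path/NAT problem in between.
        result["verdict"] = "responder_silent"
        result["missing_nat_rules"] = missing_nat_rules(configured)
    else:
        # Both sides exchanged something: look at proposals, IDs and the PSK instead.
        result["verdict"] = "responder_saw_attempts"
    return result


if __name__ == "__main__":
    # Assume only UDP 500 has been forwarded so far on the NAT router (constructed state).
    report = diagnose(INITIATOR_LOG, RESPONDER_LOG, "Villa", "Villa_Bizzuno", {"udp/500"})
    print(report)
    for key in report.get("missing_nat_rules", []):
        print(f"  still to allow/forward: {key} ({REQUIRED_ON_NAT_ROUTER[key]})")
```

The split into "initiator_idle", "responder_silent" and "responder_saw_attempts" matters because each points at a different place to look: the firewall's own VPN policy, the NAT device in front of it, or the IKE parameters on the two peers. Only in the middle case is a port/protocol list on the NAT router the right thing to check.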