IPSec Tunnel: info about remote endpoint

mMontana
mMontana Posts: 1,380  Guru Member
50 Answers 1000 Comments Friend Collector Fifth Anniversary
edited April 2021 in Security

USG60 is connected via IPSec to other Firewalls: 2 old USG20, 1 USG40, 1 USG20-VPN.

With newer device AND IKEv1 tunnel i were able to read info about remote endpoint.

Now USG40 use 2 IKEv2 tunnels (one for LAN1, one for LAN2 which is on a different subnet), but info of the remote endpoint (hostname, serial number) is not readable anymore from VPN Status, just like IKEv1 tunnels to USG20.

It's just cosmetic, and it worked when there was only 1 IKEv1 tunnel between USG60 and USG40. Now not anymore.

«1

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,385  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @mMontana,

    Build two IKEv2 tunnels between USG40 and USG60.

    The serial number and system name are shown on the VPN monitor.

    Build one IKEv1 tunnel between USG40 and USG60.

    The serial number and system name are shown on the VPN monitor.

    Could you share the screen shot of the problem with us?

  • mMontana
    mMontana Posts: 1,380  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary

    Here you are

    Into blue square two tunnels to USG40, with IKEv2 gateway. Into green square, the tunnel to USG20-VPN. Other Ones are USG20 tunnels.


  • alexey
    alexey Posts: 188  Master Member
    First Comment Friend Collector Fifth Anniversary

    Hi. Same issue.

    After long time info about remote point are missing.

    This from 1 site connected by 2 vti in 1 trunk.

    USG20W-vpn & USG1100.

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,385  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @mMontana, @alexey,

    Thanks for reporting. 

    It is confirmed as an issue after rekey.

    We are working on fixing it and the fix will be merged to the next firmware.

    I will send the firmware to you for verification after the issue is fixed.

  • mMontana
    mMontana Posts: 1,380  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary

    On which side shoud be applied?

    Both?

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,385  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @mMontana,

    Yes, the date firmware should be applied to both sides.

    I will send the firmware to you for verification after the issue is fixed.

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,385  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @mMontana @alexey,

    The firmware is sent to you in private message.

  • mMontana
    mMontana Posts: 1,380  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary

    I'll try to update and test during late december. This is just cosmetic issue currently.

  • alexey
    alexey Posts: 188  Master Member
    First Comment Friend Collector Fifth Anniversary

    On test V4.35(AAPK.0)ITS-WK46-r90773 all was good. After update to

    V4.35(AAPK.3) info about remote peer start missing again.

  • warwickt
    warwickt Posts: 111  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary

    Hi Zyxel_Emily alexey and mMontana FWIW, on our USG routers at V4.35 (xxx) we can confirm using cli show sa monitor command...

    • IKEv2 IPSEC Client-to-Site and IPSEC IKEv1 L2TP clients- DO NOT SHOW Serial numbers and HOST names of USG appliances.
    • However out Site-Site VTI DO show serial numbers and USG HOST names

    Using the show sa monitor command - works great

    Router> show sa monitor
    

    HTH

    Warwick

    Hong kong

Security Highlight