VPN Between ZyWall 110 and Fritzbox7590
Hi all!
I have been trying to get a VPN connection between a ZyWall 110 and a Fritzbox 7590 for several days, without success...
The ZyWall has a fixed WAN IP address (87.191.xxx.xxx) and a LAN1 subnet 192.168.177.0, normal IPv4 VDSL.
The Fritzbox has a dynamic IP address, a dyndns hostname is available, the LAN subnet is 192.168.178.0, normal IPv4 VDSL.
I want to create a site-to-site VPN with Dynamic Peer, so first I create a VPN Gateway on the ZyWall:
Then I create the VPN Connection:
Local Policy: "Lan1 subnet" has not brought any better results either.
Then I created the VPN configuration on the Fritzbox (with the wizard: "Connect to a company network"). I have a screenshot and a config file from the connection:
{
    enabled = yes;
    editable = yes;
    conn_type = conntype_out;
    name = "MyVPNConnectionName";
    boxuser_id = 0;
    always_renew = no;
    reject_not_encrypted = no;
    dont_filter_netbios = no;
    localip = 0.0.0.0;
    local_virtualip = 0.0.0.0;
    remoteip = 87.191.XXX.XXX;
    remote_virtualip = 0.0.0.0;
    keepalive_ip = 192.168.177.1;
    localid {
        key_id = "MyID";
    }
    mode = phase1_mode_aggressive;
    phase1ss = "all/all/all";
    keytype = connkeytype_pre_shared;
    key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
    cert_do_server_auth = no;
    use_nat_t = yes;
    use_xauth = no;
    use_cfgmode = yes;
    phase2localid {
        ipnet {
            ipaddr = 0.0.0.0;
            mask = 0.0.0.0;
        }
    }
    phase2remoteid {
        ipnet {
            ipaddr = 0.0.0.0;
            mask = 0.0.0.0;
        }
    }
    phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
    accesslist = "permit ip any 192.168.177.0 255.255.255.0";
    app_id = 0;
}
With these settings the connection will not be established.
Log from ZyWall:
1 2020-03-08 10:39:13 info IKE SAKMP SA [_Side-To_Side_GW] is disconnected 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
2 2020-03-08 10:39:13 info IKE Send:[HASH][DEL] [count=3] 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
3 2020-03-08 10:39:13 info IKE The cookie pair is : 0xc772122564142f56 / 0x2900f3797d042a8a [count=4] 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
4 2020-03-08 10:38:46 notice Security Policy Control Match default rule, DROP 195.54.166.xxx:58557 87.191.xxx.xxx:37348 ACCESS BLOCK
5 2020-03-08 10:38:44 info IKE Send:[HASH] 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
6 2020-03-08 10:38:44 info IKE Recv:[HASH][ATTR] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
7 2020-03-08 10:38:44 info IKE Phase 1 IKE SA process done 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
8 2020-03-08 10:38:44 info IKE Recv:[HASH][PRV][PRV][NOTIFY:INITIAL_CONTACT] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
9 2020-03-08 10:38:44 info IKE Send:[SA][KE][NONCE][ID][HASH][VID][VID][VID][VID][VID][VID][VID][VID][PRV][PRV] 87.191.xxx.xxx:500 87.187.xxx.xxx:50 IKE_LOG
10 2020-03-08 10:38:44 info IKE The cookie pair is : 0xc772122564142f56 / 0x2900f3797d042a8a [count=3] 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
11 2020-03-08 10:38:43 info IKE Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA512 PRF, HMAC-SHA512-256, 1024 bit MODP, HMAC-SHA1 PRF, HMAC-SHA1-96, AES CBC key len = 192, AES CBC, 3DES, DES, HMAC-MD5 PRF, HMAC-MD5-96; ). 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
12 2020-03-08 10:38:43 info IKE Recv:[SA][KE][NONCE][ID][VID][VID][VID][VID][VID][VID] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
13 2020-03-08 10:38:43 info IKE The cookie pair is : 0x2900f3797d042a8a / 0xc772122564142f56 [count=3] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
14 2020-03-08 10:38:43 info IKE Recv Aggressive Mode request from [87.187.xxx.xxx]
On the Fritzbox I see only:
VPN-Fehler: spa firmenlan, IKE-Error 0x203d
0x203d means: "phase 1 sa removed during negotiation"
Does anybody have an idea what it could be?
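Added example, not part of the original post: a small Python script that puts the ZyWall log rows above into chronological order and reports how far the IKEv1 negotiation got before the SA was deleted. The names `analyse` and `SAMPLE_LOG` are made up for this illustration, the sample is an excerpt of the rows quoted in the post, and reading `[ATTR]` as a Mode Config message is an assumption based on `use_cfgmode = yes` in the posted config.

```python
import re
from datetime import datetime

# Excerpt of the ZyWall log rows from the post (newest first, as displayed).
SAMPLE_LOG = """\
1 2020-03-08 10:39:13 info IKE SAKMP SA [_Side-To_Side_GW] is disconnected 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
2 2020-03-08 10:39:13 info IKE Send:[HASH][DEL] [count=3] 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
5 2020-03-08 10:38:44 info IKE Send:[HASH] 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
6 2020-03-08 10:38:44 info IKE Recv:[HASH][ATTR] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
7 2020-03-08 10:38:44 info IKE Phase 1 IKE SA process done 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
8 2020-03-08 10:38:44 info IKE Recv:[HASH][PRV][PRV][NOTIFY:INITIAL_CONTACT] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
9 2020-03-08 10:38:44 info IKE Send:[SA][KE][NONCE][ID][HASH][VID][VID][VID][VID][VID][VID][VID][VID][PRV][PRV] 87.191.xxx.xxx:500 87.187.xxx.xxx:50 IKE_LOG
12 2020-03-08 10:38:43 info IKE Recv:[SA][KE][NONCE][ID][VID][VID][VID][VID][VID][VID] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
14 2020-03-08 10:38:43 info IKE Recv Aggressive Mode request from [87.187.xxx.xxx]
"""

ROW = re.compile(r"^\d+ (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ IKE (.*)$")
MSG = re.compile(r"^(Send|Recv):((?:\[[^\]]+\])+)")  # payload list right after Send:/Recv:

def analyse(log_text):
    """Summarise one IKEv1 negotiation from ZyWall IKE log rows."""
    rows = [m.groups() for m in map(ROW.match, log_text.splitlines()) if m]
    rows.reverse()                 # newest-first display: reverse to keep same-second order
    rows.sort(key=lambda r: r[0])  # stable sort; ISO timestamps order correctly as strings
    result = {"phase1_done": False, "mode_cfg_seen": False,
              "quick_mode_seen": False, "seconds_until_teardown": None}
    done_at = None
    for stamp, text in rows:
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        msg = MSG.match(text)
        payloads = re.findall(r"\[([^\]]+)\]", msg.group(2)) if msg else []
        if "Phase 1 IKE SA process done" in text:
            result["phase1_done"], done_at = True, ts
        elif done_at and "SA" in payloads:
            result["quick_mode_seen"] = True   # Quick Mode message 1 carries an SA payload
        elif done_at and "ATTR" in payloads:
            result["mode_cfg_seen"] = True     # assumption: ATTR = Mode Config exchange
        elif done_at and "is disconnected" in text:
            result["seconds_until_teardown"] = int((ts - done_at).total_seconds())
    return result

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

For the rows in the post this reports that Phase 1 completed, an `[ATTR]` message followed, no Phase 2 (Quick Mode) proposal was logged, and the SA was deleted 29 seconds later.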
All Replies
-
Hi @Hackepeter
Welcome to Zyxel community
As you mentioned that ZyWALL has fixed WAN IP address (87.191.xxx.xxx) and a LAN1 Subnet 192.168.177.0
In the VPN connection settings on ZyWALL110, Local Policy should be 192.168.177.0 not WAN IP 87.191.xxx.xxx
0 -
Hello,
Some problem here :( - also ZyWall 110 with AVM Fritzbox. ZyWall using fixed IP and Fritzbox dynamic one.
Phase1 is ok but no connection will be established??
Any Ideas?
thx
Sascha
0