VPN Between ZyWall 110 and Fritzbox7590

Hackepeter
Hackepeter Posts: 1  Freshman Member
edited April 2021 in Security

Hi all!

I have been trying to get a VPN connection between a ZyWall 110 and a Fritzbox 7590 for several days, without success...

The ZyWall has a fixed WAN IP address (87.191.xxx.xxx) and a LAN1 subnet of 192.168.177.0, normal IPv4 VDSL.

The Fritzbox has a dynamic IP address (a DynDNS hostname is available); the LAN subnet is 192.168.178.0, normal IPv4 VDSL.

I want to create a site-to-site VPN with a dynamic peer, so first I create a VPN Gateway on the ZyWall:


Then I create the VPN Connection:

Local Policy "LAN1 subnet" has not brought any better results either.

Then I created the VPN configuration on the Fritzbox (with the wizard "Connect to a company network"). I have a screenshot and a config file of the connection:

{
        enabled = yes;
        editable = yes;
        conn_type = conntype_out;
        name = "MyVPNConnectionName";
        boxuser_id = 0;
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = no;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 87.191.XXX.XXX;
        remote_virtualip = 0.0.0.0;
        keepalive_ip = 192.168.177.1;
        localid {
            key_id = "MyID";
        }
        mode = phase1_mode_aggressive;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = yes;
        phase2localid {
            ipnet {
                ipaddr = 0.0.0.0;
                mask = 0.0.0.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 0.0.0.0;
                mask = 0.0.0.0;
            }
        }
        phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
        accesslist = "permit ip any 192.168.177.0 255.255.255.0";
        app_id = 0;
}


With these settings the connection will not establish.

Log from ZyWall:

1 2020-03-08 10:39:13 info IKE SAKMP SA [_Side-To_Side_GW] is disconnected 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
2 2020-03-08 10:39:13 info IKE Send:[HASH][DEL] [count=3] 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
3 2020-03-08 10:39:13 info IKE The cookie pair is : 0xc772122564142f56 / 0x2900f3797d042a8a [count=4] 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
4 2020-03-08 10:38:46 notice Security Policy Control Match default rule, DROP 195.54.166.xxx:58557 87.191.xxx.xxx:37348 ACCESS BLOCK
5 2020-03-08 10:38:44 info IKE Send:[HASH] 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
6 2020-03-08 10:38:44 info IKE Recv:[HASH][ATTR] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
7 2020-03-08 10:38:44 info IKE Phase 1 IKE SA process done 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
8 2020-03-08 10:38:44 info IKE Recv:[HASH][PRV][PRV][NOTIFY:INITIAL_CONTACT] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
9 2020-03-08 10:38:44 info IKE Send:[SA][KE][NONCE][ID][HASH][VID][VID][VID][VID][VID][VID][VID][VID][PRV][PRV] 87.191.xxx.xxx:500 87.187.xxx.xxx:50 IKE_LOG
10 2020-03-08 10:38:44 info IKE The cookie pair is : 0xc772122564142f56 / 0x2900f3797d042a8a [count=3] 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
11 2020-03-08 10:38:43 info IKE Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA512 PRF, HMAC-SHA512-256, 1024 bit MODP, HMAC-SHA1 PRF, HMAC-SHA1-96, AES CBC key len = 192, AES CBC, 3DES, DES, HMAC-MD5 PRF, HMAC-MD5-96; ). 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
12 2020-03-08 10:38:43 info IKE Recv:[SA][KE][NONCE][ID][VID][VID][VID][VID][VID][VID] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
13 2020-03-08 10:38:43 info IKE The cookie pair is : 0x2900f3797d042a8a / 0xc772122564142f56 [count=3] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
14 2020-03-08 10:38:43 info IKE Recv Aggressive Mode request from [87.187.xxx.xxx]


On the Fritzbox I see only:

VPN error: spa firmenlan, IKE-Error 0x203d

0x203d means "phase 1 SA removed during negotiation".


Does anybody have an idea what it could be?
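The ZyWALL log above, read programmatically: this is an added example for this thread, not code from the original post, from Zyxel or from AVM. It parses the posted log lines (the ZyWALL GUI lists newest first), orders them oldest first and reports how far the IKEv1 negotiation got. Two points a practitioner would want flagged here: the Fritzbox asks for aggressive mode, in which the identities cross the wire in clear and the responder's HASH_R can be used for an offline dictionary attack on the pre-shared key by anyone who can initiate; and the proposal list the ZyWALL received still contains DES, 3DES, MD5 and 1024-bit MODP. The example also notes that the `[HASH][ATTR]` message received right after "Phase 1 IKE SA process done" carries an ISAKMP attribute payload, i.e. a Mode-Config exchange (consistent with `use_cfgmode = yes` in the posted Fritzbox config), and that no Quick Mode exchange follows before the `[HASH][DEL]`, which matches what the Fritzbox reports as 0x203d from its side. The weak-algorithm list and the classification rules are this example's own.

```python
"""Replay the ZyWALL IKE log from the original post and say how far the
IKEv1 negotiation got.

Added example for this thread, not Zyxel's or AVM's code.  SAMPLE_LOG is
transcribed from the post (addresses are already masked there; the three
"cookie pair" lines are left out).  Payload names ([SA], [KE], [HASH][DEL]...)
are as the ZyWALL prints them; the rules below are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines from the post, in the GUI's newest-first order.
SAMPLE_LOG = """\
1 2020-03-08 10:39:13 info IKE SAKMP SA [_Side-To_Side_GW] is disconnected 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
2 2020-03-08 10:39:13 info IKE Send:[HASH][DEL] [count=3] 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
4 2020-03-08 10:38:46 notice Security Policy Control Match default rule, DROP 195.54.166.xxx:58557 87.191.xxx.xxx:37348 ACCESS BLOCK
5 2020-03-08 10:38:44 info IKE Send:[HASH] 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
6 2020-03-08 10:38:44 info IKE Recv:[HASH][ATTR] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
7 2020-03-08 10:38:44 info IKE Phase 1 IKE SA process done 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG
8 2020-03-08 10:38:44 info IKE Recv:[HASH][PRV][PRV][NOTIFY:INITIAL_CONTACT] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
9 2020-03-08 10:38:44 info IKE Send:[SA][KE][NONCE][ID][HASH][VID][VID][VID][VID][VID][VID][VID][VID][PRV][PRV] 87.191.xxx.xxx:500 87.187.xxx.xxx:50 IKE_LOG
11 2020-03-08 10:38:43 info IKE Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA512 PRF, HMAC-SHA512-256, 1024 bit MODP, HMAC-SHA1 PRF, HMAC-SHA1-96, AES CBC key len = 192, AES CBC, 3DES, DES, HMAC-MD5 PRF, HMAC-MD5-96; ). 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
12 2020-03-08 10:38:43 info IKE Recv:[SA][KE][NONCE][ID][VID][VID][VID][VID][VID][VID] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG
14 2020-03-08 10:38:43 info IKE Recv Aggressive Mode request from [87.187.xxx.xxx]
"""

LINE_RE = re.compile(r"^(\d+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\w+)\s+(.*)$")

# Algorithms no current IKE policy should accept; \b keeps "DES" from matching "3DES".
WEAK = {
    "DES": re.compile(r"\bDES\b"),
    "3DES": re.compile(r"\b3DES\b"),
    "MD5": re.compile(r"\bMD5\b"),
    "MODP-1024": re.compile(r"\b1024 bit MODP\b"),
}


@dataclass
class Entry:
    seq: int        # GUI sequence number: 1 is the newest line
    ts: str
    severity: str
    msg: str


def parse_log(text):
    entries = [Entry(int(m[1]), m[2], m[3], m[4])
               for m in map(LINE_RE.match, text.splitlines()) if m]
    # Oldest first; within one second the higher sequence number is the older line.
    entries.sort(key=lambda e: (e.ts, -e.seq))
    return entries


def analyze(text):
    ike = [e for e in parse_log(text) if e.msg.startswith("IKE ")]
    r = {
        "aggressive_mode": any("Aggressive Mode request" in e.msg for e in ike),
        "phase1_done": any("Phase 1 IKE SA process done" in e.msg for e in ike),
        "modecfg_seen": False,     # [ATTR] = ISAKMP attribute payload, i.e. Mode-Config
        "quick_mode_seen": False,  # Phase 2 would start with Recv:[HASH][SA][NONCE]...
        "deleted": any("[DEL]" in e.msg for e in ike),
        "weak_proposals": [],
    }
    after_p1 = False
    for e in ike:
        if "Recv IKE sa:" in e.msg:
            r["weak_proposals"] = [name for name, rx in WEAK.items() if rx.search(e.msg)]
        elif "Phase 1 IKE SA process done" in e.msg:
            after_p1 = True
        elif after_p1 and e.msg.startswith("IKE Recv:"):
            r["modecfg_seen"] |= "[ATTR]" in e.msg
            r["quick_mode_seen"] |= "[SA]" in e.msg and "[NONCE]" in e.msg
    if not r["phase1_done"]:
        r["verdict"] = "Phase 1 never completed"
    elif r["quick_mode_seen"]:
        r["verdict"] = "Phase 2 (Quick Mode) reached"
    elif r["deleted"]:
        r["verdict"] = ("Phase 1 completed, no Quick Mode seen, ISAKMP SA deleted"
                        + (" after a Mode-Config request" if r["modecfg_seen"] else ""))
    else:
        r["verdict"] = "Phase 1 completed, still waiting for Phase 2"
    return r


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key:16} {value}")
```

Run it as a script to print the verdict for the posted log; pass any other ZyWALL IKE log text to `analyze()` to classify a different negotiation.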

All Replies

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,283  Zyxel Employee

    Hi @Hackepeter

    Welcome to Zyxel community

    As you mentioned, the ZyWALL has a fixed WAN IP address (87.191.xxx.xxx) and a LAN1 subnet of 192.168.177.0.

    In the VPN connection settings on the ZyWALL 110, the Local Policy should be 192.168.177.0, not the WAN IP 87.191.xxx.xxx.

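The reply above is about the traffic selectors: in IKEv1 Quick Mode the local/remote policy on one side has to mirror the remote/local policy on the other, so the Fritzbox side of the posted config deserves the same check. The following is an added example for this thread, not AVM's or Zyxel's code. It parses the vpncfg fragment from the original post (trimmed to the fields the checks use, PSK masked as in the post), compares `phase2localid`/`phase2remoteid` and `accesslist` against the two LANs named in the thread (192.168.178.0/24 behind the Fritzbox, 192.168.177.0/24 behind the ZyWALL), and separates tunnel-breaking findings from crypto-hygiene warnings. The reading that `use_cfgmode = yes`, a Mode-Config request for a virtual client address, does not belong in a LAN-to-LAN connection follows from IKEv1 semantics and is this example's own, not a statement from AVM's documentation; the accepted `phase1ss`/`phase2ss` strings differ between FRITZ!OS versions, so the corrected copy leaves those untouched and only reports them.

```python
"""Parse the FRITZ!Box vpncfg fragment from the original post and check it
against the LAN-to-LAN tunnel this thread is trying to build.

Added example for this thread, not AVM's or Zyxel's code.  SAMPLE_CFG is the
posted fragment, trimmed to the fields used here.  The subnets come from the
thread.  The parser and the error/warning rules are this example's own
reading of IKEv1 semantics, not AVM documentation.
"""
import ipaddress
import re

LOCAL_LAN = "192.168.178.0/255.255.255.0"   # behind the FRITZ!Box
REMOTE_LAN = "192.168.177.0/255.255.255.0"  # behind the ZyWALL

# Constructed sample: the posted connection block, reduced to the relevant keys.
SAMPLE_CFG = """\
{
    enabled = yes;
    name = "MyVPNConnectionName";
    remoteip = 87.191.XXX.XXX;
    keepalive_ip = 192.168.177.1;
    localid { key_id = "MyID"; }
    mode = phase1_mode_aggressive;
    phase1ss = "all/all/all";
    keytype = connkeytype_pre_shared;
    key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
    use_cfgmode = yes;
    phase2localid { ipnet { ipaddr = 0.0.0.0; mask = 0.0.0.0; } }
    phase2remoteid { ipnet { ipaddr = 0.0.0.0; mask = 0.0.0.0; } }
    phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
    accesslist = "permit ip any 192.168.177.0 255.255.255.0";
}
"""

TOKEN_RE = re.compile(r'"[^"]*"|[{}=;]|[^\s{}=;"]+')


def parse_vpncfg(text):
    """Turn `key = value;` and `name { ... }` into nested dicts; quotes are stripped."""
    tokens, pos = TOKEN_RE.findall(text), 0

    def block():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != "}":
            key, pos = tokens[pos], pos + 1
            if tokens[pos] == "=":
                node[key], pos = tokens[pos + 1].strip('"'), pos + 2
                if pos < len(tokens) and tokens[pos] == ";":
                    pos += 1
            elif tokens[pos] == "{":
                pos += 1
                node[key] = block()
                pos += 1                      # the matching "}"
            else:
                raise ValueError(f"unexpected {tokens[pos]!r} after {key!r}")
        return node

    if tokens and tokens[0] == "{":           # anonymous block, as in the posted fragment
        pos = 1
    return block()


def _net(node):
    return f"{node['ipnet']['ipaddr']}/{node['ipnet']['mask']}"


def check_connection(conn, local_lan=LOCAL_LAN, remote_lan=REMOTE_LAN):
    """errors: the tunnel cannot carry LAN-to-LAN traffic as configured.
    warnings: it may come up, but with weak IKE settings."""
    errors, warnings = [], []
    for side, want in (("phase2localid", local_lan), ("phase2remoteid", remote_lan)):
        if _net(conn[side]) != want:
            errors.append(f"{side} is {_net(conn[side])}, expected {want}")
    if conn.get("use_cfgmode") == "yes":
        errors.append("use_cfgmode = yes: Mode-Config asks the peer for a virtual client "
                      "address (dial-in behaviour); a LAN-to-LAN tunnel does not use it")
    rnet, rmask = remote_lan.split("/")
    if f"{rnet} {rmask}" not in conn.get("accesslist", ""):
        errors.append(f"accesslist does not cover {remote_lan}")
    if ipaddress.ip_address(conn["keepalive_ip"]) not in ipaddress.ip_network(remote_lan):
        warnings.append("keepalive_ip is outside the remote LAN")
    if conn.get("mode") == "phase1_mode_aggressive":
        warnings.append("aggressive mode with a PSK: IDs travel in clear and HASH_R lets any "
                        "initiator run an offline dictionary attack on the PSK")
    if conn.get("phase1ss", "").startswith("all/"):
        warnings.append("phase1ss = all/all/all accepts any cipher, hash and DH group "
                        "(the ZyWALL log shows DES, MD5 and 1024-bit MODP being offered)")
    if conn.get("phase2ss", "").endswith("/no-pfs"):
        warnings.append("phase2ss without PFS: one recovered IKE key exposes all Phase 2 traffic")
    return errors, warnings


def lan_to_lan_copy(conn, local_lan=LOCAL_LAN, remote_lan=REMOTE_LAN):
    """The same connection with LAN-to-LAN traffic selectors and Mode-Config off."""
    fixed = dict(conn)
    for side, lan in (("phase2localid", local_lan), ("phase2remoteid", remote_lan)):
        addr, mask = lan.split("/")
        fixed[side] = {"ipnet": {"ipaddr": addr, "mask": mask}}
    fixed["use_cfgmode"] = "no"
    return fixed


if __name__ == "__main__":
    conn = parse_vpncfg(SAMPLE_CFG)
    for label, cfg in (("posted", conn), ("lan-to-lan copy", lan_to_lan_copy(conn))):
        errors, warnings = check_connection(cfg)
        print(label, "errors:", *errors, "warnings:", *warnings, sep="\n  ")
```

The corrected copy clears the selector errors while the three warnings (aggressive mode, `all/all/all`, no PFS) remain, which is the intended separation: the first group stops the tunnel from carrying 192.168.178.0/24 to 192.168.177.0/24 at all, the second is what to tighten once it is up.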

  • Sascha_Walther
    Sascha_Walther Posts: 17  Freshman Member

    Hello,

    Same problem here :( - also a ZyWALL 110 with an AVM Fritzbox. The ZyWALL uses a fixed IP and the Fritzbox a dynamic one.

    Phase 1 is OK but no connection is established?

    Any Ideas?

    thx

    Sascha
