VPN Between ZyWall 110 and Fritzbox7590

Hackepeter
Hackepeter Posts: 1  Freshman Member
edited April 2021 in Security

Hi all!

i have been trying to get a vpn connection between a ZyWall 110 and a Fritzbox 7590 for several days - without success...

The ZyWall has a fixed WAN ip address (87.191.xxx.xxx) and a LAN1 Subnet 192.168.177.0, normal IPv4 VDSL.

The fritzbox has a dynamic ip address, a dyndns hostnmae is available, the LAN Subnet is 192.168.178.0, normal IPv4 VDSL.

I want to create a Site-to-site vpn with Dynamic Peer, so first i create a VPN Gateway on the ZyWall:


Then i create the VPN Connection:

Local Policy: "Lan1 subnet" has not brought any better results either,

Then I created the VPN configuration on the Fritzbox (with the wizard: "Connect to a company network"). I have a Screenshot and a config file from the connection:

{

        enabled = yes;

        editable = yes;

        conn_type = conntype_out;

        name = "MyVPNConnectionName";

        boxuser_id = 0;

        always_renew = no;

        reject_not_encrypted = no;

        dont_filter_netbios = no;

        localip = 0.0.0.0;

        local_virtualip = 0.0.0.0;

        remoteip = 87.191.XXX.XXX;

        remote_virtualip = 0.0.0.0;

        keepalive_ip = 192.168.177.1;

        localid {

            key_id = "MyID";

        }

        mode = phase1_mode_aggressive;

        phase1ss = "all/all/all";

        keytype = connkeytype_pre_shared;

        key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

        cert_do_server_auth = no;

        use_nat_t = yes;

        use_xauth = no;

        use_cfgmode = yes;

        phase2localid {

            ipnet {

                ipaddr = 0.0.0.0;

                mask = 0.0.0.0;

            }

        }

        phase2remoteid {

            ipnet {

                ipaddr = 0.0.0.0;

                mask = 0.0.0.0;

            }

        }

        phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";

        accesslist = "permit ip any 192.168.177.0 255.255.255.0";

        app_id = 0;

    }


With theese settings the connection will not etablish.

Log from ZyWall:

1 2020-03-08 10:39:13 info IKE SAKMP SA [_Side-To_Side_GW] is disconnected 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG

2 2020-03-08 10:39:13 info IKE Send:[HASH][DEL] [count=3] 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG

3 2020-03-08 10:39:13 info IKE The cookie pair is : 0xc772122564142f56 / 0x2900f3797d042a8a [count=4] 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG

4 2020-03-08 10:38:46 notice Security Policy Control Match default rule, DROP 195.54.166.xxx:58557 87.191.xxx.xxx:37348 ACCESS BLOCK

5 2020-03-08 10:38:44 info IKE Send:[HASH] 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG

6 2020-03-08 10:38:44 info IKE Recv:[HASH][ATTR] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG

7 2020-03-08 10:38:44 info IKE Phase 1 IKE SA process done 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG

8 2020-03-08 10:38:44 info IKE Recv:[HASH][PRV][PRV][NOTIFY:INITIAL_CONTACT] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG

9 2020-03-08 10:38:44 info IKE Send:[SA][KE][NONCE][ID][HASH][VID][VID][VID][VID][VID][VID][VID][VID][PRV][PRV] 87.191.xxx.xxx:500 87.187.xxx.xxx:50 IKE_LOG

10 2020-03-08 10:38:44 info IKE The cookie pair is : 0xc772122564142f56 / 0x2900f3797d042a8a [count=3] 87.191.xxx.xxx:500 87.187.xxx.xxx:500 IKE_LOG

11 2020-03-08 10:38:43 info IKE Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA512 PRF, HMAC-SHA512-256, 1024 bit MODP, HMAC-SHA1 PRF, HMAC-SHA1-96, AES CBC key len = 192, AES CBC, 3DES, DES, HMAC-MD5 PRF, HMAC-MD5-96; ). 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG

12 2020-03-08 10:38:43 info IKE Recv:[SA][KE][NONCE][ID][VID][VID][VID][VID][VID][VID] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG

13 2020-03-08 10:38:43 info IKE The cookie pair is : 0x2900f3797d042a8a / 0xc772122564142f56 [count=3] 87.187.xxx.xxx:500 87.191.xxx.xxx:500 IKE_LOG

14 2020-03-08 10:38:43 info IKE Recv Aggressive Mode request from [87.187.xxx.xxx]


On the Fritzbox i see only:

VPN-Fehler: spa firmenlan, IKE-Error 0x203d

0x203d means: "phase 1 sa removed during negotiation"


Does anybody have an idea what it could be?

All Replies

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,271  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 50 Answers 1000 Comments

    Hi @Hackepeter

    Welcome to Zyxel community

    As you mentioned that ZyWALL has fixed WAN IP address (87.191.xxx.xxx) and a LAN1 Subnet 192.168.177.0

    In the VPN connection settings on ZyWALL110, Local Policy should be 192.168.177.0 not WAN IP 87.191.xxx.xxx

    Engage in the Community, become an MVP, and win exclusive prizes!

  • Sascha_Walther
    Sascha_Walther Posts: 17  Freshman Member
    First Comment Second Anniversary

    Hello,

    some problem here :( -also Zywall110 with AVM Fritzbox. zywall using fixed ip and Fritzbox dynamic one.

    Phase1 is ok but no connection will be established??

    Any Ideas?

    thx

    Sascha

Security Highlight