VPN - dial timeout

GaryHolmes
GaryHolmes Posts: 1  Freshman Member
edited April 14 in Security
I'm trying to connect two ZyWALL 110's via a site to site IKEV2 IPSec VPN. When I try to connect, I get the "Dial Timeout" message after 30 seconds. I've packet captured and I can see the initiating side send 2 requests (IKE_SA_INIT and IKE_AUTH) and get 2 responses and then nothing.

The only thing that is "odd" is that one of the 110's is sitting behind a BT router and hence on a 192.168.x.x address with the router treating it as the DMZ target. Don't know if this is relevant, but I've tried the gateway setups with both the external IP and an FQDN in appropriately on both sides, but no difference.

For completeness, the other 110 is using its wan_ppp interface.

Any ideas?

I have worked through this link: https://businessforum.zyxel.com/discussion/551/an-example-of-site-to-site-vpn#:~:text=Configuration on HQ Site.&text=Creating VPN Gateway-,Go to Configuration > VPN > IPSec VPN > VPN Gateway and,ZyWALL USG 100 WAN IP.

Thanks,
Gary

Answers

  • jasailafan
    jasailafan Posts: 139  Ally Member
    First, the following IP protocols and UDP ports should be allowed on the router if the router has firewall policy settings.
    ESP: IP protocol = 50 
    AH: IP protocol = 51 
    IKE: UDP Port Number = 500
    NAT-T: UDP Port Number = 4500

    Seconds, check the lan IP subnet of ZyWALL 110 and the dmz subnet of the router. If any IP subnets conflict, change the subnet.

    Third, use wizard to set up vpn between two ZyWALL 110.
    ZyWALL 110 with wan_ppp interface: site to site with dynamic peer
    ZyWALL 110 behind router: site to site

Security Highlight