Several Site-to-site with Dynamic Peer IKE1 connection -- wrong Phase2 for Phase1

Dreadbit
Dreadbit Posts: 9  Freshman Member
First Comment Friend Collector
edited April 2021 in Security
Hello, USG40, I have two Site-to-site with Dynamic Peer IKE1, with different algos, with different shared key and with different remote-policy / phase2 settings. Connection 1 is established and working, but when I try to establish connectinon 2, from the log I see that Phase 1 (in VPN Gateway in Web GUI terms) identifies the peer, but, then it tries to build Phase2 (VPN Connection) according Connection 1 settings.
I clearly bind Phase 2 settings to Connection 2 and see it as remote-policy in config (I configure things via WEB and check via cli)

The alike configuration with two IKE2 site-to-site-with-dynamic-peers works without problem.

What to do? The remote devices with IKE1 cannot do IKE2.




All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @Dreadbit  

    You may try to configure different “Local ID” in phase 1.

    It can help system to select in correct VPN rule when there are many dynamic rules.


  • Dreadbit
    Dreadbit Posts: 9  Freshman Member
    First Comment Friend Collector
    @Zyxel_Stanley , thanks for reply.
    That did not help. I set a unique Local ID type on server/incoming side and also changed Peer ID to unique (and it matches with the caller).
    As before -- phase I is ok, and phase II is selected the wrong way.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @Dreadbit

    Can you post your  VPN setting or send your config to me by private message for further check?

  • Dreadbit
    Dreadbit Posts: 9  Freshman Member
    First Comment Friend Collector
    Zyxel_Stanley thanks for your help, dropped you a private message.
  • kruess
    kruess Posts: 17  Freshman Member
    First Comment First Answer Friend Collector Third Anniversary
    Hi, did you get any further with that investigation? We have been observing similar behaviour in the past, too. But it's hard to analyse with ~20 active IPSec VPN's.
  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    25 Answers First Comment Friend Collector Seventh Anniversary
    Hi @kruess
    In previous case, we suggested to change the IKE phase from main mode to aggressive mode since both sites need to be configured in the same mode or the VPN won't be established successfully. Hope this solution helps to your scenario, too.


Security Highlight