Several Site-to-site with Dynamic Peer IKE1 connection -- wrong Phase2 for Phase1
Hello, USG40, I have two Site-to-site with Dynamic Peer IKE1 connections, with different algos, with different shared keys and with different remote-policy / phase2 settings. Connection 1 is established and working, but when I try to establish connection 2, from the log I see that Phase 1 (VPN Gateway in Web GUI terms) identifies the peer, but then it tries to build Phase 2 (VPN Connection) according to Connection 1 settings.
I clearly bind Phase 2 settings to Connection 2 and see it as remote-policy in the config (I configure things via the web GUI and check via CLI).
A similar configuration with two IKE2 site-to-site-with-dynamic-peers works without problem.
What to do? The remote devices with IKE1 cannot do IKE2.
All Replies
-
Hi @Dreadbit
You may try to configure a different “Local ID” in phase 1.
It can help the system select the correct VPN rule when there are many dynamic rules.
-
@Zyxel_Stanley, thanks for the reply. That did not help. I set a unique Local ID type on the server/incoming side and also changed the Peer ID to a unique one (and it matches with the caller). As before -- phase I is ok, and phase II is selected the wrong way.
-
Hi @Dreadbit
Can you post your VPN setting or send your config to me by private message for further check?
-
Zyxel_Stanley thanks for your help, dropped you a private message.
-
Hi, did you get any further with that investigation? We have been observing similar behaviour in the past, too. But it's hard to analyse with ~20 active IPSec VPNs.