USG60 IKEv2/Ipsec client question

Lou_S

Hi-

I'm trying to get a USG60 to connect to a vpn service as an IPSEC client.  EAP auth seems to work (logs show "AUTH Success!" message) and I get as far as "IKE SA negotiation process done" in the log.  I then seem to enter a loop where we keep sending the cookie pair back and forth forever (logs show it repeating with a client message of "Send:" and the VPN server a "Recv:" message)

I recall with site to site IPSEC in the past I used to see an explicit phase 1 complete message, not sure if the "SA negotiation process done" means my issue is in phase 2.  Does anyone know if that's correct, and why I might be stuck in this loop? 

Attaching a screenshot of the loop.  USG client is 172.x.x.x and VPN server is 45.x.x.x.

Thanks for any ideas!

lou

Lou_S

Sorry, I said the USG60 client is at 172.x.x.x above when it should say 173.x.x.x

Zyxel_Jeff

Hi @Lou_S

 There are some points that need to clarify:

(1)  Could this VPN connection be established? Or still, stuck in this loop?

(2)  Is the destination VPN server also a Zyxel security gateway?

(3)  What is your VPN gateway application scenario? Are you available to provide your test topology and startup-config.conf file to me via private message?

Thanks.

Lou_S

Hi Jeff-

Thanks for the reply.  I was trying to connect a tunnel from the router to a VPN service (Nord VPN).  Nord claims to support IPSEC/IKEv2  using Client_Role with xauth/EAP.  I dont know whose tech was at used as the VPN server.

I was stuck in this loop for a while but gave up and canceled the service.  NordVPN support wouldn't share the needed config settings and I hit a wall.  Their refusal to share even basic info made this too hard to debug.

Thanks anyway

Lou

Zyxel_Jeff

Hi @Lou_S

Thanks for your feedback.

If there is any assistance needs in the future please let us know.