USG60 IKEv2/Ipsec client question

Lou_S Posts: 4
edited April 14 in Security

I'm trying to get a USG60 to connect to a vpn service as an IPSEC client.  EAP auth seems to work (logs show "AUTH Success!" message) and I get as far as "IKE SA negotiation process done" in the log.  I then seem to enter a loop where we keep sending the cookie pair back and forth forever (logs show it repeating with a client message of "Send:" and the VPN server a "Recv:" message)

I recall with site to site IPSEC in the past I used to see an explicit phase 1 complete message, not sure if the "SA negotiation process done" means my issue is in phase 2.  Does anyone know if that's correct, and why I might be stuck in this loop? 

Attaching a screenshot of the loop.  USG client is 172.x.x.x and VPN server is 45.x.x.x.

Thanks for any ideas!

All Replies

  • Lou_S
    Lou_S Posts: 4
    Sorry, I said the USG60 client is at 172.x.x.x above when it should say 173.x.x.x
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 135  Zyxel Employee

    Hi @Lou_S

     There are some points that need to clarify:

    (1)  Could this VPN connection be established? Or still, stuck in this loop?

    (2)  Is the destination VPN server also a Zyxel security gateway?

    (3)  What is your VPN gateway application scenario? Are you available to provide your test topology and startup-config.conf file to me via private message?

  • Lou_S
    Lou_S Posts: 4
    Hi Jeff-

    Thanks for the reply.  I was trying to connect a tunnel from the router to a VPN service (Nord VPN).  Nord claims to support IPSEC/IKEv2  using Client_Role with xauth/EAP.  I dont know whose tech was at used as the VPN server.

    I was stuck in this loop for a while but gave up and canceled the service.  NordVPN support wouldn't share the needed config settings and I hit a wall.  Their refusal to share even basic info made this too hard to debug.

    Thanks anyway

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 135  Zyxel Employee

    Hi @Lou_S

    Thanks for your feedback.

    If there is any assistance needs in the future please let us know.

Sign In to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click on this button!