USG60 IKEv2/Ipsec client question

Lou_S
Lou_S Posts: 5
First Comment Friend Collector First Anniversary
edited April 2021 in Security
Hi-

I'm trying to get a USG60 to connect to a vpn service as an IPSEC client.  EAP auth seems to work (logs show "AUTH Success!" message) and I get as far as "IKE SA negotiation process done" in the log.  I then seem to enter a loop where we keep sending the cookie pair back and forth forever (logs show it repeating with a client message of "Send:" and the VPN server a "Recv:" message)

I recall with site to site IPSEC in the past I used to see an explicit phase 1 complete message, not sure if the "SA negotiation process done" means my issue is in phase 2.  Does anyone know if that's correct, and why I might be stuck in this loop? 

Attaching a screenshot of the loop.  USG client is 172.x.x.x and VPN server is 45.x.x.x.

Thanks for any ideas!
lou








All Replies

  • Lou_S
    Lou_S Posts: 5
    First Comment Friend Collector First Anniversary
    Sorry, I said the USG60 client is at 172.x.x.x above when it should say 173.x.x.x
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 449
    25 Answers First Comment Friend Collector Second Anniversary
     Master Member

    Hi @Lou_S

     There are some points that need to clarify:

    (1)  Could this VPN connection be established? Or still, stuck in this loop?

    (2)  Is the destination VPN server also a Zyxel security gateway?

    (3)  What is your VPN gateway application scenario? Are you available to provide your test topology and startup-config.conf file to me via private message?


    Thanks.
  • Lou_S
    Lou_S Posts: 5
    First Comment Friend Collector First Anniversary
    Hi Jeff-

    Thanks for the reply.  I was trying to connect a tunnel from the router to a VPN service (Nord VPN).  Nord claims to support IPSEC/IKEv2  using Client_Role with xauth/EAP.  I dont know whose tech was at used as the VPN server.

    I was stuck in this loop for a while but gave up and canceled the service.  NordVPN support wouldn't share the needed config settings and I hit a wall.  Their refusal to share even basic info made this too hard to debug.

    Thanks anyway

    Lou
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 449
    25 Answers First Comment Friend Collector Second Anniversary
     Master Member

    Hi @Lou_S

    Thanks for your feedback.

    If there is any assistance needs in the future please let us know.


Security Highlight