Site to Site VPN to Meraki endpoint

cre8toruk
cre8toruk Posts: 1  Freshman Member
edited April 2021 in Security
Hi All, very new to all of this but I'm trying to get a site to site vpn setup between our Zywall 310 and a Meraki box, I've got the pre-shared keys the same and I think the config setup right but it's not coming up. Has anyone done this or can point me in the direction of some instructions on what to do ?



Comments

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    Hello cre8toruk,
    G'day
    There is the guideline can help you double confirm the configuration on USG series.
    FAQ link:
    https://businessforum.zyxel.com/discussion/551/an-example-of-site-to-site-vpn#latest 
    Secondly,
    if the issue still appear, please share the "IKE" log message to us for checking. 
    Go to Monitor>Log>View Log>Select IKE on the category

    Charlie
  • CoreSG
    CoreSG Posts: 40  Freshman Member
    edited October 2017
    I have this working, but it's specifically necessary to configure the Ubquiti (eg: EdgeRouter Lite) via the command-line.
    From my notes on this. Assumes you already have access via ssh, although it's possible to use the "command" box via a browser, I recommend against using that. 
    Please double-check and verify, and the settings used need to match the configuration for your Zyxel USG.

    Here is their guide which you should read in full:

    IMPORTANT: Verify the port (name) of your Ubiquiti's WAN port and alter where I have "eth1" if needed. Also, this example has the Ubiquiti LAN as 192.168.10.0 and the Zyxel LAN as 10.0.0./24 - obviously adjust each accordingly.

    set vpn ipsec esp-group FOO
    set vpn ipsec esp-group FOO compression disable
    set vpn ipsec esp-group FOO lifetime 28800
    set vpn ipsec esp-group FOO mode tunnel
    set vpn ipsec esp-group FOO pfs enable
    set vpn ipsec esp-group FOO proposal 1
    set vpn ipsec esp-group FOO pfs dh-group2
    set vpn ipsec esp-group FOO proposal 1 encryption aes256
    set vpn ipsec esp-group FOO proposal 1 hash sha1
    set vpn ipsec ike-group FOO
    set vpn ipsec ike-group FOO lifetime 28800
    set vpn ipsec ike-group FOO proposal 1
    set vpn ipsec ike-group FOO proposal 1 dh-group 2
    set vpn ipsec ike-group FOO proposal 1 encryption aes256
    set vpn ipsec ike-group FOO proposal 1 hash sha1
    set vpn ipsec ipsec-interfaces interface eth1
    set vpn ipsec logging log-modes all
    set vpn ipsec logging log-modes control
    set vpn ipsec nat-traversal enable
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel  
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel local-ip XX.WANIP.OFYOUR.UBIQUITI
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel authentication mode pre-shared-secret
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel authentication pre-shared-secret longSecretPasswordHere
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel connection-type initiate
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel default-esp-group FOO
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel ike-group FOO
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel tunnel 1
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel tunnel 1 allow-nat-networks enable
    set vpn ipsec nat-traversal enable
    set vpn ipsec nat-networks allowed-network 0.0.0.0/0
    set vpn ipsec nat-networks allowed-network 10.0.0.0/24
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel tunnel 1 allow-nat-networks disable
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel tunnel 1 allow-public-networks disable
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel tunnel 1 esp-group FOO
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel tunnel 1 local subnet 192.168.10.0/24
    (THIS IS THE LAN OF THE Ubuiti ER)
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel tunnel 1 remote subnet 10.0.0.0/24
     (THIS IS THE LAN OF THE Zyxel)
    commit
    save
    exit
  • CoreSG
    CoreSG Posts: 40  Freshman Member
    Note: Copy and paste into something else, this forum software is line-wrapping where there shouldn't be newlines.

Security Highlight