Site to Site VPN to Meraki endpoint

cre8toruk Posts: 1  Freshman Member
edited April 2021 in Security
Hi All, very new to all of this but I'm trying to get a site-to-site VPN set up between our Zywall 310 and a Meraki box. I've got the pre-shared keys the same and I think the config is set up right, but it's not coming up. Has anyone done this, or can anyone point me in the direction of some instructions on what to do?



Comments

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    Hello cre8toruk,
    G'day
    Here is a guideline that can help you double-check the configuration on the USG series.
    FAQ link:
    https://businessforum.zyxel.com/discussion/551/an-example-of-site-to-site-vpn#latest 
    Secondly,
    if the issue still appears, please share the "IKE" log messages with us for checking.
    Go to Monitor > Log > View Log and select IKE as the category.

    Charlie
  • CoreSG
    CoreSG Posts: 40  Freshman Member
    edited October 2017
    I have this working, but it's specifically necessary to configure the Ubiquiti (e.g. EdgeRouter Lite) via the command line.
    From my notes on this. Assumes you already have access via ssh; although it's possible to use the "command" box via a browser, I recommend against using that.
    Please double-check and verify, and the settings used need to match the configuration for your Zyxel USG.

    Here is their guide which you should read in full:

    IMPORTANT: Verify the port (name) of your Ubiquiti's WAN port and alter where I have "eth1" if needed. Also, this example has the Ubiquiti LAN as 192.168.10.0 and the Zyxel LAN as 10.0.0.0/24 - obviously adjust each accordingly.

    set vpn ipsec esp-group FOO
    set vpn ipsec esp-group FOO compression disable
    set vpn ipsec esp-group FOO lifetime 28800
    set vpn ipsec esp-group FOO mode tunnel
    set vpn ipsec esp-group FOO pfs enable
    set vpn ipsec esp-group FOO proposal 1
    set vpn ipsec esp-group FOO pfs dh-group2
    set vpn ipsec esp-group FOO proposal 1 encryption aes256
    set vpn ipsec esp-group FOO proposal 1 hash sha1
    set vpn ipsec ike-group FOO
    set vpn ipsec ike-group FOO lifetime 28800
    set vpn ipsec ike-group FOO proposal 1
    set vpn ipsec ike-group FOO proposal 1 dh-group 2
    set vpn ipsec ike-group FOO proposal 1 encryption aes256
    set vpn ipsec ike-group FOO proposal 1 hash sha1
    set vpn ipsec ipsec-interfaces interface eth1
    set vpn ipsec logging log-modes all
    set vpn ipsec logging log-modes control
    set vpn ipsec nat-traversal enable
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel  
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel local-ip XX.WANIP.OFYOUR.UBIQUITI
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel authentication mode pre-shared-secret
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel authentication pre-shared-secret longSecretPasswordHere
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel connection-type initiate
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel default-esp-group FOO
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel ike-group FOO
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel tunnel 1
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel tunnel 1 allow-nat-networks enable
    set vpn ipsec nat-traversal enable
    set vpn ipsec nat-networks allowed-network 0.0.0.0/0
    set vpn ipsec nat-networks allowed-network 10.0.0.0/24
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel tunnel 1 allow-nat-networks disable
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel tunnel 1 allow-public-networks disable
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel tunnel 1 esp-group FOO
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel tunnel 1 local subnet 192.168.10.0/24
    (THIS IS THE LAN OF THE Ubiquiti ER)
    set vpn ipsec site-to-site peer xx.staticWAN-IP.ofYour.Xyxel tunnel 1 remote subnet 10.0.0.0/24
    (THIS IS THE LAN OF THE Zyxel)
    commit
    save
    exit
  • CoreSG
    CoreSG Posts: 40  Freshman Member
    Note: Copy and paste into something else, this forum software is line-wrapping where there shouldn't be newlines.
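
Added example (not part of any post above, and not Zyxel or Ubiquiti code): a small Python check that the IKE/ESP proposals and tunnel subnets in a pasted EdgeOS command list line up with what the other gateway is set to, since the settings need to match on both ends. The PEER values and the 203.0.113.10 address are constructed for illustration; fill PEER in by hand from the other gateway's VPN settings.

```python
import re

# Constructed sample: a subset of the EdgeOS commands from the post above.
EDGEOS = """\
set vpn ipsec esp-group FOO lifetime 28800
set vpn ipsec esp-group FOO pfs dh-group2
set vpn ipsec esp-group FOO proposal 1 encryption aes256
set vpn ipsec esp-group FOO proposal 1 hash sha1
set vpn ipsec ike-group FOO lifetime 28800
set vpn ipsec ike-group FOO proposal 1 dh-group 2
set vpn ipsec ike-group FOO proposal 1 encryption aes256
set vpn ipsec ike-group FOO proposal 1 hash sha1
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 local subnet 192.168.10.0/24
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 remote subnet 10.0.0.0/24
"""

# Hypothetical: values read off the other gateway's VPN pages, typed in by hand.
PEER = {"ike.encryption": "aes256", "ike.hash": "sha1", "ike.dh-group": "2",
        "ike.lifetime": "28800", "esp.encryption": "aes256", "esp.hash": "sha1",
        "esp.pfs": "dh-group2", "esp.lifetime": "28800",
        "local": "10.0.0.0/24", "remote": "192.168.10.0/24"}

def parse_edgeos(text):
    """Flatten 'set vpn ipsec ...' lines into {key: value}; later lines win."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"set vpn ipsec (ike|esp)-group \S+ (?:proposal \d+ )?(\S+) (\S+)$", line)
        if m:
            cfg[f"{m.group(1)}.{m.group(2)}"] = m.group(3)
            continue
        m = re.search(r"tunnel \d+ (local|remote) subnet (\S+)$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def compare(local_cfg, peer_cfg):
    """Return (peer key, our value, their value) for each parameter that differs."""
    # Subnets must mirror each other: the peer's local subnet is our remote subnet.
    mirror = {"local": "remote", "remote": "local"}
    diffs = []
    for key, theirs in sorted(peer_cfg.items()):
        ours = local_cfg.get(mirror.get(key, key))
        if ours != theirs:
            diffs.append((key, ours, theirs))
    return diffs

if __name__ == "__main__":
    for key, ours, theirs in compare(parse_edgeos(EDGEOS), PEER):
        print(f"MISMATCH {key}: this side {ours!r}, peer {theirs!r}")
```

An empty result means every parameter listed in PEER matches; a parameter missing from the EdgeOS side shows up with None as this side's value. DH group 2 and SHA-1 are legacy choices, so if both gateways support stronger ones, change them on both sides together and re-run the comparison.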
