VPN Configuration

Options
Costas
Costas Posts: 9
First Anniversary Friend Collector First Comment
edited April 2021 in Security

I started a new thread as just now getting back to this and different questions

Here is the configuration of our ZyXELL 110

VPN-CorpGW.jpg
VPN-CorpVPN.jpg
VPN-CorpPolicy-1.jpg
VPN-CorpPolicy-2.jpg

Above is a site to site, router to router VPN tunnel between offices which works just fine. Now I'm wanting to add a VPN client connection for remote access to people in the field. I've set it up as the following.

VPN-ClientGW.jpg
VPN-ClientVPN.jpg
VPN-ClientVPN-2.jpg
VPN-ClientPolicy.jpg


So, office "A" internal network is 192.168.0.0/21 and office "B" is 192.168.8.0/21 and the intention is to have the client give an address of 192.168.88.x and SNAT to 192.168.80.x because likely their connection would overlap our internal addresses.

After a bunch of trials, changing the Phase1 & Phase2 to match, only using 3DES & SHA-1 & DH2, I've gotten rid of the auth errors but now the ZyWALL VPN CLient is giving me Phase2 doesn't match again and the weird part is in the log it stated the site to site policy and not the client policy. I started out with the Win10 VPN client but installed the ZyWALL one for further tests.

Clearly something that I'm missing. Not that familiar with VPNs. I set the site to site a number of years ago. Any help appreciated.

All Replies

  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @Costas

    You may refer to this KB article which mention about how to implement SNAT in Site-to-Site IPSec VPN scenario to avoid local subnet overlapping problem.

    https://kb.zyxel.com/KB/searchArticle!viewDetail.action?articleOid=014715&lang=EN

  • Costas
    Costas Posts: 9
    First Anniversary Friend Collector First Comment
    Options

    @Zyxel_Vic

    Sorry, had a number of other projects and now getting back to this. Due to the time delay and issues I thought it would be best to just start over so have deleted the prior gateway, client, and policy. I still have the office site-to-site VPN in place but all of the client stuff from above has been removed.

    Created a new gw & client based on http://onesecurity.zyxel.com/img/uploads/Next-Gen_VPN%20with%20User%20Based%20PSK%20CR.pdf I can include shots of them if you wish.

    What I did not do is on the bottom of page 11 to uncheck the box to “Use Policy Route to control dynamic IPSec rules” because we have rules for the office traffic.

    Created a policy route for the source address of the group of authorized public IP's with the destination address of a new subnet (192.168.1.0/24) because I only need to communicate with that part of the super subnet (192.168.0.0/21).

    Tried connecting with the built-in Windows VPN client but failed so went back to the ZyWALL client. I can establish the tunnel and it provides the client with a 10.10.10.10 address. If I look at the VPN IPSec monitor it shows connected with inbound traffic. If I attempt to ping 192.168.1.20 (a device I want to RDP to) I appear to get a response from the ping but the monitor shows no outbound traffic and when I try to RDP to it it fails to connect.

    My guess is the policy route?

    I figured best to start with a basic connection and then try to figure out the SNAT issue since my local subnet is 192.168.40.0/24 and I don't overlap the office subnets.

    Thanks again,

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)