NonSDWan Branch to SDWan Hub

AndreaTosi
AndreaTosi Posts: 14  Freshman Member
First Comment
edited April 2021 in Security
Hi everyone, maybe it's just me ... but I can't understand the process of connecting an older branch firewall (for example a Zywall100 Plus) to a new, SDWan configured Hub...

I'm about to switch our 10 sites hub-and-spoke VPN to sdwan, but cannot stop operations and cannot be everywhere to reconnect firewalls so i was trying to:
   Configure the main office new Zyxel VPN300 as an sdwan device
   Configure non-sdwan to that vpn300 on the elder firewalls (a mix of 100plus, usg20-30 and vpn50)
   > see traffic and people happily work
   Gradually switch branches new firewalls to sdwan, one at a time

I've tried to setup a Configuration-Services-NonSDWan Gateway as a branch, specifying its router's ip (and flagging nat); dialed in the necessary parameters and the remote's lan address;
Then selected it in my organization's profile, assigning it to a corporate zone... (maybe i should have checked "branch to non-sdwan hubs" but i think it's the opposite of what i'm trying to accomplish)

Manually create a new phase1 and phase2 vpn setup following the configuration file inside the branch's firewall.

I could see on both firewalls IKE traffic (yes, ports are opened and nat selected on both side's routers) but "no proposal" or "wrong cookie pairs" errors and no communication.

Can somebody provide more advice on this setup?

Thank you very much!

Comments

  • AndreaTosi
    AndreaTosi Posts: 14  Freshman Member
    First Comment
    Checking my configuration, noticed this: I said i left disabled the "branch to non-sdwan hubs" but this way i couldn't see our "other" firewall listed under our hub's VPN300 configuration page.
    Enabled that option, can see the remote listed. This evening I'll have another round with them and update this post.
  • AndreaTosi
    AndreaTosi Posts: 14  Freshman Member
    First Comment
    Just to update my post... Yesterday I double checked branch's router and Zywall100Plus configuration; checked once more my hub's vpn300 nebula configuration, profile and services but didn't get a working connection.
    Since that flag reads Branch to non-sd Hub, tomorrow I'll try leaving our hub's old firewall (Zywall 110) and make a newer branch VPN50 sdwan try and connect to it...
  • AndreaTosi
    AndreaTosi Posts: 14  Freshman Member
    First Comment
    Another update: I've managed to make a VPN working ... Set up a branch VPN50 to connect to the hub's older Zywall110!
    To do this, I configured the hub's zywall 110 as a "service / non sdwan gateway"; disabled the "hub" option on the new firewall i had setup under profile/autovpn and enabled branch to non-sdwan, adding the service i just configured;
    In zywall 110's configuration, chechek phase1 and 2 parameters to match to whatever the "service" created for me.
    After a bit of troubleshooting, i could see the remote branch's VPN50 connecting to our central site and could reach our central server.
    That's my first step into upgrading all the branches and at the end the main firewall.
    I have other issues limiting allowed traffic but that will be another post...
    Bye all

Security Highlight