USG60 IKEv2/IPsec client question

Lou_S
edited April 2021 in Security
Hi-

I'm trying to get a USG60 to connect to a VPN service as an IPSEC client. EAP auth seems to work (logs show "AUTH Success!" message) and I get as far as "IKE SA negotiation process done" in the log. I then seem to enter a loop where we keep sending the cookie pair back and forth forever (logs show it repeating with a client message of "Send:" and the VPN server a "Recv:" message).

I recall that with site-to-site IPSEC in the past I used to see an explicit phase 1 complete message; I'm not sure if the "SA negotiation process done" means my issue is in phase 2. Does anyone know if that's correct, and why I might be stuck in this loop?

Attaching a screenshot of the loop.  USG client is 172.x.x.x and VPN server is 45.x.x.x.

Thanks for any ideas!
lou

All Replies

  • Lou_S
    Sorry, I said the USG60 client is at 172.x.x.x above when it should say 173.x.x.x
  • Zyxel_Jeff
    Zyxel Employee

    Hi @Lou_S

    There are some points that need to be clarified:

    (1)  Could this VPN connection be established? Or is it still stuck in this loop?

    (2)  Is the destination VPN server also a Zyxel security gateway?

    (3)  What is your VPN gateway application scenario? Are you available to provide your test topology and startup-config.conf file to me via private message?


    Thanks.



  • Lou_S
    Hi Jeff-

    Thanks for the reply. I was trying to connect a tunnel from the router to a VPN service (Nord VPN). Nord claims to support IPSEC/IKEv2 using Client_Role with xauth/EAP. I don't know whose tech was used as the VPN server.

    I was stuck in this loop for a while but gave up and canceled the service.  NordVPN support wouldn't share the needed config settings and I hit a wall.  Their refusal to share even basic info made this too hard to debug.

    Thanks anyway

    Lou
  • Zyxel_Jeff
    Zyxel Employee

    Hi @Lou_S

    Thanks for your feedback.

    If you need any assistance in the future, please let us know.


