Several Site-to-site with Dynamic Peer IKE1 connection -- wrong Phase2 for Phase1

Dreadbit
edited April 2021 in Security
Hello, on a USG40 I have two Site-to-site with Dynamic Peer IKE1 connections, with different algos, different shared keys and different remote-policy / phase 2 settings. Connection 1 is established and working, but when I try to establish connection 2, from the log I see that Phase 1 (in VPN Gateway terms in the web GUI) identifies the peer, but then it tries to build Phase 2 (VPN Connection) according to Connection 1's settings.
I clearly bind the Phase 2 settings to Connection 2 and see it as the remote-policy in the config (I configure things via the web GUI and check via the CLI).

The same configuration with two IKE2 site-to-site-with-dynamic-peer connections works without problem.

What to do? The remote devices with IKE1 cannot do IKE2.
All Replies

  • Zyxel_Stanley (Zyxel Employee)

    Hi @Dreadbit  

    You may try to configure different “Local ID” in phase 1.

    It can help the system select the correct VPN rule when there are many dynamic rules.


  • Dreadbit
    @Zyxel_Stanley, thanks for the reply.
    That did not help. I set a unique Local ID type on server/incoming side and also changed Peer ID to unique (and it matches with the caller).
    As before, phase I is OK, and phase II is selected the wrong way.
  • Zyxel_Stanley (Zyxel Employee)

    Hi @Dreadbit

    Can you post your VPN settings or send your config to me by private message for further checking?

  • Dreadbit
    @Zyxel_Stanley, thanks for your help; dropped you a private message.
  • kruess
    Hi, did you get any further with that investigation? We have been observing similar behaviour in the past, too. But it's hard to analyse with ~20 active IPsec VPNs.
  • Zyxel_Vic (Zyxel Employee)
    Hi @kruess
    In the previous case, we suggested changing the IKE phase from main mode to aggressive mode, since both sites need to be configured in the same mode or the VPN won't be established successfully. Hope this solution helps in your scenario, too.
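An added illustration of why the main-to-aggressive change resolves this class of problem (this is not Zyxel code and not the USG's actual rule-matching implementation; the `GatewayRule` fields, rule names, IDs and PSKs are a constructed model). In IKEv1 main mode the initiator's identity payload is only sent in message 5, already encrypted under keys derived from the pre-shared key, so a responder that holds several dynamic-peer PSK gateways has nothing but the unknown source address to choose by and effectively commits to the first dynamic rule, phase 2 policy included. In aggressive mode the ID is carried in the first message, so the responder can pick the gateway (and the VPN Connection bound to it) by ID. The model below reproduces the symptom from the thread in main mode and shows it disappearing in aggressive mode, plus a small check that lists dynamic main-mode rules that are shadowed by an earlier one:

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class GatewayRule:
    """One 'VPN Gateway' (phase 1) rule and the 'VPN Connection' (phase 2) bound to it.

    Hypothetical model for illustration; not the USG configuration schema.
    """
    name: str
    peer: str        # fixed peer address, or "dynamic"
    mode: str        # IKEv1 phase 1 mode: "main" or "aggressive"
    peer_id: str     # remote ID the responder expects for this rule
    psk: str
    phase2: str      # name of the VPN Connection (remote policy) bound to this gateway


def select_rule(rules: List[GatewayRule], src_ip: str, mode: str,
                initiator_id: str) -> Optional[GatewayRule]:
    """Return the gateway rule a responder can pick for an incoming IKEv1 proposal.

    Main mode: the initiator ID is not available when the rule must be chosen,
    so with several dynamic rules the first one wins. Aggressive mode: the ID is
    in message 1, so the rule is selected by ID.
    """
    same_mode = [r for r in rules if r.mode == mode]
    fixed = [r for r in same_mode if r.peer == src_ip]
    if fixed:
        return fixed[0]                      # a static-peer rule matches by address
    dynamic = [r for r in same_mode if r.peer == "dynamic"]
    if not dynamic:
        return None
    if mode == "aggressive":
        return next((r for r in dynamic if r.peer_id == initiator_id), None)
    return dynamic[0]                        # main mode: ID not yet known, first dynamic rule


def phase2_for(rules: List[GatewayRule], src_ip: str, mode: str,
               initiator_id: str) -> Optional[str]:
    """Name of the phase 2 policy the responder would try to build, or None."""
    rule = select_rule(rules, src_ip, mode, initiator_id)
    return rule.phase2 if rule else None


def ambiguous_dynamic_rules(rules: List[GatewayRule]) -> List[str]:
    """Names of dynamic main-mode rules that can never be chosen by peer ID
    because an earlier dynamic main-mode rule shadows them."""
    seen_first = False
    shadowed = []
    for r in rules:
        if r.peer == "dynamic" and r.mode == "main":
            if seen_first:
                shadowed.append(r.name)
            seen_first = True
    return shadowed


# Constructed rule set mirroring the thread: two dynamic-peer IKEv1 gateways
# with different IDs, different PSKs and different phase 2 policies.
MAIN_MODE_RULES = [
    GatewayRule("gw_conn1", "dynamic", "main", "site1.example", "psk-one", "conn1_phase2"),
    GatewayRule("gw_conn2", "dynamic", "main", "site2.example", "psk-two", "conn2_phase2"),
]
# The same two gateways after switching both ends to aggressive mode.
AGGRESSIVE_RULES = [replace(r, mode="aggressive") for r in MAIN_MODE_RULES]

if __name__ == "__main__":
    caller = "203.0.113.7"   # constructed dynamic source address
    print("main mode, site2 calls       ->",
          phase2_for(MAIN_MODE_RULES, caller, "main", "site2.example"))
    print("aggressive mode, site2 calls ->",
          phase2_for(AGGRESSIVE_RULES, caller, "aggressive", "site2.example"))
    print("shadowed dynamic main-mode rules:", ambiguous_dynamic_rules(MAIN_MODE_RULES))
```

Running it shows the second site landing on `conn1_phase2` in main mode, which is the wrong-phase-2 symptom above, and on `conn2_phase2` once both rules are aggressive mode; `ambiguous_dynamic_rules` is the kind of sanity check worth running over a larger rule set like the ~20 tunnels mentioned, since every dynamic main-mode PSK gateway after the first is a candidate for this behaviour.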