IPSec - Difference between USG Flex200 and 500

nubira
nubira Posts: 14
First Comment Friend Collector Second Anniversary
in Security
Hello Zyxel!

I tested a USG Flex200 firewall a couple of months ago. I was able to set up Site to Site IPSec VPN.
I am now working with a USG Felx500 firewall, I use the same settings as before but the VPN connection is not working. I see the following entries in the log:

[SA]: No proposal chosen [count = 11]
[SA]: Tunnel [ipsec_tun] Phase 2 proposal mismatch [count = 11]
The cookie pair is: 0x17f1b7f811048b03 / 0x4d5b3b5ddc4e9173 [count = 33]
Send: [HASH] [NOTIFY: NO_PROPOSAL_CHOSEN] [count = 9]

In phase 2, under the Proposal option, I only use the 3DES-MD5 setting. I have used this successfully before for the USG Flex200 firewall (the configuration of the remote site has not changed).

Can there be a difference between the USG Felx200 and 500? Maybe 3DES-MD5 algorithms are handled differently?

Thanks!


All Replies

  • PeterUK
    PeterUK Posts: 2,230
    100 Answers 1000 Comments Friend Collector Sixth Anniversary
     Guru Member
    edited April 2021
    Try with both ends with phase 1 and 2 at AES128 SHA1
  • mMontana
    mMontana Posts: 1,249
    50 Answers 1000 Comments Friend Collector Fourth Anniversary
     Guru Member
    Also, 3DES-MD5 is quite... unsecure....
  • Zyxel_Can
    Zyxel_Can Posts: 342
    25 Answers First Comment Friend Collector
     Zyxel Employee

    Hi @nubira,

     

    Can you check the Proposals and Key groups are same for the both site in Phase 1?

    Can you check the Proposals and Perfect Forward Secrecy are the same for the both site in Phase 2?

    If that doesn’t solve your problem, can you provide me remote access to USG FLEX200 and USG FLEX500 by private message?


  • nubira
    nubira Posts: 14
    First Comment Friend Collector Second Anniversary
    Dear Community,

    I went back to the USG FELX200. The same configuration as on the 500, connects to the remote firewall without an error message in logs (I know 3des-md5 is not secure, but it is supported by the remote site).
    But the traffic is not working:

    As you can see, inbound traffic is zero. What could be the reason for this?

    1. Security Policiy?
    The relevant security policies look like this:


    2. Routing?
    I didn't add a route manually. It would be necessary?

    I still don’t understand it all because this configuration was still working in January (when I tested the Zyxel products). I just bought them and we can’t work with them.

    Thanks
  • nubira
    nubira Posts: 14
    First Comment Friend Collector Second Anniversary
    Hello,

    I found the solution. New security rules were needed:


    When I set it up, the traffic started in the tunnel. Interestingly, there was no need for this in January.

    The point is, it works  :)

    Thanks

Categories

Security Highlight


Read more

Security Help Center

  • FAQ
  • New & Release
  • Monthly Express
  • Threat Intelligence
  • Video Tutorials
    • EnglishTiếng ViệtРусскийไทย中文(台灣)