Multiple S2S VPNs with AWS can't be established after internet break

  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee

    Hi @Wojtas,

    Thank you for your feedback.

    When you connect strongSwan with your mobile phone, can the Windows PC connect to the USG210's L2TP?

    In the provided log, we see that

    2021-06-09 13:40:46, 5.173.121.215:4969 ,USG_IP:500 , info ,ike ,IKE_LOG , , , , Receiving IKEv2 request

    Do you use the strongSwan software to connect with your USG210 or with another server?
    What is the strongSwan VPN type?

    In the screenshot you provided, there's a TEST_IKEv2_Tunnel. What is the purpose of this? Can you inactivate and test it again?

    If you can always reproduce this symptom, can you clear your log (Monitor > Log > Clear), reproduce this symptom and send me the clean log output (ike, ipsec vpn and l2tp vpn log as before) by private message?


  • Wojtas
    Wojtas Posts: 49  Freshman Member
    I have an L2TP VPN working, and people use it all the time. I configured IKEv2 only for tests (TEST_IKEv2_Tunnel). When I made a connection from Windows 10 (WiFi from my mobile phone) everything worked, but when I tried to connect from Android (strongSwan is needed because Android natively doesn't support IKEv2) I killed my IKEv2 tunnels to AWS.

    I use the strongSwan software to connect with the USG210 only; the VPN type was IKEv2.

    I tried to connect from strongSwan two times, and the tunnels to AWS always went down.

  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee

    Hi @Wojtas,

    Could you share screenshots of the TEST_IKEv2_Tunnel VPN's configuration with me?
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    Hi, @Zyxel_Can

    Sure, screens already sent by PM.
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    Hi, @Zyxel_Can

    Do you have any news for me? I would like to switch all my users to the IKEv2 C2S VPN tunnel, but I can't because I can't use it for mobile phones...

  • Wojtas
    Wojtas Posts: 49  Freshman Member
    edited June 2021
    Hello, @Zyxel_Can

    I have further interesting observations. When I had set up the IKEv2 C2S VPN with only one type of encryption in both phases and tried to connect from Windows 10, the USG chose the wrong VPN connection in phase 2. More screenshots in PM.

    EDIT:

    I don't know why, but the IKEv2 C2S VPN is working ONLY in the configuration described in this scenario:

    https://mysupport.zyxel.com/hc/en-us/articles/360005744000--ZyWALL-USG-How-to-set-up-a-Client-to-Site-VPN-Configuration-Payload-DHCP-connection-using-IKEv2

  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    Hi @Wojtas,

    Thank you for sharing information with us.

    When you are broadcasting a hotspot WiFi signal from your Android smartphone and press the connect button in the strongSwan software, does your smartphone connect to your USG210 successfully via IKEv2 VPN?

    Does the IKEv2 tunnel between the Android smartphone and the USG210 get built successfully?

    If so, can you please share a screenshot of the Monitor > VPN Monitor > IPSec menu with me?

    Also, can you please provide me the following information by private message:

    1- Remote admin access to your USG210
    2- Remote desktop (AnyDesk/TeamViewer) access to a Windows PC in your AD

    I would like to test this symptom for strongSwan and Win10 clients.
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    Hi @Zyxel_Can

    I am not broadcasting WiFi from my Android smartphone when I am testing strongSwan. I can't connect to the USG; the IKEv2 tunnel has not been built.

    I can't give you remote admin access to my USG, but I can prepare a Windows 10 laptop with TeamViewer and limited-admin access, but we have to agree on a maintenance window.
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee

    Hi @Wojtas,

    Thank you for your feedback.

    Please kindly provide a limited-admin account for your USG210, the remote desktop information for the Windows 10 laptop and the maintenance window details to me by private message.


  • Wojtas
    Wojtas Posts: 49  Freshman Member
    Hi @Zyxel_Can

    I probably fixed it. The issue for the tunnels to AWS was the wrong DH group and encryption algorithms; when I changed them to DH14 and AES128-SHA256 in both phases, the tunnels started working normally (negotiation time is pretty fast, and all tunnels go to UP). I suppose that the reason for the issue in tunnel negotiation was the DH group only. I will change AES128-SHA256 to AES256-SHA256 in a few weeks; now I need some time for tests.

    About the Client to Server IKEv2 tunnel: it started working too, but I am still able to break another IKEv2 tunnel during tunnel initialization. Let's say that for C2S I have AES-256 with SHA-256 and DH14, the same settings for both phases. When I set up an IKEv2 VPN connection on my Windows laptop with the parameters AES-256, SHA-256, DH14 in phase 1 and AES-256, SHA-256, DH = None in phase 2, and try to connect to the USG, then I break the already established tunnel in first place on the IPSec tunnel list. I don't know why... Fortunately, after the changes from the first paragraph of this post, the tunnel came back really quickly.
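As an added example (not code from the thread, Zyxel or AWS), the following Python models IKEv2 proposal selection as described in RFC 7296 section 3.3: the responder (the USG in the thread) takes the first initiator proposal it is also configured for, and no match means NO_PROPOSAL_CHOSEN. It illustrates why a phase 2 proposal with no DH group, like the Windows one described above, cannot agree on a CHILD_SA with a gateway configured for DH14 in both phases. The keyword table and the gateway/client proposal strings are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# strongSwan-style keywords -> IANA IKEv2 transform names (constructed subset)
ENCR = {"aes128": "ENCR_AES_CBC/128", "aes256": "ENCR_AES_CBC/256"}
INTEG = {"sha1": "AUTH_HMAC_SHA1_96", "sha256": "AUTH_HMAC_SHA2_256_128"}
DH = {"modp1024": 2, "modp2048": 14, "ecp256": 19}


@dataclass(frozen=True)
class Proposal:
    encr: str
    integ: str
    dh: Optional[int]  # None = no DH exchange; only meaningful for a CHILD_SA


def parse(spec: str, child: bool = False) -> Proposal:
    """Parse 'aes128-sha256-modp2048'; a CHILD_SA (ESP) proposal may omit the
    group ('aes256-sha256', no PFS). An IKE_SA proposal must carry one."""
    parts = spec.strip().lower().split("-")
    if len(parts) not in (2, 3):
        raise ValueError(f"bad proposal: {spec}")
    dh = DH[parts[2]] if len(parts) == 3 else None
    if dh is None and not child:
        raise ValueError(f"IKE_SA proposal needs a DH group: {spec}")
    return Proposal(ENCR[parts[0]], INTEG[parts[1]], dh)


def parse_list(specs: str, child: bool = False) -> list[Proposal]:
    """Comma-separated proposals in preference order."""
    return [parse(s, child) for s in specs.split(",")]


def select(responder: list[Proposal], initiator: list[Proposal]) -> Optional[Proposal]:
    """Responder takes the first initiator proposal it is configured for
    (RFC 7296 s3.3); None models the NO_PROPOSAL_CHOSEN notify."""
    for p in initiator:
        if p in responder:
            return p
    return None


def negotiate(gw_ike: str, gw_esp: str, cl_ike: str, cl_esp: str) -> dict:
    """Both phases between a gateway (responder) and a client (initiator)."""
    ike = select(parse_list(gw_ike), parse_list(cl_ike))
    esp = None
    if ike is not None:  # a CHILD_SA is only negotiated once the IKE_SA exists
        esp = select(parse_list(gw_esp, True), parse_list(cl_esp, True))
    return {"IKE_SA": ike, "CHILD_SA": esp}


if __name__ == "__main__":
    # Phase 2 without a DH group against a gateway that wants DH14 in both phases
    print(negotiate("aes256-sha256-modp2048", "aes256-sha256-modp2048",
                    "aes256-sha256-modp2048", "aes256-sha256"))
```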