USG20W : only one user can connect to IPSEC gateway
Hi,
We have a USG20W with the latest 4.65 firmware.
We have the feeling that the issue is relatively new, but we can't prove it (we had in June/July a big gap upgrade to the 4.62)
When a first user connects to the IPSEC GW: everything is fine
When a second user connects, both connections become very unstable, but not totally dead
When a third user connects, all connections are totally ineffective
USG CPU usage is high with 2 users (96/98%)
Some details (USG address has been replaced with X.X.X.X):
IPSEC USG configuration:
crypto map VPN_Sotbridge
activate
adjust-mss auto
ipsec-isakmp VPN_Softbridge
scenario remote-access-server
encapsulation tunnel
transform-set esp-des-sha
set security-association lifetime seconds 86400
set pfs none
local-policy LAN1_SUBNET
remote-policy any
no conn-check activate
!
!
ikev2 policy VPN_Softbridge_Ike2
deactivate
local-ip interface wan1
peer-ip 0.0.0.0 0.0.0.0
authentication pre-share
encrypted-keystring ********
local-id type fqdn server
peer-id type fqdn client
fall-back-check-interval 300
lifetime 86400
group1
transform-set des-md5
dpd-interval 30
Strongswan client configuration
conn softbridge
left=%defaultroute
#left=%any
#leftsourceip=%config
#leftsourceip=192.168.50.100
leftsubnet=192.168.43.0/24
leftid=1.1.1.1
right=X.X.X.X
rightid=1.1.1.1
rightsubnet=192.168.50.0/24
authby=psk
dpdaction=restart
aggressive=no
ikelifetime=1h
ike=des-md5-modp768
esp=des-sha1
keyexchange=ikev1
compress=yes
modeconfig=pull
dpddelay=10s
dpdtimeout=30s
dpdaction=restart
type=tunnel
auto=start
closeaction=restart
Charon log on an unstable client (looping)
Aug 16 13:27:16 dev10 charon-custom: 07[ENC] parsed INFORMATIONAL_V1 request 824554252 [ HASH D ]
Aug 16 13:27:16 dev10 charon-custom: 07[IKE] received DELETE for ESP CHILD_SA with SPI 1f2cb2ae
Aug 16 13:27:16 dev10 charon-custom: 07[IKE] closing CHILD_SA softbridge{104} with SPIs ce41fc8b_i (0 bytes) 1f2cb2ae_o (0 bytes) and TS 192.168.43.0/24 === 192.168.50.0/24
Aug 16 13:27:16 dev10 charon-custom: 07[ENC] generating QUICK_MODE request 72507943 [ HASH SA No ID ID ]
Aug 16 13:27:16 dev10 charon-custom: 07[NET] sending packet: from 192.168.43.193[4500] to X.X.X.X[4500] (292 bytes)
Aug 16 13:27:16 dev10 charon-custom: 11[NET] received packet: from X.X.X.X[4500] to 192.168.43.193[4500] (68 bytes)
Aug 16 13:27:16 dev10 charon-custom: 11[ENC] parsed INFORMATIONAL_V1 request 799614619 [ HASH D ]
Maybe the same problem: https://community.zyxel.com/en/discussion/9620/vpn-ipsec-works-for-only-1-2-user-no-more
Any idea?
Franck
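The charon excerpt above shows one cycle of the loop: the gateway sends a DELETE, the client closes a CHILD_SA that carried 0 bytes in either direction, and a new QUICK_MODE request goes out immediately. The script below is an added diagnostic (not part of the thread and not a strongSwan tool) that counts those cycles per connection from syslog-style charon lines and flags a connection as flapping when several peer-initiated DELETEs land inside a short window. The log format, the `softbridge` connection name and the first lines of the sample are taken from the post; the later SPIs and the `office` connection are constructed to show a healthy close for contrast.

```python
"""Spot CHILD_SA flapping in strongSwan charon log lines.

A healthy tunnel closes a CHILD_SA on rekey or shutdown and has carried
traffic by then. The pattern quoted in the post is the opposite: the peer
sends DELETE, the client closes an SA that moved 0 bytes, starts a fresh
QUICK_MODE at once, and the cycle repeats within seconds."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the lines quoted in the post (X.X.X.X is the
# gateway placeholder from the original; the SPIs after the first cycle and
# the 'office' connection are made up).
SAMPLE_LOG = """\
Aug 16 13:27:16 dev10 charon-custom: 07[ENC] parsed INFORMATIONAL_V1 request 824554252 [ HASH D ]
Aug 16 13:27:16 dev10 charon-custom: 07[IKE] received DELETE for ESP CHILD_SA with SPI 1f2cb2ae
Aug 16 13:27:16 dev10 charon-custom: 07[IKE] closing CHILD_SA softbridge{104} with SPIs ce41fc8b_i (0 bytes) 1f2cb2ae_o (0 bytes) and TS 192.168.43.0/24 === 192.168.50.0/24
Aug 16 13:27:16 dev10 charon-custom: 07[ENC] generating QUICK_MODE request 72507943 [ HASH SA No ID ID ]
Aug 16 13:27:16 dev10 charon-custom: 07[NET] sending packet: from 192.168.43.193[4500] to X.X.X.X[4500] (292 bytes)
Aug 16 13:27:24 dev10 charon-custom: 11[IKE] received DELETE for ESP CHILD_SA with SPI 0a0a0a01
Aug 16 13:27:24 dev10 charon-custom: 11[IKE] closing CHILD_SA softbridge{105} with SPIs 0b0b0b01_i (0 bytes) 0a0a0a01_o (0 bytes) and TS 192.168.43.0/24 === 192.168.50.0/24
Aug 16 13:27:24 dev10 charon-custom: 11[ENC] generating QUICK_MODE request 72507944 [ HASH SA No ID ID ]
Aug 16 13:27:33 dev10 charon-custom: 09[IKE] received DELETE for ESP CHILD_SA with SPI 0a0a0a02
Aug 16 13:27:33 dev10 charon-custom: 09[IKE] closing CHILD_SA softbridge{106} with SPIs 0b0b0b02_i (0 bytes) 0a0a0a02_o (0 bytes) and TS 192.168.43.0/24 === 192.168.50.0/24
Aug 16 13:27:33 dev10 charon-custom: 09[ENC] generating QUICK_MODE request 72507945 [ HASH SA No ID ID ]
Aug 16 14:10:02 dev10 charon-custom: 05[IKE] closing CHILD_SA office{7} with SPIs c0ffee01_i (183202 bytes) c0ffee02_o (94411 bytes) and TS 192.168.43.0/24 === 10.0.0.0/24
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: \d+\[\w+\] (?P<msg>.*)$")
DELETE_RE = re.compile(r"received DELETE for ESP CHILD_SA with SPI [0-9a-f]+")
CLOSE_RE = re.compile(r"closing CHILD_SA (?P<conn>[\w-]+)\{\d+\} with SPIs "
                      r"[0-9a-f]+_i \((?P<bytes_i>\d+) bytes\) [0-9a-f]+_o \((?P<bytes_o>\d+) bytes\)")
QM_RE = re.compile(r"generating QUICK_MODE request")


def parse_line(line):
    """Return (timestamp, message) for a charon syslog line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; only deltas inside one capture matter
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return ts, m.group("msg")


def analyze(log_text, window_s=60, max_cycles=3):
    """Per connection: closes, closes with 0 bytes both ways, peer-initiated
    DELETEs, QUICK_MODE renegotiations, and a flapping verdict (at least
    max_cycles peer DELETEs inside window_s seconds).

    Lines are taken in order. On a busy daemon events from several charon
    threads interleave, so attribute by thread id before trusting this on a
    client with many connections."""
    stats = defaultdict(lambda: {"closes": 0, "idle_closes": 0, "deletes": [], "renegotiations": 0})
    pending_delete = None  # time of a DELETE not yet matched to a close
    last_conn = None       # connection whose SA was closed most recently
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        close = CLOSE_RE.search(msg)
        if DELETE_RE.search(msg):
            pending_delete = ts
        elif close:
            s = stats[close.group("conn")]
            s["closes"] += 1
            if close.group("bytes_i") == "0" and close.group("bytes_o") == "0":
                s["idle_closes"] += 1  # torn down before it ever carried traffic
            if pending_delete is not None:
                s["deletes"].append(pending_delete)
                pending_delete = None
            last_conn = close.group("conn")
        elif QM_RE.search(msg) and last_conn is not None:
            stats[last_conn]["renegotiations"] += 1

    report = {}
    for conn, s in stats.items():
        times = s["deletes"]
        # sliding window over the sorted DELETE timestamps
        flapping = any(
            sum(1 for t in times[i:] if (t - times[i]).total_seconds() <= window_s) >= max_cycles
            for i in range(len(times)))
        report[conn] = {"closes": s["closes"], "idle_closes": s["idle_closes"],
                        "peer_deletes": len(times), "renegotiations": s["renegotiations"],
                        "flapping": flapping}
    return report


if __name__ == "__main__":
    for conn, r in analyze(SAMPLE_LOG).items():
        print(conn, r)
```

Run it against `journalctl -u strongswan` output (or `/var/log/syslog`) from the affected client; a connection that shows `idle_closes` close to `closes` and `flapping: True` is being torn down by the peer faster than it can be used, which matches what the second and third users in the thread see.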
All Replies
-
Is it client to site VPN or site to site VPN in your scenario?
If I remember correctly, client to site VPN should encapsulate as transport mode, and site to site VPN should be tunnel mode.
My Strongswan client cfg for your reference.
conn shield
left=Y.Y.Y.Y <= client ip
leftid=vpnclient
leftauth=psk
leftauth2=xauth
leftsourceip=%config
leftfirewall=yes
right=X.X.X.X <= USG WAN ip
rightsubnet=192.168.1.0/24 <= USG lan subnet
rightid=X.X.X.X <= USG WAN ip
rightauth=psk
auto=add
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
-
Hi lalaland & pohofiwo,
Tx for your answers,
I've made some tests this morning but I was not able to set up a connection with "transport" mode on both sides
Note:
- This Zyxel doc about client-to-site configuration tells us to set up tunnel mode: https://support.zyxel.eu/hc/en-us/articles/360001378833-VPN-Client-To-Site-Setup-on-USG-ZyWall-Devices
- @lalaland, your example does not specify type, so I assume type is "tunnel" too, which is the default. Is your example for Client-To-Site?
- Zyxel firmware updates (from 3.something to 4.62 then 4.65)
- Change from Shrew linux VPN client to StrongSwan VPN client (because the Shrew one doesn't build anymore with recent Ubuntu releases)
For the moment, I've switched from ikev1 to ikev2 and I wait for a second user to connect (we are not on the same timezone)
Thanks!
-
I was wondering about your settings. Assuming your case is client to site VPN, the cfg should not have a declaration of leftsubnet.
The configuration looks like site to site VPN scenario settings to me.
This is an example for your reference.
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2ClientConfig
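To make the two points raised so far checkable without eyeballing the config, here is an added ipsec.conf linter (my own code, not from the thread, Zyxel or strongSwan). It parses `conn` sections the way they were pasted above, indentation and all, and reports: duplicated keys (the first config sets `dpdaction` twice), proposal components I class as reject (DES, MD5, modp768) or legacy (3DES, SHA-1, modp1024), proposal lists not made strict with `!`, and the site-to-site shape that `leftsubnet` without `leftsourceip` gives a client. The sample input is the two `conn` fragments quoted earlier, with the `<= ...` annotations removed; the reject/legacy classification is my own and is labelled as such in the code.

```python
"""Lint strongSwan ipsec.conf conn sections for weak proposals and for the
road-warrior vs site-to-site shape discussed in the thread."""
import re

# Constructed sample: the two fragments quoted in the thread, annotations
# stripped (X.X.X.X / Y.Y.Y.Y are the placeholders used in the posts).
SAMPLE_CONF = """\
conn softbridge
    left=%defaultroute
    #leftsourceip=%config
    leftsubnet=192.168.43.0/24
    leftid=1.1.1.1
    right=X.X.X.X
    rightid=1.1.1.1
    rightsubnet=192.168.50.0/24
    authby=psk
    dpdaction=restart
    ike=des-md5-modp768
    esp=des-sha1
    keyexchange=ikev1
    compress=yes
    modeconfig=pull
    dpdaction=restart
    type=tunnel
    auto=start

conn shield
    left=Y.Y.Y.Y
    leftid=vpnclient
    leftauth=psk
    leftauth2=xauth
    leftsourceip=%config
    right=X.X.X.X
    rightsubnet=192.168.1.0/24
    rightid=X.X.X.X
    rightauth=psk
    auto=add
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
"""

# Reviewer's classification (assumption, not a strongSwan or RFC table):
# 'reject' should not be negotiated at all, 'legacy' deserves a migration plan.
BROKEN = {"des": "56-bit key, brute-forceable",
          "md5": "deprecated, collision-broken hash",
          "modp768": "768-bit DH, factored in practice (Logjam)"}
LEGACY = {"3des", "sha1", "modp1024"}


def parse_ipsec_conf(text):
    """Return {conn: [(key, value), ...]} preserving order and duplicates.
    Indentation is ignored, so a flattened copy-paste parses like a real file."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = []
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current].append((key.strip(), value.strip()))
    return conns


def proposal_components(spec):
    """'aes256-sha2_256-modp1024!' -> ['aes256', 'sha2_256', 'modp1024'];
    comma-separated proposals are flattened into one list."""
    comps = []
    for proposal in spec.rstrip("!").split(","):
        comps.extend(c.strip().lower() for c in proposal.split("-") if c.strip())
    return comps


def lint_conn(entries):
    findings = []
    keys = [k for k, _ in entries]
    for k in sorted(set(keys)):
        if keys.count(k) > 1:
            findings.append(f"duplicate key '{k}' ({keys.count(k)} times)")
    settings = dict(entries)  # later occurrence wins
    for field in ("ike", "esp"):
        spec = settings.get(field)
        if spec is None:
            continue
        for comp in proposal_components(spec):
            if comp in BROKEN:
                findings.append(f"{field}: reject '{comp}' ({BROKEN[comp]})")
            elif comp in LEGACY:
                findings.append(f"{field}: legacy '{comp}'")
        if not spec.endswith("!"):
            # '!' makes the list strict; without it strongSwan also adds its default proposals
            findings.append(f"{field}: proposal list not strict (no '!')")
    if "leftsubnet" in settings and "leftsourceip" not in settings:
        findings.append("leftsubnet set without leftsourceip: site-to-site shape "
                        "(a road-warrior client usually requests an address with leftsourceip=%config)")
    findings.append(f"info: type={settings.get('type', 'tunnel')} (tunnel is the default)")
    return findings


def lint(text):
    """{conn name: [finding, ...]} for every conn section in text."""
    return {name: lint_conn(entries) for name, entries in parse_ipsec_conf(text).items()}


if __name__ == "__main__":
    for name, findings in lint(SAMPLE_CONF).items():
        print(f"conn {name}")
        for f in findings:
            print("   ", f)
```

Point it at `/etc/ipsec.conf` on the client (`lint(open("/etc/ipsec.conf").read())`). The `info: type=` line is there because the thread argues about tunnel versus transport: the tool reports what is in effect rather than taking a side, since the Zyxel client-to-site guide linked above uses tunnel mode.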
-
Hi,
I did not have more success with your last example. It's functional, but only for one user
I'm going to try to have support from Zyxel
-
Another way to build up VPN tunnels for your reference. It's GUI based and easier to set up a VPN tunnel.
The configuration is l2tp over IPSec with user authentication scenario.
Click add to create VPN tunnel
Type gateway IP and username password.
Tick "Enable IPsec tunnel to l2tp host"
Just leave this page as default settings.