IPsec VPN "site to site" USG20<-> USG40
hi
I need an IPsec VPN: headquarters USG40, other site USG20 (firmware 3.30).
In the USG40 there are IKEv1 and IKEv2, and I chose IKEv2.
In the USG20 there is no IKE version choice.
this is the guide:
https://mysupport.zyxel.com/hc/en-us/articles/360005745060--ZyWALL-USG-How-to-manually-configure-a-Site-to-Site-VPN-tunnel
but it does not work.
what am I doing wrong?
are there any policies to set?
thanks
Damiano
0
All Replies
-
USG20 does not support IKEv2, only IKEv1.
0 -
hi,
now I configured IKEv1 on the USG40 but nothing.
External office USG20, LAN IP 192.168.6.0/24
VPN GATEWAY:
name TOHEAD
Interface Wan1
static address: IP of headquarters
pre-shared key MyPassword
SA life time 86400
negotiation main
AES128 SHA1 DH2 (no NAT traversal)
USG VPN connection:
Site to site
VPN Gateway TOHEAD
local policy LAN1_Subnet INTERFACE SUBNET 192.168.6.0/24
remote policy SUBNET 192.168.8.0/24
SA LIFE TIME 86400
ESP
Tunnel
AES128 SHA1 DH2
zone IPSec_VPN
Headquarters USG40, LAN IP 192.168.8.0/24
VPN GATEWAY:
name TOEXT
IKE version IKEv1
Interface Wan1
static address: IP of external office
pre-shared key MyPassword
SA life time 86400
negotiation main
AES128 SHA1 DH2 (no NAT traversal)
USG VPN connection:
Site to site
VPN Gateway TOEXT
local policy LAN1_Subnet INTERFACE SUBNET 192.168.8.0/24
remote policy SUBNET 192.168.6.0/24
SA LIFE TIME 86400
ESP
Tunnel
AES128 SHA1 DH2
zone IPSec_VPN
All activated; I try to connect (30 seconds) and it does not DIAL.
0 -
Show the IKE logs from both gateways.
0 -
serverpal said:
hi, now I configured IKEv1 on the USG40 but nothing.

Triple check that all the settings match. The only things that should not match are:
- Local/Remote subnets in Phase 2 / VPN Connection (local and remote should be swapped between the two sides)
- Local/Remote ID in Phase 1 / VPN Gateway (local and remote should be swapped between the two sides)
Verify that the traffic you need can reach the firewall (port forwarding, firewall rules, whatever). If one of the two sides of the VPN does not have a static public IP, the scenario should be configured accordingly, and the "dynamic side" should be the one "calling" (nailed-up) and the static one should not.
0 -
hi,
this is the IKE log
IKE LOG USG40 HEADQUARTERS:
1 2021-11-27 10:40:31 info IKE Peer not reachable 192.168.1.237:500 XXX.XXX.XXX.XXX:500 (<--- static IP of external office) IKE_LOG
2 2021-11-27 10:40:31 info IKE ISAKMP SA [VPN_Gateway_Pal2] is disconnected 192.168.1.237:500 XXX.XXX.XXX.XXX:500 (<--- static IP of external office) IKE_LOG
3 2021-11-27 10:40:31 info IKE The cookie pair is : 0x23023dc0f7cfb265 / 0x0000000000000000 192.168.1.237:500 XXX.XXX.XXX.XXX:500 (<--- static IP of external office) IKE_LOG

IKE LOG USG20 EXTERNAL OFFICE:
1 2021-11-27 09:36:03 info IKE ISAKMP SA [Pal1_VPN] is disconnected 192.168.1.50:500 XXX.XXX.XXX.XXX:500 (<--- static IP of HEADQUARTERS) IKE_LOG
2 2021-11-27 09:36:03 info IKE The cookie pair is : 0xe9aa5f403ff41848 / 0x0000000000000000 192.168.1.50:500 XXX.XXX.XXX.XXX:500 (<--- static IP of HEADQUARTERS) IKE_LOG
0 -
192.168.1.237:500
192.168.1.50:500
May I assume that both firewalls have a 192.168.1.0/24 subnet on the WAN interface, and that there is a NAT device between each firewall and the internet?
If the answer is yes you should:
- on both sides forward UDP ports 500 and 4500 to the USG devices (check that the setting survives a reboot of the device between the internet and the USG)
- enable "NAT Traversal" on both VPN Gateways (Phase 1)
- don't forget to enable only one VPN Connection (Phase 2) as "nailed up", not on both USGs
1 -
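The two IKE logs above say more than "disconnected": the IKE source addresses are RFC 1918, and in both cookie pairs the second (responder) cookie is still all zeros, which in IKEv1 Main Mode means the first message was never answered, so this is reachability, not a proposal or PSK mismatch. The following script is an added example, not code from the thread or from Zyxel: it parses log lines constructed to mirror the ones posted (the masked public IPs are replaced with documentation-range addresses) and reports those three indicators.

```python
import ipaddress
import re

# Constructed sample modelled on the IKE log entries posted above. The poster
# masked the public peer addresses as XXX.XXX.XXX.XXX; 203.0.113.20 and
# 198.51.100.7 are documentation-range stand-ins, not real addresses.
USG40_IKE_LOG = """\
1 2021-11-27 10:40:31 info IKE Peer not reachable 192.168.1.237:500 203.0.113.20:500 IKE_LOG
2 2021-11-27 10:40:31 info IKE ISAKMP SA [VPN_Gateway_Pal2] is disconnected 192.168.1.237:500 203.0.113.20:500 IKE_LOG
3 2021-11-27 10:40:31 info IKE The cookie pair is : 0x23023dc0f7cfb265 / 0x0000000000000000 192.168.1.237:500 203.0.113.20:500 IKE_LOG
"""

USG20_IKE_LOG = """\
1 2021-11-27 09:36:03 info IKE ISAKMP SA [Pal1_VPN] is disconnected 192.168.1.50:500 198.51.100.7:500 IKE_LOG
2 2021-11-27 09:36:03 info IKE The cookie pair is : 0xe9aa5f403ff41848 / 0x0000000000000000 192.168.1.50:500 198.51.100.7:500 IKE_LOG
"""

# One entry: index, timestamp, level, category, message, src ip:port, dst ip:port, tag.
LINE_RE = re.compile(
    r"^\d+\s+(?P<ts>\S+\s+\S+)\s+(?P<level>\w+)\s+IKE\s+(?P<msg>.+?)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+IKE_LOG$"
)
# IKEv1 ISAKMP header: initiator cookie / responder cookie.
COOKIE_RE = re.compile(r"0x([0-9a-fA-F]{16})\s*/\s*0x([0-9a-fA-F]{16})")


def parse_ike_log(text):
    """Parse the flattened USG IKE log into dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def diagnose(entries):
    """Return (code, detail) findings for the failure modes visible in the thread's logs."""
    findings = []
    for src in sorted({e["src"] for e in entries}):
        if ipaddress.ip_address(src).is_private:
            findings.append(("behind_nat",
                f"IKE is sourced from private address {src}: the USG sits behind another "
                f"router, so UDP 500/4500 must be forwarded to it and NAT traversal enabled"))
    for e in entries:
        if "Peer not reachable" in e["msg"]:
            findings.append(("no_reply", f"no IKE answer from {e['dst']}:{e['dport']}"))
        cm = COOKIE_RE.search(e["msg"])
        if cm and int(cm.group(2), 16) == 0:
            # The responder cookie is only filled in once the peer replies to message 1
            # of Main Mode, so an all-zero value means phase 1 never got an answer.
            findings.append(("responder_cookie_zero",
                f"initiator cookie {cm.group(1)} never received a responder cookie: "
                f"not a proposal or PSK mismatch, the first IKE packet was not answered"))
    return findings


if __name__ == "__main__":
    for name, log in (("USG40 (HQ)", USG40_IKE_LOG), ("USG20 (external office)", USG20_IKE_LOG)):
        print(name)
        for code, detail in diagnose(parse_ike_log(log)):
            print(f"  [{code}] {detail}")
```

The regex is tied to the column order of the pasted log (index, timestamp, level, category, message, source, destination, tag); if your export has extra columns, adjust `LINE_RE` rather than the diagnosis logic. Once the ISP routers forward UDP 500 and 4500 to the USGs, the responder cookie should be non-zero and any remaining failure will show as a phase 1 or phase 2 proposal/ID error instead.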
hi, thank you.
there is ISP router between firewall and internet.
On both sides I forwarded UDP and TCP ports 500 and 4500 to the USG devices.
Enable "NAT Traversal" on both VPN Gateways (Phase 1) - DONE
Don't forget to enable only one VPN Connection (Phase 2) as "nailed up", not on both USGs - DONE
Now I get a connection on both VPN Connections (the world icon is ON), but if I ping the other LAN I don't get a reply (Request timed out).
This is the log on the USG at HEADQUARTERS:
0 -
Oh. Italian dude. I'm Italian too. If you'd like to have professional support in your language...
Check all the info related to the VPN gateway on both sides.
0 -
Hi @serverpal,
Please check whether the security policy from WAN to Device on both USGs includes the NATT service port.
Data traffic cannot pass through if there is no UDP 4500 in the WAN to ZyWALL rule.
0 -
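Two replies in this thread reduce to one checklist: every phase 1 and phase 2 parameter must be identical on both USGs, the local/remote policies must be mirrored, NAT traversal must be on wherever the WAN address is private, only one side should be nailed up, and the WAN-to-ZyWALL security policy must allow UDP 500 and 4500 (the NATT port Zyxel support points at, without which phase 1 completes but no ESP-in-UDP data passes). The script below is an added example, not code from the thread or from Zyxel. It encodes the two configurations exactly as posted (AES128/SHA1/DH2, main mode, 86400 s lifetimes, NAT traversal off, 192.168.6.0/24 and 192.168.8.0/24); the dict keys, the `wan_ip` field (the IKE source address seen in the logs), the `wan_to_zywall_udp` set, the assumption that both sides were nailed up and that only UDP 500 was initially allowed are hypothetical, chosen to reproduce the thread's failure states.

```python
import copy
import ipaddress

# Constructed from the two configurations posted in the thread. Gateway names
# and crypto parameters are the poster's; the field names and the two
# "missing" items (nat_traversal False, no UDP 4500 in wan_to_zywall_udp) are
# assumptions made to reproduce the failures discussed in the replies.
PHASE1_MUST_MATCH = ("ike_version", "negotiation", "encryption", "auth",
                     "dh_group", "psk", "sa_lifetime")
PHASE2_MUST_MATCH = ("protocol", "mode", "encryption", "auth", "pfs_group", "sa_lifetime")

usg20 = {
    "name": "USG20 external office (gateway TOHEAD)",
    "wan_ip": "192.168.1.50",
    "phase1": {"ike_version": 1, "negotiation": "main", "encryption": "AES128", "auth": "SHA1",
               "dh_group": 2, "psk": "MyPassword", "sa_lifetime": 86400, "nat_traversal": False},
    "phase2": {"protocol": "ESP", "mode": "tunnel", "encryption": "AES128", "auth": "SHA1",
               "pfs_group": 2, "sa_lifetime": 86400,
               "local": "192.168.6.0/24", "remote": "192.168.8.0/24", "nailed_up": True},
    "wan_to_zywall_udp": {500},
}
usg40 = {
    "name": "USG40 headquarters (gateway TOEXT)",
    "wan_ip": "192.168.1.237",
    "phase1": {"ike_version": 1, "negotiation": "main", "encryption": "AES128", "auth": "SHA1",
               "dh_group": 2, "psk": "MyPassword", "sa_lifetime": 86400, "nat_traversal": False},
    "phase2": {"protocol": "ESP", "mode": "tunnel", "encryption": "AES128", "auth": "SHA1",
               "pfs_group": 2, "sa_lifetime": 86400,
               "local": "192.168.8.0/24", "remote": "192.168.6.0/24", "nailed_up": True},
    "wan_to_zywall_udp": {500},
}


def check_site_to_site(a, b):
    """Return the list of problems that would stop phase 1, phase 2 or data traffic."""
    problems = []
    # 1. Everything in the proposals must be equal on both sides.
    for phase, keys in (("phase1", PHASE1_MUST_MATCH), ("phase2", PHASE2_MUST_MATCH)):
        for k in keys:
            if a[phase].get(k) != b[phase].get(k):
                problems.append(f"{phase} {k} differs: {a[phase].get(k)!r} vs {b[phase].get(k)!r}")
    # 2. Traffic selectors must be mirrored, not equal.
    for x, y in ((a, b), (b, a)):
        if ipaddress.ip_network(x["phase2"]["local"]) != ipaddress.ip_network(y["phase2"]["remote"]):
            problems.append(f"{x['name']}: local policy {x['phase2']['local']} is not the "
                            f"other side's remote policy {y['phase2']['remote']}")
    # 3. A private WAN address means a NAT device in front of the USG.
    for s in (a, b):
        if ipaddress.ip_address(s["wan_ip"]).is_private and not s["phase1"]["nat_traversal"]:
            problems.append(f"{s['name']}: WAN {s['wan_ip']} is behind NAT but NAT traversal is off")
        # 4. WAN-to-ZyWALL policy must accept IKE (500) and NAT-T/ESP-in-UDP (4500).
        missing = {500, 4500} - set(s["wan_to_zywall_udp"])
        if missing:
            problems.append(f"{s['name']}: WAN-to-ZyWALL policy lacks UDP {sorted(missing)}")
    # 5. Exactly one side initiates.
    nailed = [s["name"] for s in (a, b) if s["phase2"]["nailed_up"]]
    if len(nailed) != 1:
        problems.append(f"exactly one side should be nailed up, found {len(nailed)}")
    return problems


def apply_thread_fixes(a, b):
    """Copies of both configs with the fixes given in the replies applied."""
    a, b = copy.deepcopy(a), copy.deepcopy(b)
    for s in (a, b):
        s["phase1"]["nat_traversal"] = True
        s["wan_to_zywall_udp"] = {500, 4500}
    b["phase2"]["nailed_up"] = False   # only the external office dials
    return a, b


if __name__ == "__main__":
    for p in check_site_to_site(usg20, usg40):
        print("before:", p)
    print("after fixes:", check_site_to_site(*apply_thread_fixes(usg20, usg40)) or "no problems")
```

The pre-shared key is compared here as a literal only because both values were typed into the example; a real USG will not show the stored key back, so re-enter it on both sides rather than trusting a visual comparison. Separately from the connectivity problem, DH group 2 (1024-bit MODP) and SHA1 are below current recommendations for IKE; if the USG20 firmware offers DH group 14 and SHA256, use them on both sides (the same matching rule applies).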
hi,
thank you for help.
side External office (subnet 192.168.2.0/24):
Vpn Connection:
Policy:
Ping to HEADQUARTER subnet:
Zyxel Log External Office:
side HEADQUARTER (subnet 192.168.8.0/24):
Vpn connection:
firewall:
and it does not work.
0