Connect Zyxel as a client to StrongSwan VPN server
Hi, I have a USG Flex 200 and I am trying to connect it as a client to a custom strongSwan. The goal is to redirect web traffic from the local network behind the Zyxel through the remote VPN.
The VPN is a cloud-based custom strongSwan, so there is some freedom to configure it in any way that might satisfy my USG Flex 200. It makes sense to mention that the VPN itself works for other clients (at least Android).
On the one hand, Zyxel offers a "client role" during the configuration process (so I expect what I want is possible in theory); on the other hand, there is not much material on this topic.
Currently I am able to pass auth, but it can't assign an IP. What can be done to fix it, or to solve the problem in other ways?
expected a virtual IP request, sending FAILED_CP_REQUIRED
configuration payload negotiation failed, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
generating IKE_AUTH response 1 [ IDr CERT AUTH N(FAIL_CP_REQ) ]
Also attaching additional information: swan logs, swan config, zyxel vpn gateway, zyxel vpn connection:
All Replies
I tried to understand the strongswan config several times. Am I dumb, or can I not see any reference to PFS?
Agree, there is a mismatch between the USG and strongSwan configuration for the phase 2 (ESP) DH group. But (probably) it is not the reason: for example, if I change the phase 1 (IKE) DH group, a different error happens earlier, while changing the phase 2 (ESP) DH group does not change anything. Probably the error happens before phase 2?
I guess the main reason is 'expected a virtual IP request, sending FAILED_CP_REQUIRED'; if I understood it correctly, the USG does not request a virtual IP, and I am not sure how to make it request one.
Just in case, dh2 is basically modp1024.
As far as I know, the Zyxel firewall only supports acting as a VPN server for IPSec software clients, with
- IKEv1 + mode config
- L2TP over IPSec
- IKEv2 + EAP-MSCHAPv2 + configuration payload.
It does not support acting as an IPSec VPN client using any of the above VPN types.
That means it won't support sending a mode-config or configuration payload request to a VPN server.
You can only create another site-to-site rule on StrongSwan for it.
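A strongSwan swanctl.conf for the site-to-site approach suggested above, added here as an example and not taken from this thread. Addresses, identities and the pre-shared key are placeholders; the USG's phase 1 and phase 2 proposals must match what is listed here, and the USG "remote policy" 0.0.0.0/0 mentioned later corresponds to local_ts on this side.

```conf
# Added example (not the poster's configuration): swanctl.conf on the
# strongSwan server for a site-to-site tunnel with a USG FLEX 200.
connections {
    zyxel-s2s {
        version = 2
        local_addrs  = %any
        remote_addrs = 203.0.113.10          # placeholder: USG WAN address
        proposals = aes256-sha256-modp2048   # IKE (phase 1) proposal, must match the USG

        local {
            auth = psk
            id = vpn.example.com             # placeholder: must equal the Peer ID set on the USG
        }
        remote {
            auth = psk
            id = 203.0.113.10
        }

        # Deliberately no "pools" on this connection: a configured pool makes charon
        # expect a configuration-payload (virtual IP) request from the peer, and a peer
        # that never sends one is answered with FAILED_CP_REQUIRED (the log line above).
        # A site-to-site tunnel is defined by traffic selectors instead.
        children {
            zyxel-lan {
                local_ts  = 0.0.0.0/0        # server side: everything, so LAN web traffic can exit here
                remote_ts = 192.168.1.0/24   # placeholder: LAN subnet behind the USG
                esp_proposals = aes256-sha256-modp2048   # ESP (phase 2) proposal incl. PFS group, must match the USG
                start_action = trap          # install the policy; the USG initiates
            }
        }
    }
}

secrets {
    ike-zyxel {
        id = 203.0.113.10                    # placeholder, same as remote id above
        secret = "placeholder-preshared-key"
    }
}
```

For traffic from the USG LAN to actually reach the internet through this server, the server must also forward and source-NAT it (net.ipv4.ip_forward=1 and a MASQUERADE rule on its outbound interface).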
Ok, I played around with the site-to-site solution:
- Tunnel was established (yay!)
- Ping works in both directions: the ZyWALL and a local PC can ping the remote strongSwan and vice versa (yay again!)
The problem is how to make internet traffic go through the tunnel:
I have a remote policy of 0.0.0.0/0 and introduce a policy route for a specific website:
- Incoming: any
- Source: any
- Destination: [FQDN_address_object]
- Next-Hop: [VPN_Tunnel]
I can ping this website via its IP and FQDN (www address) from the local PC or from the LAN interface (and I am sure this ping goes through the tunnel), but it does not work via the browser. What can be the issue here?
UPD
Ok, it was not a problem; fixed by a reboot of the strongSwan server PC.