USG 500 FLEX: IPSec Site-to-Site behind Double NAT only possible in Aggressive Mode?
With our previously used Draytek Vigor 3910 it was possible to establish an IPsec Site-to-Site VPN connection in Main Mode even behind a double NAT, that is, the Draytek was connected to another (CPE) router for DOCSIS Internet access. Now the USG 500 FLEX is connected to that same DOCSIS router but seems not to be able to establish a connection. I believe the Draytek could just send the IP that was manually entered in the connection setup. Could it be that the USG 500 can only send the IP which is actually bound to the respective WAN port (a local address handed out by the DOCSIS router in this case) and that with this configuration an IPsec connection is only possible in Aggressive Mode?
All Replies
Hi @SAMJUN,
Welcome to Zyxel community.
Assuming the FLEX 500 is behind a NAT device, you need to add port mappings on the NAT device to forward IKE/ESP/NAT-T (UDP 4500) traffic.
Can you post the FLEX 500 VPN IKE log?
Monitor > Log > View Log
Before: internet <--> Docsis <----> Draytek, VPN OK
Now: internet <--> Docsis <----> USG 500 Flex, VPN KO.
Am I correct?
Does the USG 500 Flex wait for the interconnection or actively connect to the other endpoint?
@mMontana, it depends on the Peer Gateway Address: if the FLEX VPN phase 1 peer gateway is a dynamic IP, it runs in the responder role.
VPN phase 1 Peer Gateway Address is static IP <= Initiator role
VPN phase 1 Peer Gateway Address is Dynamic Address <= Responder role
Hi @SAMJUN,
BTW, can you also take a screenshot of the Draytek "LAN to LAN" profile? (Mask your public IP.) With the Draytek settings, we can know how to adjust the settings in the Flex 500.
Sorry, @Zyxel_Cooldia, I forgot to mention @SAMJUN. The question was for that user.
I have to use the "nailed up" setting behind a carrier-grade NAT.
Have a nice day.
@Zyxel_Cooldia Thanks for the warm welcome! The USG 500 is a DMZ host of the first NAT router so it is passing everything right through to the USG 500.
@mMontana That's correct, yes.
This is the working LAN to LAN profile in the Vigor:
I will extract some IKE logs as soon as possible and post them here, too.
The Draytek seems to be "Dial In", so it waits for the connection from the counterpart. In the Zyxel, is the "Nailed up" setting enabled?
I see no reference to PFS/Diffie-Hellman in the Vigor. Is it hidden under some buttons? If the device does not support that flavour, is PFS disabled on the Zyxel?
Last but not least: is NAT Traversal enabled on the Zyxel?
Hi @SAMJUN, can you help to post the FLEX VPN IKE log? We would like to check the IKE negotiation log.
mMontana said:
    The Draytek seems to be "Dial In", so it waits for the connection from the counterpart. In the Zyxel, is the "Nailed up" setting enabled? I see no reference to PFS/Diffie-Hellman in the Vigor. Is it hidden under some buttons? If the device does not support that flavour, is PFS disabled on the Zyxel? Last but not least: is NAT Traversal enabled on the Zyxel?
'Nailed up' and NAT Traversal are enabled.
Zyxel_Cooldia said:
    Hi @SAMJUN, can you help to post the FLEX VPN IKE log? We would like to check the IKE negotiation log.
@SAMJUN the "basic" list of accepted Encryption, HMAC, DH and AH is... pretty wide. In my personal opinion, a bit too much.
This will ease a lot the configuration moment with Draytek devices, but on the other hand might lead to several negotiation (and security, more on that later) issues: if devices cannot handshake a "common ground" about parameters, the caller could simply say "too many retries" and give up.
This is the cue-in for aggressive mode, which more or less skips handshaking and accepts pretty much anything that is proposed. If the IPsec communication is narrowed to the only/few static addresses expected to call, that's fine and no concern at all. If it's expected to receive contact from the whole internet because of roaming clients, I personally won't allow aggressive negotiation.
The security point has already been introduced talking about aggressive mode, but now comes to the encryption. In 2022, DES and 3DES are as secure as PPTP, so no security at all. DES was retired in 2005, 3DES in 2018, AES was introduced in 2001. Allowing any DES version (DES, 3DES, TwoWay DES) is no security thinking for today nor for tomorrow, in my personal opinion and practice. This doesn't mean that any DES-based IPsec VPN won't work, it's simply not a wise choice for me.
I suggest you take a bit more time tinkering, narrowing the options and preferring more secure ones. If the Draytek only allows you to choose among three presets, pick medium or high, note down the possible encryption, HMAC and DH, and put the simplest among these into your USG500.
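The following is an added example, not part of the thread and not code from Zyxel or DrayTek. It models in Python how an IKEv1 Phase 1 responder picks a transform (per RFC 2409 the responder walks the initiator's proposals in the initiator's order and accepts the first one it is also configured with), why a wide "accept anything" list on both ends can land on DES/MD5 even though both peers support AES, and how to find the strongest non-retired transform both sides share so that it can be configured as the single proposal on the USG. The two policy lists and the weak-algorithm sets are constructed for the example and do not reproduce any real device preset.

```python
from dataclasses import dataclass
from typing import List, Optional

# Algorithms treated as unfit for new deployments (assumption drawn from the
# thread's advice, not a vendor list): DES/3DES, MD5 and the small DH groups.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"MD5"}
WEAK_DH_GROUPS = {1, 2}

# Relative strength used only to pick the best common transform.
ENC_RANK = {"DES": 0, "3DES": 1, "AES128": 2, "AES256": 3}
INT_RANK = {"MD5": 0, "SHA1": 1, "SHA256": 2}


@dataclass(frozen=True)
class Proposal:
    """One IKE Phase 1 transform: encryption, integrity hash, DH group."""
    encryption: str
    integrity: str
    dh_group: int


def weaknesses(p: Proposal) -> List[str]:
    """Reasons a transform should be avoided; an empty list means it is fine."""
    reasons = []
    if p.encryption in WEAK_ENCRYPTION:
        reasons.append(f"encryption {p.encryption} is retired")
    if p.integrity in WEAK_INTEGRITY:
        reasons.append(f"hash {p.integrity} is broken")
    if p.dh_group in WEAK_DH_GROUPS:
        reasons.append(f"DH group {p.dh_group} is too small")
    return reasons


def select_proposal(initiator: List[Proposal],
                    responder: List[Proposal]) -> Optional[Proposal]:
    """Responder choice as in RFC 2409: the first proposal, in the
    initiator's order, that exactly matches one the responder accepts.
    None stands for NO_PROPOSAL_CHOSEN, i.e. Phase 1 fails."""
    accepted = set(responder)
    for p in initiator:
        if p in accepted:
            return p
    return None


def strongest_common(a: List[Proposal],
                     b: List[Proposal]) -> Optional[Proposal]:
    """The strongest transform both sides support that has no weakness:
    the one to note down and configure as the single proposal."""
    common = [p for p in set(a) & set(b) if not weaknesses(p)]
    if not common:
        return None
    return max(common, key=lambda p: (ENC_RANK[p.encryption],
                                      INT_RANK[p.integrity], p.dh_group))


# Constructed sample policies. WIDE_PRESET stands in for a preset that
# accepts almost anything, weakest entries first; NARROW_USG is a single
# strong transform configured on the other peer.
WIDE_PRESET = [
    Proposal("DES", "MD5", 1),
    Proposal("3DES", "MD5", 2),
    Proposal("3DES", "SHA1", 2),
    Proposal("AES128", "SHA1", 5),
    Proposal("AES256", "SHA256", 14),
]
NARROW_USG = [Proposal("AES256", "SHA256", 14)]


if __name__ == "__main__":
    # Narrow initiator against a wide responder: the strong transform wins.
    print("narrow -> wide :", select_proposal(NARROW_USG, WIDE_PRESET))
    # Wide list on both ends: the initiator's first entry (DES/MD5) is chosen
    # even though both peers support AES256/SHA256.
    chosen = select_proposal(WIDE_PRESET, WIDE_PRESET)
    print("wide -> wide   :", chosen, weaknesses(chosen))
    # No overlap at all: negotiation fails with NO_PROPOSAL_CHOSEN.
    print("no overlap     :", select_proposal([Proposal("AES256", "SHA256", 19)],
                                              WIDE_PRESET))
    # What to configure instead of the wide list.
    print("best common    :", strongest_common(WIDE_PRESET, WIDE_PRESET))
```

The "wide -> wide" case is the point of the advice above: the order of the initiator's list decides, so a preset that leads with DES will negotiate DES whenever the far end tolerates it. Trimming the USG to the single transform returned by `strongest_common` removes both the retry storms from a long mismatched list and the chance of silently landing on a retired cipher.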