Site-to-site VPN between Zywall 110 and MS Azure
Freshman Member
I am setting up a Site-to-Site VPN between my small office and MS Azure. The office network is behind a NAT in the Zywall 110 since we have multiple public IP addresses for some outward facing servers. I have seen references to Policy Based and Route based VPN. Which is better?
[Update]
I used the Quick Setup wizard, which generated a Policy Based Site-to-Site VPN. The MS Azure connection stays in a "connecting" status and the Zywall never goes to connected status. If I click the Connect button for the connection, it times out. I am guessing something isn't in sync between the two configuration, but I don't see what it is.
Here is the Zywall configuration:
Gateway
Connection:
The Azure settings are:
Azure Vnet Address space:
Vnet subnets:
Vnet Gateway:
Local Net Gateway:
Connection:
Any wisdom would be appreciated.
Eric
Accepted Solution
-
The logs show "Phase 1 Peer ID mismatch" and "No proposal chosen", please check if the phase 1/2 algorithms have corresponded, and the Local/Peer ID seems incorrect too. Please show the encrypted algorithms of phase1/2.
Moreover, is your firewall behind NAT?
0
Zyxel Employee
All Replies
-
Here is a knowledge base article for your reference
https://support.zyxel.eu/hc/en-us/articles/360001524813-VPN-Configure-Site-to-site-IPSec-VPN-with-Microsoft-MS-Azure-#h_01GM2Y0XGGSWR8QC896WNS1D1X
To troubleshoot the site-to-site VPN connection, please provide the VPN-related logs, thanks.
0 -
Thanks. I'll look through this.
0 -
That knowledge base article is the one I used to set up the VPN (Azure & ZyWall). I went ahead and deleted my configuration and Reconfigured both environments. I have included screen shots of the IKE log from the ZyWall 110 as well as the configurations of both environments. I did the screen shots of the log because I found the e-mail of the log difficult to read. I didn't see any other options to get the log.
IKE Log:
ZyWall Gateway:
ZyWall Connection:
Azure Vnet Address Space:
Azure Vnet Subnets:
Azure Local Gateway:
Azure Vnet Gateway:
Azure Connection:
Thank you.
0 -
The logs show "Phase 1 Peer ID mismatch" and "No proposal chosen", please check if the phase 1/2 algorithms have corresponded, and the Local/Peer ID seems incorrect too. Please show the encrypted algorithms of phase1/2.
Moreover, is your firewall behind NAT?
0 -
Hi @EricLogsdon ,
I do recommend to use route-based IPSec VPN instead of policy-based VPN which is limited for link to cloud service and not easy to trouble shoot.
Also, I think Zyxel obsoleted the policy-based KB by route-based.
0 -
The Phase1/Phase2 algorithms match. I saw the remote peer id was a prior IP address. I updated that. The ZyWall 110 is not behind a NAT, should I disable NATT?
As it stands now, changing the peer id resolved my connection issue. And I am able to communicate into the Azure Vnet.
0 -
I will take a look at that.
0
Master Member
Categories
- All Categories
- 398 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 83 Nebula Status and Incidents
- 5.2K Security
- 99 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 923 WirelessLAN
- 35 WLAN Ideas
- 5.9K Consumer Product
- 213 Service & License
- 337 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2.1K FAQ
- 1K Nebula FAQ
- 445 Security FAQ
- 238 Switch FAQ
- 213 WirelessLAN FAQ
- 47 Consumer Product FAQ
- 142 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 62 Security Highlight
