VPN solution with USG20-VPN and Fritzbox
All Replies
-
Thanks a lot @PeterUK , that works perfect. I also added the Key groups DH14 and DH19 groups in Phase 1 to enable VPN from iOS. With DH2 it did not work for me.
As I now have a more secure feeling I would like to ask if anybody of you worries about the connections attempts in the monitor logs from other countries? Since the VPN gateway is enabled I see connection attempts in the logs like this which is definetly not mine. Is that anything I have to worry about?
0 -
Exposing any port is a risk but if your patched it fine.
If you want to up the security you can have your clients run DDNS and on your side allow from source them FQDN to Zywall works really well.
0 -
Hi @Zyxel_James ,
thanks for your answer and the instruction link. I checked it and it works to get the configuration from the server, but no connection can be established. Here is what the IKE logs says:
6
2024-01-04 10:38:04
info
IKE
IKE SA [VPN_Home] is disconnected
192.168.10.153:500
80.187.120.128:500
IKE_LOG
7
2024-01-04 10:38:04
info
IKE
The cookie pair is : 0x8fa5b15cd3cbf7bd / 0x187b653fb168338d
192.168.10.153:500
80.187.120.128:500
IKE_LOG
16
2024-01-04 10:37:46
info
IKE
IKE SA [VPN_Home] is disconnected
192.168.10.153:500
80.187.120.128:500
IKE_LOG
17
2024-01-04 10:37:46
info
IKE
The cookie pair is : 0xdb227cc9faba3f7d / 0x2bd4af28c484e1fc
192.168.10.153:500
80.187.120.128:500
IKE_LOG
19
2024-01-04 10:37:32
info
IKE
IPsec SA negotiation failed
192.168.10.153:500
80.187.120.128:500
IKE_LOG
20
2024-01-04 10:37:32
info
IKE
[AUTH] Recv:[IDi][AUTH][SA][TSi][TSr][NOTIFY][NOTIFY]
80.187.120.128:4500
192.168.10.153:4500
IKE_LOG
21
2024-01-04 10:37:32
info
IKE
The cookie pair is : 0x187b653fb168338d / 0x8fa5b15cd3cbf7bd
80.187.120.128:4500
192.168.10.153:4500
IKE_LOG
22
2024-01-04 10:37:32
info
IKE
[INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID][VID]
192.168.10.153:500
80.187.120.128:500
IKE_LOG
23
2024-01-04 10:37:32
info
IKE
The cookie pair is : 0x8fa5b15cd3cbf7bd / 0x187b653fb168338d [count=2]
192.168.10.153:500
80.187.120.128:500
IKE_LOG
24
2024-01-04 10:37:32
info
IKE
Recv IKE sa: SA([0] protocol = IKE (1), spi_len = 8, spi = 0x8fa5b15c d3cbf7bd, AES CBC key len = 256, HMAC-SHA256 PRF, HMAC-SHA256-128, 521 bit ECP, 384 bit ECP, 256 bit ECP, 8192 bit MODP, 6144 bit MODP, 4096 bit MODP, 3072 bit MODP, 2048 bit MODP, 1536
80.187.120.128:500
192.168.10.153:500
IKE_LOG
25
2024-01-04 10:37:32
info
IKE
The cookie pair is : 0x187b653fb168338d / 0x8fa5b15cd3cbf7bd [count=2]
80.187.120.128:500
192.168.10.153:500
IKE_LOG
26
2024-01-04 10:37:32
info
IKE
IKE SA [VPN_Home] is disconnected
192.168.10.153:500
80.187.120.128:500
IKE_LOG
27
2024-01-04 10:37:32
info
IKE
The cookie pair is : 0x23ab84b2fe0eacf7 / 0xdaf4ccf9d50fc3f1
192.168.10.153:500
80.187.120.128:500
IKE_LOG
28
2024-01-04 10:37:32
info
IKE
Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256 PRF, HMAC-SHA256-128, 521 bit ECP, 384 bit ECP, 256 bit ECP, 8192 bit MODP, 6144 bit MODP, 4096 bit MODP, 3072 bit MODP, 2048 bit MODP, 1536 bit MODP, 1024 bit MODP, 768 bit MODP;
80.187.120.128:500
192.168.10.153:500
IKE_LOG
29
2024-01-04 10:37:32
info
IKE
[INIT] Recv: [SA][NONCE][NOTIFY][NOTIFY][KE][VID] [count=2]
80.187.120.128:500
192.168.10.153:500
IKE_LOG
30
2024-01-04 10:37:32
info
IKE
Receiving IKEv2 request [count=2]
80.187.120.128:500
192.168.10.153:500
IKE_LOG
31
2024-01-04 10:37:32
info
IKE
The cookie pair is : 0xdaf4ccf9d50fc3f1 / 0x23ab84b2fe0eacf7 [count=2]
80.187.120.128:500
192.168.10.153:500
IKE_LOG
33
2024-01-04 10:37:14
info
IKE
IPsec SA negotiation failed
192.168.10.153:500
80.187.120.128:500
IKE_LOG
34
2024-01-04 10:37:14
info
IKE
[AUTH] Recv:[IDi][AUTH][SA][TSi][TSr][NOTIFY][NOTIFY]
80.187.120.128:4500
192.168.10.153:4500
IKE_LOG
35
2024-01-04 10:37:14
info
IKE
The cookie pair is : 0x2bd4af28c484e1fc / 0xdb227cc9faba3f7d
80.187.120.128:4500
192.168.10.153:4500
IKE_LOG
36
2024-01-04 10:37:14
info
IKE
[INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID][VID]
192.168.10.153:500
80.187.120.128:500
IKE_LOG
37
2024-01-04 10:37:14
info
IKE
The cookie pair is : 0xdb227cc9faba3f7d / 0x2bd4af28c484e1fc [count=2]
192.168.10.153:500
80.187.120.128:500
IKE_LOG
38
2024-01-04 10:37:13
info
IKE
Recv IKE sa: SA([0] protocol = IKE (1), spi_len = 8, spi = 0xdb227cc9 faba3f7d, AES CBC key len = 256, HMAC-SHA256 PRF, HMAC-SHA256-128, 521 bit ECP, 384 bit ECP, 256 bit ECP, 8192 bit MODP, 6144 bit MODP, 4096 bit MODP, 3072 bit MODP, 2048 bit MODP, 1536
80.187.120.128:500
192.168.10.153:500
IKE_LOG
39
2024-01-04 10:37:13
info
IKE
The cookie pair is : 0x2bd4af28c484e1fc / 0xdb227cc9faba3f7d [count=2]
80.187.120.128:500
192.168.10.153:500
IKE_LOG
40
2024-01-04 10:37:13
info
IKE
IKE SA [VPN_Home] is disconnected
192.168.10.153:500
80.187.120.128:500
IKE_LOG
41
2024-01-04 10:37:13
info
IKE
The cookie pair is : 0x2c1cf186d4a913f5 / 0x7223966460b10d98
192.168.10.153:500
80.187.120.128:500
IKE_LOG
42
2024-01-04 10:37:13
info
IKE
Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256 PRF, HMAC-SHA256-128, 521 bit ECP, 384 bit ECP, 256 bit ECP, 8192 bit MODP, 6144 bit MODP, 4096 bit MODP, 3072 bit MODP, 2048 bit MODP, 1536 bit MODP, 1024 bit MODP, 768 bit MODP;
80.187.120.128:500
192.168.10.153:500
IKE_LOG
43
2024-01-04 10:37:13
info
IKE
[INIT] Recv: [SA][NONCE][NOTIFY][NOTIFY][KE][VID] [count=2]
80.187.120.128:500
192.168.10.153:500
IKE_LOG
44
2024-01-04 10:37:13
info
IKE
Receiving IKEv2 request [count=2]
80.187.120.128:500
192.168.10.153:500
IKE_LOG
45
2024-01-04 10:37:13
info
IKE
The cookie pair is : 0x7223966460b10d98 / 0x2c1cf186d4a913f5 [count=2]
80.187.120.128:500
192.168.10.153:500
0 -
6
2024-01-04 10:38:04
info
IKE
IKE SA [VPN_Home] is disconnected
192.168.10.153:500
80.187.120.128:500
IKE_LOG
0 -
PeterUK game some good insider stuff for modifying the encryption on the Windows client.
Here's some steps for a Windows 10 vpn client.
L2TP-Windows 10
- Click Windows Start Icon
- Click Settings Gear on left of popup window
- Click Network and Internet
- Click VPN on left panel
- Click [+] Add a VPN Connection
- VPN Provider
-Select Built in (from list)
-Connection Name enter: name your l2tp connection-Server Name or Address enter: (ip of USG router)
-VPN Type: L2TP/IPSEC with preshared key
(When selected Preshared key text box will appear)
-Preshared key enter: (enter the pre-shared key you created on your usg router l2tp gateway)-Type of sign-in info: User name and password
-User name enter: (name of user created on the USG /Object User)
-Password enter: (password of user created on the USG /Object User)
Save Connection
Sounds like you have this solved, just adding to the pot.
0
Guru Member
Ally Member
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 238 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight
