VPN solution with USG20-VPN and Fritzbox


All Replies

  • kawer83
    kawer83 Posts: 6

    Thanks a lot @PeterUK, that works perfectly. I also added the key groups DH14 and DH19 in Phase 1 to enable VPN from iOS. With DH2 it did not work for me.

    As I now have a more secure feeling, I would like to ask if any of you worry about the connection attempts from other countries in the monitor logs. Since the VPN gateway has been enabled I see connection attempts in the logs like this which are definitely not mine. Is that anything I have to worry about?

  • PeterUK
    PeterUK Posts: 2,811  Guru Member
    edited January 5

    Exposing any port is a risk, but if you're patched it's fine.

    If you want to up the security you can have your clients run DDNS and, on your side, allow only their FQDN as source to the Zywall; that works really well.

  • kawer83
    kawer83 Posts: 6

    Hi @Zyxel_James ,

    thanks for your answer and the instruction link. I checked it and it works to get the configuration from the server, but no connection can be established. Here is what the IKE log says:

    | # | Time | Priority | Category | Message | Source | Destination | Note |
    |---|------|----------|----------|---------|--------|-------------|------|
    | 6 | 2024-01-04 10:38:04 | info | IKE | IKE SA [VPN_Home] is disconnected | 192.168.10.153:500 | 80.187.120.128:500 | IKE_LOG |
    | 7 | 2024-01-04 10:38:04 | info | IKE | The cookie pair is : 0x8fa5b15cd3cbf7bd / 0x187b653fb168338d | 192.168.10.153:500 | 80.187.120.128:500 | IKE_LOG |
    | 16 | 2024-01-04 10:37:46 | info | IKE | IKE SA [VPN_Home] is disconnected | 192.168.10.153:500 | 80.187.120.128:500 | IKE_LOG |
    | 17 | 2024-01-04 10:37:46 | info | IKE | The cookie pair is : 0xdb227cc9faba3f7d / 0x2bd4af28c484e1fc | 192.168.10.153:500 | 80.187.120.128:500 | IKE_LOG |
    | 19 | 2024-01-04 10:37:32 | info | IKE | IPsec SA negotiation failed | 192.168.10.153:500 | 80.187.120.128:500 | IKE_LOG |
    | 20 | 2024-01-04 10:37:32 | info | IKE | [AUTH] Recv:[IDi][AUTH][SA][TSi][TSr][NOTIFY][NOTIFY] | 80.187.120.128:4500 | 192.168.10.153:4500 | IKE_LOG |
    | 21 | 2024-01-04 10:37:32 | info | IKE | The cookie pair is : 0x187b653fb168338d / 0x8fa5b15cd3cbf7bd | 80.187.120.128:4500 | 192.168.10.153:4500 | IKE_LOG |
    | 22 | 2024-01-04 10:37:32 | info | IKE | [INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID][VID] | 192.168.10.153:500 | 80.187.120.128:500 | IKE_LOG |
    | 23 | 2024-01-04 10:37:32 | info | IKE | The cookie pair is : 0x8fa5b15cd3cbf7bd / 0x187b653fb168338d [count=2] | 192.168.10.153:500 | 80.187.120.128:500 | IKE_LOG |
    | 24 | 2024-01-04 10:37:32 | info | IKE | Recv IKE sa: SA([0] protocol = IKE (1), spi_len = 8, spi = 0x8fa5b15c d3cbf7bd, AES CBC key len = 256, HMAC-SHA256 PRF, HMAC-SHA256-128, 521 bit ECP, 384 bit ECP, 256 bit ECP, 8192 bit MODP, 6144 bit MODP, 4096 bit MODP, 3072 bit MODP, 2048 bit MODP, 1536 | 80.187.120.128:500 | 192.168.10.153:500 | IKE_LOG |
    | 25 | 2024-01-04 10:37:32 | info | IKE | The cookie pair is : 0x187b653fb168338d / 0x8fa5b15cd3cbf7bd [count=2] | 80.187.120.128:500 | 192.168.10.153:500 | IKE_LOG |
    | 26 | 2024-01-04 10:37:32 | info | IKE | IKE SA [VPN_Home] is disconnected | 192.168.10.153:500 | 80.187.120.128:500 | IKE_LOG |
    | 27 | 2024-01-04 10:37:32 | info | IKE | The cookie pair is : 0x23ab84b2fe0eacf7 / 0xdaf4ccf9d50fc3f1 | 192.168.10.153:500 | 80.187.120.128:500 | IKE_LOG |
    | 28 | 2024-01-04 10:37:32 | info | IKE | Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256 PRF, HMAC-SHA256-128, 521 bit ECP, 384 bit ECP, 256 bit ECP, 8192 bit MODP, 6144 bit MODP, 4096 bit MODP, 3072 bit MODP, 2048 bit MODP, 1536 bit MODP, 1024 bit MODP, 768 bit MODP; | 80.187.120.128:500 | 192.168.10.153:500 | IKE_LOG |
    | 29 | 2024-01-04 10:37:32 | info | IKE | [INIT] Recv: [SA][NONCE][NOTIFY][NOTIFY][KE][VID] [count=2] | 80.187.120.128:500 | 192.168.10.153:500 | IKE_LOG |
    | 30 | 2024-01-04 10:37:32 | info | IKE | Receiving IKEv2 request [count=2] | 80.187.120.128:500 | 192.168.10.153:500 | IKE_LOG |
    | 31 | 2024-01-04 10:37:32 | info | IKE | The cookie pair is : 0xdaf4ccf9d50fc3f1 / 0x23ab84b2fe0eacf7 [count=2] | 80.187.120.128:500 | 192.168.10.153:500 | IKE_LOG |
    | 33 | 2024-01-04 10:37:14 | info | IKE | IPsec SA negotiation failed | 192.168.10.153:500 | 80.187.120.128:500 | IKE_LOG |
    | 34 | 2024-01-04 10:37:14 | info | IKE | [AUTH] Recv:[IDi][AUTH][SA][TSi][TSr][NOTIFY][NOTIFY] | 80.187.120.128:4500 | 192.168.10.153:4500 | IKE_LOG |
    | 35 | 2024-01-04 10:37:14 | info | IKE | The cookie pair is : 0x2bd4af28c484e1fc / 0xdb227cc9faba3f7d | 80.187.120.128:4500 | 192.168.10.153:4500 | IKE_LOG |
    | 36 | 2024-01-04 10:37:14 | info | IKE | [INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID][VID] | 192.168.10.153:500 | 80.187.120.128:500 | IKE_LOG |
    | 37 | 2024-01-04 10:37:14 | info | IKE | The cookie pair is : 0xdb227cc9faba3f7d / 0x2bd4af28c484e1fc [count=2] | 192.168.10.153:500 | 80.187.120.128:500 | IKE_LOG |
    | 38 | 2024-01-04 10:37:13 | info | IKE | Recv IKE sa: SA([0] protocol = IKE (1), spi_len = 8, spi = 0xdb227cc9 faba3f7d, AES CBC key len = 256, HMAC-SHA256 PRF, HMAC-SHA256-128, 521 bit ECP, 384 bit ECP, 256 bit ECP, 8192 bit MODP, 6144 bit MODP, 4096 bit MODP, 3072 bit MODP, 2048 bit MODP, 1536 | 80.187.120.128:500 | 192.168.10.153:500 | IKE_LOG |
    | 39 | 2024-01-04 10:37:13 | info | IKE | The cookie pair is : 0x2bd4af28c484e1fc / 0xdb227cc9faba3f7d [count=2] | 80.187.120.128:500 | 192.168.10.153:500 | IKE_LOG |
    | 40 | 2024-01-04 10:37:13 | info | IKE | IKE SA [VPN_Home] is disconnected | 192.168.10.153:500 | 80.187.120.128:500 | IKE_LOG |
    | 41 | 2024-01-04 10:37:13 | info | IKE | The cookie pair is : 0x2c1cf186d4a913f5 / 0x7223966460b10d98 | 192.168.10.153:500 | 80.187.120.128:500 | IKE_LOG |
    | 42 | 2024-01-04 10:37:13 | info | IKE | Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256 PRF, HMAC-SHA256-128, 521 bit ECP, 384 bit ECP, 256 bit ECP, 8192 bit MODP, 6144 bit MODP, 4096 bit MODP, 3072 bit MODP, 2048 bit MODP, 1536 bit MODP, 1024 bit MODP, 768 bit MODP; | 80.187.120.128:500 | 192.168.10.153:500 | IKE_LOG |
    | 43 | 2024-01-04 10:37:13 | info | IKE | [INIT] Recv: [SA][NONCE][NOTIFY][NOTIFY][KE][VID] [count=2] | 80.187.120.128:500 | 192.168.10.153:500 | IKE_LOG |
    | 44 | 2024-01-04 10:37:13 | info | IKE | Receiving IKEv2 request [count=2] | 80.187.120.128:500 | 192.168.10.153:500 | IKE_LOG |
    | 45 | 2024-01-04 10:37:13 | info | IKE | The cookie pair is : 0x7223966460b10d98 / 0x2c1cf186d4a913f5 [count=2] | 80.187.120.128:500 | 192.168.10.153:500 | |
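
Added example, not part of kawer83's post or of Zyxel's tooling: a small Python helper that reads entries shaped like the IKE log above, groups them by cookie pair and reports how far each IKEv2 negotiation got before it stopped. The sample log is constructed from the entries quoted above (oldest first, fields separated by `|`); the stage names and verdict strings are this example's own reading of the log lines, not Zyxel's.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the USG20-VPN IKE log quoted above, oldest entry first
# (the post's table shows newest first). Fields: time|message|source|destination.
SAMPLE_LOG = """\
2024-01-04 10:37:32|The cookie pair is : 0xdaf4ccf9d50fc3f1 / 0x23ab84b2fe0eacf7 [count=2]|80.187.120.128:500|192.168.10.153:500
2024-01-04 10:37:32|Receiving IKEv2 request [count=2]|80.187.120.128:500|192.168.10.153:500
2024-01-04 10:37:32|The cookie pair is : 0x23ab84b2fe0eacf7 / 0xdaf4ccf9d50fc3f1|192.168.10.153:500|80.187.120.128:500
2024-01-04 10:37:32|IKE SA [VPN_Home] is disconnected|192.168.10.153:500|80.187.120.128:500
2024-01-04 10:37:32|The cookie pair is : 0x8fa5b15cd3cbf7bd / 0x187b653fb168338d [count=2]|192.168.10.153:500|80.187.120.128:500
2024-01-04 10:37:32|[INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID]|192.168.10.153:500|80.187.120.128:500
2024-01-04 10:37:32|The cookie pair is : 0x187b653fb168338d / 0x8fa5b15cd3cbf7bd|80.187.120.128:4500|192.168.10.153:4500
2024-01-04 10:37:32|[AUTH] Recv:[IDi][AUTH][SA][TSi][TSr][NOTIFY][NOTIFY]|80.187.120.128:4500|192.168.10.153:4500
2024-01-04 10:37:32|IPsec SA negotiation failed|192.168.10.153:500|80.187.120.128:500
"""

COOKIE_RE = re.compile(r"The cookie pair is : (0x[0-9a-f]+) / (0x[0-9a-f]+)")
# Message prefix -> IKEv2 stage it marks. A "cookie pair" line sets the context for
# the entries after it; the SPI order flips with packet direction, so sort the pair.
STAGES = [
    ("Receiving IKEv2 request", "INIT_REQ_RECV"),
    ("[INIT] Send:[SAr1]", "INIT_RESP_SENT"),
    ("[AUTH] Recv:", "AUTH_RECV"),
    ("IPsec SA negotiation failed", "CHILD_SA_FAILED"),
    ("IKE SA [", "DISCONNECTED"),
]
HINTS = {  # furthest meaningful stage -> what to check on the two gateways
    "CHILD_SA_FAILED": "IKE_SA_INIT and IKE_AUTH done, CHILD_SA (Phase 2) rejected: compare Phase 2 proposal and traffic selectors on both ends",
    "AUTH_RECV": "IKE_AUTH received but no Phase 2 result logged",
    "INIT_REQ_RECV": "stopped after IKE_SA_INIT; no IKE_AUTH seen for this SA",
}

def trace_negotiations(log_text):
    """Map each direction-independent cookie pair to the ordered stages it reached."""
    traces, current = defaultdict(list), None
    for line in filter(None, log_text.splitlines()):
        _time, msg, _src, _dst = line.split("|")
        if m := COOKIE_RE.match(msg):
            current = tuple(sorted(m.groups()))
            continue
        for prefix, stage in STAGES:
            if current and msg.startswith(prefix) and stage not in traces[current]:
                traces[current].append(stage)
    return dict(traces)

def diagnose(stages):
    """Verdict for one cookie pair; DISCONNECTED alone says nothing about the cause."""
    for key in ("CHILD_SA_FAILED", "AUTH_RECV", "INIT_REQ_RECV"):
        if key in stages:
            return HINTS[key]
    return "no IKE exchange recorded for this cookie pair"
```

Running `diagnose` over `trace_negotiations(SAMPLE_LOG)` separates the SA that was dropped right after its IKE_SA_INIT request from the one that got through IKE_AUTH and then failed on the IPsec (Phase 2) SA.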


  • mm_bret
    mm_bret Posts: 56  Ally Member

    PeterUK gave some good insider stuff for modifying the encryption on the Windows client.

    Here are some steps for a Windows 10 VPN client.

    L2TP-Windows 10

    1. Click Windows Start Icon
    2. Click Settings Gear on left of popup window
    3. Click Network and Internet
    4. Click VPN on left panel
    5. Click [+] Add a VPN Connection
    6. VPN Provider
      -Select Built in (from list)
      -Connection Name enter: name your l2tp connection
      -Server Name or Address enter: (ip of USG router)
      -VPN Type: L2TP/IPSEC with preshared key
      (When selected Preshared key text box will appear)
      -Preshared key enter: (enter the pre-shared key you created on your usg router l2tp gateway)
      -Type of sign-in info: User name and password
      -User name enter: (name of user created on the USG /Object User)
      -Password enter: (password of user created on the USG /Object User)
      Save Connection

    Sounds like you have this solved, just adding to the pot.
