Site-to-site with two Flex 100H

MWS Posts: 3
edited January 21 in USG FLEX H Series

Hi again

I upgraded my setup:

  • Office: FritzBox > Flex 100H
  • Home: FritzBox > Flex 100H

I have a static IP in both locations and I would like to do a site-to-site VPN with IPsec. At the beginning I tried to just open ESP and UDP 500/4500 and tried to follow the example for a direct connection ("How to Configure Site-to-site IPSec VPN Where the Peer has a Static IP Address" in the handbook). That did not work, so I set the Flex 100Hs as exposed hosts in the Fritzbox. If I type the public IP in the browser I reach them. I again followed the example and then tried to connect, but no success (I used the public IPs as "my address" and "peer gateway address"). It says (also before when I did not have them as exposed hosts):

Command failed: CHILD_SA config 'sec_policy1_OfficeToHome' not found

I can't see anything being blocked in the log. Any idea what's missing?

Edit: never mind, I returned the devices.

All Replies

  • SANIC
    SANIC Posts: 4

    Hi,

    I have exactly the same problem, but with a Flex 200H on FW V1.20(ABWV.0).

    Built the tunnel custom and also with the wizard. Same problem. It shows the red icon for a problem, but it can't be solved. If you press Solve, nothing happens.

    I really need help with this.

  • PeterUK
    PeterUK Posts: 2,846  Guru Member

    Post both ends' interface listings and site-to-site settings.

  • Zyxel_James
    Zyxel_James Posts: 625  Zyxel Employee

    Are both sides behind NAT? Could you provide your VPN configuration?

  • SANIC
    SANIC Posts: 4
    edited April 30

    Both sides have routed subnets without NAT.
    Triple-checked both sides' settings:
    AES256-SHA512-DH21-86400
    AES256-SHA512-DH21-28800
    Secret for testing: Abcd1234 (changed it because I wanted to check if a special character causes the problems)

    I also tried other encryption settings and also tried a misconfiguration on one side, but the behavior won't change.

    Debug log on the 200H when saving the reconfiguration shows: yams ERROR zldipsec:216 - params sec_policy1_XXXX

    The second site's USG60 shows No_proposal_choosen in the normal log on a connection attempt.

    I'd rather not share my complete VPN config with unmasked IPs on an open board. 😉 I don't know if PM is possible here.

  • SANIC
    SANIC Posts: 4
    edited May 2

    I took a look at this support site: https://support.zyxel.eu/hc/de/articles/15718397333906--USG-FLEX-H-Serie-Firewall-Konfigurieren-von-IPSec-Site-To-Site-VPN-auf-der-USG-FLEX-H-Serie-Firewall-mit-dynamischer-IP

    I compared the views and settings options.
    On my firewall there is no option for Active Protocol or Encapsulation in the Phase 2 Policy Settings.

    Maybe a FW bug in 1.20? I created the tunnels on 1.20.

    EDIT: Support tells me this is by design!!

  • SANIC
    SANIC Posts: 4
    edited May 2

    OK, found the bug/problem. If you use the character " in the PSK, then this tunnel and all following configured tunnels are not working and bring up the same error, even when the PSK in the following tunnels does not use this special character.

    A support ticket is opened and the error is confirmed by support, but I want to post an update here as well in case someone has the same problem.
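As an added example (not from this thread and not Zyxel's code): a small Python helper that lints a proposed PSK for the double quote SANIC found to break the tunnel configuration, generates a replacement key from an alphabet that avoids it, and flags the two log signatures quoted in the thread so the failure can be spotted before anyone starts re-checking proposals. The 20-character minimum and the wider strict character set are my assumptions, not device limits.

```python
import re
import secrets
import string

# The thread reports that a double quote in the PSK breaks the Flex H tunnel
# config. The wider set is an assumption (characters a config serializer
# commonly mishandles) and is only applied in strict mode.
REPORTED_BREAKING = {'"'}
STRICT_SUSPECT = {'"', "'", '\\', '`', '$', ' '}  # assumption
SAFE_ALPHABET = string.ascii_letters + string.digits + "-_.:+=@!%^*"

def psk_findings(psk, strict=False):
    """Return a list of problems with a proposed PSK (empty list = fine)."""
    findings = []
    suspect = STRICT_SUSPECT if strict else REPORTED_BREAKING
    hits = sorted({c for c in psk if c in suspect})
    if hits:
        findings.append("contains characters that break the config: %r" % hits)
    if len(psk) < 20:  # local policy assumption, not a device limit
        findings.append("shorter than 20 characters")
    return findings

def generate_psk(length=32):
    """Generate a PSK from an alphabet without the problematic characters."""
    return "".join(secrets.choice(SAFE_ALPHABET) for _ in range(length))

# Log signatures quoted in the thread; the group captures the policy name.
ERROR_PATTERNS = {
    "child_sa_config_missing": re.compile(r"CHILD_SA config '([^']+)' not found"),
    "zldipsec_params_error": re.compile(r"yams ERROR zldipsec:\d+ - params (\S+)"),
}

def scan_log(lines):
    """Return (signature, policy name) for every line matching a known error."""
    hits = []
    for line in lines:
        for name, pattern in ERROR_PATTERNS.items():
            m = pattern.search(line)
            if m:
                hits.append((name, m.group(1)))
    return hits

# Constructed sample log, modelled on the two messages quoted in the thread.
SAMPLE_LOG = [
    "Command failed: CHILD_SA config 'sec_policy1_OfficeToHome' not found",
    "IKE_SA established with peer",
    "yams ERROR zldipsec:216 - params sec_policy1_XXXX",
]
```

Run `psk_findings()` over every PSK before saving a tunnel; a non-empty result on the first tunnel explains the same error appearing on all tunnels configured after it.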