Site-to-site with two Flex 100H

MWS
MWS Posts: 3
edited January 21 in USG FLEX H Series

Hi again

I upgraded my setting:

  • Office: FritzBox > Flex 100H
  • Home: FritzBox > Flex 100H

I have a static IP in both locations and I would like to do a site-to-site VPN with IPsec. At the beginning I tried to just open ESP and UDP 500/4500 and tried to follow the example for a direct connection ("How to Configure Site-to-site IPSec VPN Where the Peer has a Static IP Address" in the handbook). That did not work, so I set the Flex 100Hs as exposed hosts in the Fritzbox. If I type the public IP in the browser I reach them. I again followed the example and then tried to connect, but no success (I used the public IPs as "my address" and "peer gateway address"). It says (also before when I did not have them as exposed hosts):

Command failed: CHILD_SA config 'sec_policy1_OfficeToHome' not found

I can't see anything being blocked in the log. Any idea what's missing?

Edit: never mind, I returned the devices.

All Replies

  • SANIC
    SANIC Posts: 5

    HI,

    I have exactly the same problem but with Flex 200H on FW V1.20(ABWV.0)

    I built the tunnel by hand and also with the wizard. Same problem. It shows the red icon for a problem, but it can't be solved. If you press Solve, nothing happens.

    I really need help with this.

  • PeterUK
    PeterUK Posts: 3,387  Guru Member

    Post both ends interface listing and site to site settings

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee

    Are both sides behind NAT? Could you provide your VPN configuration?

  • SANIC
    SANIC Posts: 5
    edited April 30

    Both sides are routed subnets without NAT.
    I triple-checked both sides' settings:
    AES256-SHA512-DH21-86400
    AES256-SHA512-DH21-28800
    Secret for Testing: Abcd1234 (changed it because I wanted to check if a special Character causes the problems)

    I also tried other encryption settings and even a misconfiguration on one side, but the behavior doesn't change.

    The debug log on the 200H when saving the reconfiguration shows: yams ERROR zldipsec:216 - params sec_policy1_XXXX

    The second site (USG60) shows No_proposal_choosen in the normal log on the connection attempt.

    I'd rather not share my complete VPN config with unmasked IPs on an open board. 😉 I don't know if PM is possible here.

  • SANIC
    SANIC Posts: 5
    edited May 2

    I took a look at this support site: https://support.zyxel.eu/hc/de/articles/15718397333906--USG-FLEX-H-Serie-Firewall-Konfigurieren-von-IPSec-Site-To-Site-VPN-auf-der-USG-FLEX-H-Serie-Firewall-mit-dynamischer-IP

    I compared the views and setting options.
    On my firewall there is no option for Active Protocol or Encapsulation in the Phase 2 Policy Settings.

    Maybe a firmware bug in 1.20? I created the tunnels on 1.20.

    EDIT: Support tells me, this is by design!!

  • SANIC
    SANIC Posts: 5
    edited May 2

    OK, found the bug/problem. If you use the character " in the PSK, then this tunnel and all subsequently configured tunnels do not work and bring up the same error, even when the PSK in the following tunnel does not use this special character.

    A support ticket is open and the error has been confirmed by Support, but I want to post an update here as well in case someone has the same problem.

  • Rathos
    Rathos Posts: 5  Freshman Member

    I've got the same problem, also with v1.20 but on a 700H, but without any special characters in my PSK…
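
An added example, not from the thread and not Zyxel code: a small pre-deployment checker that flags the failure causes discussed above before the config is saved on either box (a double quote in the PSK as SANIC found, mismatched phase 1 / phase 2 proposals that make the peer log NO_PROPOSAL_CHOSEN, non-mirrored gateway addresses, and an end behind a NAT router such as a FritzBox). The proposal strings use SANIC's shorthand (cipher-hash-DHgroup-lifetime), the addresses are documentation ranges, and rejecting backslash and whitespace besides the quote is my own assumption.

```python
import re
from dataclasses import dataclass

# The double quote is the character confirmed to break the Flex H tunnel config in
# the thread; backslash and whitespace are an added precaution (assumption).
PSK_UNSAFE = set('"\\ \t')
# Proposal shorthand as written in the thread, e.g. AES256-SHA512-DH21-86400.
PROPOSAL_RE = re.compile(r"^([A-Z0-9]+)-([A-Z0-9]+)-DH(\d+)-(\d+)$")

@dataclass
class Peer:
    name: str
    my_address: str
    peer_address: str
    behind_nat: bool
    psk: str
    phase1: str
    phase2: str

def parse_proposal(text):
    """Return (cipher, hash, dh_group); the lifetime is ignored because a lifetime mismatch alone does not cause NO_PROPOSAL_CHOSEN."""
    m = PROPOSAL_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised proposal {text!r}")
    return m.group(1, 2, 3)

def check_pair(a, b):
    """Return a list of findings for the two ends; an empty list means nothing obvious is wrong."""
    findings = []
    for p in (a, b):
        bad = sorted(PSK_UNSAFE & set(p.psk))
        if bad:
            findings.append(f"{p.name}: PSK contains {bad}; a double quote breaks the tunnel config")
        if p.behind_nat:
            findings.append(f"{p.name}: behind NAT, so UDP 500/4500 (NAT-T) must reach the firewall")
    if a.psk != b.psk:
        findings.append("PSK differs between the two ends")
    if a.my_address != b.peer_address or b.my_address != a.peer_address:
        findings.append("'my address' / 'peer gateway address' are not mirrored")
    for phase in ("phase1", "phase2"):
        if parse_proposal(getattr(a, phase)) != parse_proposal(getattr(b, phase)):
            findings.append(f"{phase} proposal mismatch; the peer would log NO_PROPOSAL_CHOSEN")
    return findings

# Constructed sample pair: quote in the PSK on both ends and a phase 2 mismatch.
OFFICE = Peer("office", "203.0.113.10", "198.51.100.20", False, 'Abcd"1234-constructed-psk',
              "AES256-SHA512-DH21-86400", "AES256-SHA512-DH21-28800")
HOME = Peer("home", "198.51.100.20", "203.0.113.10", False, 'Abcd"1234-constructed-psk',
            "AES256-SHA512-DH21-86400", "AES128-SHA256-DH14-28800")
```

Running `check_pair(OFFICE, HOME)` on the constructed pair reports the quote on both ends and the phase 2 mismatch; a pair with a clean, identical PSK and mirrored settings returns an empty list.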