Site-to-site with two Flex 100H
Hi again
I upgraded my setup:
- Office: FritzBox > Flex 100H
- Home: FritzBox > Flex 100H
I have a static IP in both locations and I would like to do a site-to-site VPN with IPsec. At the beginning I tried to just open ESP and UDP 500/4500 and tried to follow the example for a direct connection ("How to Configure Site-to-site IPSec VPN Where the Peer has a Static IP Address" in the handbook). That did not work, so I set the Flex 100Hs as exposed hosts in the Fritzbox. If I type the public IP in the browser I reach them. I again followed the example and then tried to connect, but no success (I used the public IPs as "my address" and "peer gateway address"). It says (also before when I did not have them as exposed hosts):
Command failed: CHILD_SA config 'sec_policy1_OfficeToHome' not found
I can't see anything being blocked in the log. Any idea what's missing?
Edit: never mind, I returned the devices.
All Replies
-
Hi,
I have exactly the same problem, but with a Flex 200H on FW V1.20(ABWV.0).
Built the tunnel manually, and also with the wizard. Same problem. It shows the red icon for a problem, but it can't be solved. If you press "solve", nothing happens.
I really need help with this.
0 -
Post both ends' interface listing and site-to-site settings.
0 -
Are both sides behind NAT? Could you provide your VPN configuration?
0 -
Both sides are routed subnets without NAT.
Triple-checked both sides' settings:
AES256-SHA512-DH21-86400
AES256-SHA512-DH21-28800
Secret for testing: Abcd1234 (changed it because I wanted to check if a special character causes the problems). I also tried other encryption settings and also tried a deliberate misconfiguration on one side, but the behavior won't change.
Debug Log on 200H on reconfiguration save shows: yams ERROR zldipsec:216 - params sec_policy1_XXXX
2nd Site USG60 shows on connection attempt No_proposal_choosen in normal Log.
I'd rather not share my complete VPN config with unmasked IPs on an open board. 😉 I don't know if PM is possible here.
0 -
I took a look at this support site: https://support.zyxel.eu/hc/de/articles/15718397333906--USG-FLEX-H-Serie-Firewall-Konfigurieren-von-IPSec-Site-To-Site-VPN-auf-der-USG-FLEX-H-Serie-Firewall-mit-dynamischer-IP
I compared the views and settings options.
On my firewall there is no option for Active Protocol or Encapsulation in the Phase 2 policy settings. Maybe a FW bug in 1.20? I created the tunnels on 1.20.
EDIT: Support tells me this is by design!!
0 -
OK, found the bug/problem. If you use the character " in the PSK, then this tunnel and all tunnels configured after it stop working and bring up the same error, even when the PSK of the following tunnel does not use this special character.
A support ticket is open and the error has been confirmed by support, but I want to post an update here as well in case someone has the same problem.
1 -
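A pre-flight check for pre-shared keys before pasting them into a firewall GUI, based on the behaviour reported in this thread. This is an added example, not Zyxel code or anything from the firmware; the double quote is the character the thread reports as breaking the tunnel, and the wider "risky" character set and the 20-character minimum are defensive assumptions of this example.

```python
"""Lint an IPsec PSK for characters that break config serialisation, and generate safe ones.

Per the thread: on USG FLEX H FW 1.20 a double quote in a PSK broke that tunnel and
every tunnel configured after it ('CHILD_SA config ... not found'). Hypothetical helper.
"""
import math
import secrets
import string

# The character reported in the thread as breaking the tunnel configuration.
REPORTED_BREAKING = {'"'}
# Assumed additional characters that commonly cause trouble when a secret is
# interpolated into a generated config file or CLI line (not a reported bug).
RISKY = set('\'\\`$;#') | {" "}
# Alphabet used for generated keys: no quotes, backslash, backtick, $, ;, # or space.
SAFE_ALPHABET = string.ascii_letters + string.digits + "-_.+=!@%^*()[]{}:,?"
MIN_LENGTH = 20  # assumed policy minimum for this example


def psk_entropy_bits(psk: str, alphabet_size: int) -> float:
    """Upper bound on entropy if every character was drawn uniformly from the alphabet."""
    return len(psk) * math.log2(alphabet_size)


def lint_psk(psk: str) -> list[str]:
    """Return a list of findings; an empty list means the PSK passed every check."""
    findings = []
    bad = sorted(set(psk) & REPORTED_BREAKING)
    if bad:
        findings.append(f"contains {bad}: reported to break tunnels on FLEX H FW 1.20")
    risky = sorted(set(psk) & RISKY)
    if risky:
        findings.append(f"contains {risky}: risky when serialised into config/CLI")
    if len(psk) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if sum(any(ch in cls for ch in psk) for cls in classes) < 3:
        findings.append("uses fewer than three character classes")
    return findings


def generate_psk(length: int = 32) -> str:
    """Generate a high-entropy PSK from SAFE_ALPHABET that passes lint_psk()."""
    while True:
        psk = "".join(secrets.choice(SAFE_ALPHABET) for _ in range(length))
        if not lint_psk(psk):
            return psk
```

Run `lint_psk()` on the key you intend to enter on both peers; if it reports the double quote, regenerate the key rather than debugging the tunnel.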
I've got the same problem, also with v1.20 but on a 700H, but without any special characters in my PSK…
0