ZyWall USG60: VPN IKEv2 Connection using Windows 11?
Hello
I'm trying to connect to my LAN from outside, using a VPN IKEv2 connection as instructed here:
https://mysupport.zyxel.com/hc/en-us/articles/360005744000--ZyWALL-USG-How-to-set-up-a-Client-to-Site-VPN-Configuration-Payload-DHCP-connection-using-IKEv2
I think the security proposals there are obsolete, as Windows now uses other definitions. Has anyone tried this with success, and if yes, what parameters should be used?
Error:
[SA] : Tunnel [IKEV2_Connection] Phase 1 proposal mismatch [count=3]
Accepted Solution
Yes, all these parameters are OK. Now I've found a solution that's working for me: I installed a trial version of TheGreenBow VPN Client. They use AES-256, SHA-512, DH14 (much safer than the old and outdated DH2 and SHA-1!). And guess what? It works perfectly! So I'm gonna use this client and forget the annoying one from Microsoft.
End of story! Anyway, thanks a lot for your help, Peter!
All Replies
Update: Using AES128 SHA256 instead of AES128 SHA1 seems to be the solution for Phase 1 now being OK. Anyway, I see no entries in the log for Phase 2 (good or bad..?), and still no connection gets established.
490 2024-12-03 14:17:11 xxxxxxxxxxxx:43655 xxxxxxxxxxxxxxx:500
info ike IKE_LOG
The cookie pair is : 0xd8ce2f7b7c4c423a / 0x190dff86ffa05d3e [count=2]
491 2024-12-03 14:17:11 xxxxxxxxxxxx:43655 xxxxxxxxxxxxxxx:500
info ike IKE_LOG
Receiving IKEv2 request
492 2024-12-03 14:17:11 xxxxxxxxxxxx:43655 xxxxxxxxxxxxxxx:500
info ike IKE_LOG
[INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][VID][VID][VID][VID]
493 2024-12-03 14:17:11 xxxxxxxxxxxx:43655 xxxxxxxxxxxxxxx:500
info ike IKE_LOG
Recv IKE sa: SA([0] protocol = IKE (1), 3DES, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [1] protocol = IKE (1), AES CBC key len = 256,
HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [2] protocol = IKE (1), 3DES, HMAC-SHA256-128, HMAC-SHA256 PRF, 1024 bit M
494 2024-12-03 14:17:11 xxxxxxxxxxxxxx:500 xxxxxxxxxxxxxx:43655
info ike IKE_LOG
The cookie pair is : 0x190dff86ffa05d3e / 0xd8ce2f7b7c4c423a [count=2]
495 2024-12-03 14:17:11 xxxxxxxxxxxxxx:500 xxxxxxxxxxxxxx:43655
info ike IKE_LOG
[INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID]
503 2024-12-03 14:17:43 xxxxxxxxxxxxxxx:500 xxxxxxxxxxxxxxx:43655
info ike IKE_LOG
IKE SA [IKEV2_Tunnel] is disconnected
Set Local Policy to 0.0.0.0.
What are your settings for Phase 2?
Do a packet capture for the IP you're connecting from when you connect to the VPN. You should see fragmented packets; check that you get them on the remote end (client side).
Have a policy allowing from WAN to ZyWALL and from IPSec_VPN to ZyWALL for ports UDP 500, 4500, 1701 and protocol 50.
Also, the Windows 11 default is:
Phase 1: 3DES/SHA1 DH2
Phase 2: AES256/SHA1 PFS none
My configurations are as follows.
VPN-Gateway-Settings:
Name: IKEV2_Tunnel
Interface: wan1
Dynamic Address
Authentication:
Certificate
Peer ID Type: Any
Phase 1 Settings:
SA Life Time:86400
Proposal:
1 3DES SHA1
2 AES128 MD5
3 AES128 SHA256
Key Group: DH2
Extended Auth:
Server Mode
AAA Method: default
Allowed User: "vpn-users"
VPN-Connection Settings:
Name:IKEV2_Connection
Gateway: Remote Access (Server Role)
VPN Gateway: IKEV2_Tunnel
Local Policy: 0.0.0.0
Enable cfg payload:
IP Addr Pool: IKEV2_Pool
1st DNS: 4.2.2.1
2nd DNS: 8.8.4.4
Allow Traffic Through WAN Zone
Phase 2 Settings:
SA Lifetime: 86400
Active Protocol: ESP
Encapsulation: Tunnel
Proposal:
1 3DES SHA1
2 AES128 SHA256
3 AES256 SHA1
PFS: none
Zone: IPSec_VPN
Security Policy:
"WAN to ZYWALL": anySrc, anyDest, Svc:VPN-Ports, any User
VPN-Ports are: UDP500 (IKE), UDP4500 (NATT), UDP1701 (L2TP-UTP), TCP 50 (ESP)
"IPSEC_VPN to ZYWALL": anySrc, anyDest, Svc:any, any User
Using a laptop with Windows 11. Its networks: only 1 active connection to the internet, using an iPhone connected as a hotspot.
The iPhone has only a connection over the air to the telephone service provider (no WLAN). So the laptop really connects from outside. The Windows firewall is disabled.
ESP is not TCP or UDP.
Make a new certificate and test the VPN local to the USG.
Are you doing self-signed certificates by IP or Domain Name?
I've made a certificate as shown in the article (link in post #1). I've got another paid certificate, but it is a wildcard cert (*.company.com). *-certs can't be used in the parameter field "Certificate" in the Tunnel specs. So the self-made cert has the name "www.company.com".
("company" is a placeholder for the real value). So this should not be the problem.
> …test the VPN local to the USG
If I connect the laptop to the local LAN and try to establish the VPN connection, then I get the following output (latest line at the top):
You can't use a placeholder; it must be a real IP or domain name that points to the USG WAN IP that the client VPN uses to connect.
Forgot to mention that my company.com address is registered at DynU. So that's why the laptop finds the way to the ZyWall's WAN port.
OK, so that should be fine.
Can you check the VPN setting under
Control Panel\Network and Internet\Network Connections
in the Security tab, that you're using Microsoft: Secured password (EAP-MSCHAP v2).
Make sure Phase 2 is just
AES256/SHA1 PFS none
Do you have other IKEv2 tunnels set up?
Well, the MS VPN works for me, and you can change the encryption method:
Set-VpnConnectionIPsecConfiguration (VpnClient) | Microsoft Learn
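As an added example (not from the thread, Zyxel or Microsoft), this is what the Set-VpnConnectionIPsecConfiguration pointer above looks like in practice: it creates the IKEv2 client connection and pins the Windows client's IKE and ESP proposals to one explicit set, so they can be matched against the USG's Phase 1 / Phase 2 proposal list instead of relying on the 3DES/SHA1/DH2 defaults visible in the "Recv IKE sa:" log line. The connection name, the server FQDN and the chosen algorithm set are assumptions; the USG must carry exactly the same proposal in both phases.

```powershell
# Added example: pin the Windows 11 IKEv2 client proposals instead of relying on defaults.
# Assumptions (not from the thread): connection name, server FQDN, and the algorithm set.
$Name   = 'IKEV2_Connection'      # client-side connection name (assumption)
$Server = 'vpn.example.com'       # FQDN/IP that resolves to the USG WAN address (assumption)

# Create the client connection if it does not exist yet.
# AuthenticationMethod Eap corresponds to the "EAP-MSCHAP v2" user authentication
# discussed in the thread (Extended Auth, server mode, on the USG side).
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
        -AuthenticationMethod Eap -EncryptionLevel Required -RememberCredential
}

# Phase 1 (IKE SA):   AES256 / SHA256 / DH group 14 (2048-bit MODP)
# Phase 2 (ESP SA):   AES256 / HMAC-SHA256-128 / no PFS
# After this call the client offers only this one proposal in IKE_SA_INIT; if the
# USG does not list it, the gateway logs "Phase 1 proposal mismatch" as in the thread.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 `
    -PfsGroup None `
    -Force

# Read back what the client will actually send, to compare field by field with the
# USG's Phase 1 (Proposal + Key Group) and Phase 2 (Proposal + PFS) settings.
Get-VpnConnectionIPsecConfiguration -ConnectionName $Name |
    Format-List EncryptionMethod, IntegrityCheckMethod, DHGroup,
                CipherTransformConstants, AuthenticationTransformConstants, PfsGroup
```

Run it in an elevated PowerShell session on the client; the USG's matching proposal would be AES256 SHA256 with Key Group DH14 in Phase 1 and AES256 SHA256 with PFS none in Phase 2.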