ZyWall USG60: VPN IKEv2 Connection using Windows 11?

devau2
devau2 Posts: 11  Freshman Member
First Comment Third Anniversary

Hello
I'm trying to connect to my LAN from outside, using a VPN IKEv2 connection as instructed here:

https://mysupport.zyxel.com/hc/en-us/articles/360005744000--ZyWALL-USG-How-to-set-up-a-Client-to-Site-VPN-Configuration-Payload-DHCP-connection-using-IKEv2
I think the security proposals there are obsolete, as Windows now uses other definitions. Has anyone tried this with success, and if yes, what parameters should be used?

Error:

[SA] : Tunnel [IKEV2_Connection] Phase 1 proposal mismatch [count=3]

All Replies

  • devau2
    devau2 Posts: 11  Freshman Member
    First Comment Third Anniversary

    Update: Using AES128 SHA256 instead of AES128 SHA1 seems to be the solution for Phase 1 now being OK. Anyway, I see no entries in the log for Phase 2 (good or bad..?); still no connection gets established.

    490 2024-12-03 14:17:11 xxxxxxxxxxxx:43655 xxxxxxxxxxxxxxx:500
    info ike IKE_LOG
    The cookie pair is : 0xd8ce2f7b7c4c423a / 0x190dff86ffa05d3e [count=2]

    491 2024-12-03 14:17:11 xxxxxxxxxxxx:43655 xxxxxxxxxxxxxxx:500
    info ike IKE_LOG
    Receiving IKEv2 request

    492 2024-12-03 14:17:11 xxxxxxxxxxxx:43655 xxxxxxxxxxxxxxx:500
    info ike IKE_LOG
    [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][VID][VID][VID][VID]

    493 2024-12-03 14:17:11 xxxxxxxxxxxx:43655 xxxxxxxxxxxxxxx:500
    info ike IKE_LOG
    Recv IKE sa: SA([0] protocol = IKE (1), 3DES, HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [1] protocol = IKE (1), AES CBC key len = 256,
    HMAC-SHA1-96, HMAC-SHA1 PRF, 1024 bit MODP; [2] protocol = IKE (1), 3DES, HMAC-SHA256-128, HMAC-SHA256 PRF, 1024 bit M

    494 2024-12-03 14:17:11 xxxxxxxxxxxxxx:500 xxxxxxxxxxxxxx:43655
    info ike IKE_LOG
    The cookie pair is : 0x190dff86ffa05d3e / 0xd8ce2f7b7c4c423a [count=2]

    495 2024-12-03 14:17:11 xxxxxxxxxxxxxx:500 xxxxxxxxxxxxxx:43655
    info ike IKE_LOG
    [INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID]

    503 2024-12-03 14:17:43 xxxxxxxxxxxxxxx:500 xxxxxxxxxxxxxxx:43655
    info ike IKE_LOG
    IKE SA [IKEV2_Tunnel] is disconnected

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited December 3

    set Local Policy to 0.0.0.0

    what are your setting for Phase2?

    Do a packet capture for the IP you're connecting from when you connect to the VPN; you should see fragmented packets, and check you get them on the remote-end client side.

    have a policy allowing from WAN to Zywall and from IPSec_VPN to Zywall for ports UDP 500, 4500, 1701 and protocol 50

    also windows 11 default is

    Phase 1 3DES/SHA1 DH2

    Phase 2 AES256/SHA1 PFS none

  • devau2
    devau2 Posts: 11  Freshman Member
    First Comment Third Anniversary
    edited December 3

    My configurations are as follows.

    VPN-Gateway-Settings:

    Name: IKEV2_Tunnel
    Interface: wan1
    Dynamic Address
    Authentication:
    Certificate
    Peer ID Type: Any
    Phase 1 Settings:
    SA Life Time:86400
    Proposal:
    1 3DES SHA1
    2 AES128 MD5
    3 AES128 SHA256
    Key Group: DH2
    Extended Auth:
    Server Mode
    AAA Method: default
    Allowed User: "vpn-users"

    VPN-Connection Settings:

    Name:IKEV2_Connection
    Gateway: Remote Access (Server Role)
    VPN Gateway: IKEV2_Tunnel
    Local Policy: 0.0.0.0
    Enable cfg payload:
    IP Addr Pool: IKEV2_Pool
    1st DNS: 4.2.2.1
    2nd DNS: 8.8.4.4
    Allow Traffic Through WAN Zone
    Phase 2 Settings:
    SA Lifetime: 86400
    Active Protocol: ESP
    Encapsulation: Tunnel
    Proposal:
    1 3DES SHA1
    2 AES128 SHA256
    3 AES256 SHA1
    PFS: none
    Zone: IPSec_VPN

    Security Policy:

    "WAN to ZYWALL": anySrc, anyDest, Svc:VPN-Ports, any User
    VPN-Ports are: UDP500 (IKE),UDP4500 (NATT),UDP1701(L2TP-UTP),TCP 50 (ESP)

    "IPSEC_VPN to ZYWALL" :anySrc, anyDest, Svc:any, any User

    Using a laptop with Windows 11. Its networks: only 1 active connection to the internet, using an iPhone connected as a hotspot.
    The iPhone has only a connection over the air to the telephone service provider (no WLAN), so the laptop really connects from outside. Windows firewall is disabled.

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    ESP is not TCP or UDP

    Make a new certificate and test the VPN local to the USG

    Are you doing a self sign certificates by IP or Domain Name?

  • devau2
    devau2 Posts: 11  Freshman Member
    First Comment Third Anniversary

    I've made a certificate as shown in the article (link in post #1). I've got another paid certificate, but it is a wildcard cert (*.company.com). *-certs can't be used in the parameter field "Certificate" in the Tunnel specs. So the self-made cert has the name "www.company.com".
    ("company" is a placeholder for the real value.) So this should not be the problem.

    >…test the VPN local to the USG

    If I connect the Laptop to the local LAN, and try to establish the VPN-connection then I get the following output (latest line at the top):

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited December 5

    you can't use a placeholder; it must be a real IP or domain name that points to the USG WAN IP that the client VPN uses to connect

  • devau2
    devau2 Posts: 11  Freshman Member
    First Comment Third Anniversary

    Forgot to mention that my company.com address is registered at DynU. So that's why the Laptop finds the way to the ZyWall's WAN port.

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited December 5

    Ok so that should be fine

    can you check the VPN setting
    Control Panel\Network and Internet\Network Connections
    in the Security tab that you're using Microsoft secured password (EAP-MSCHAP v2)

    Make sure Phase 2 is just

    AES256/SHA1 PFS none

    do you have other IKEv2 tunnels setup?

  • devau2
    devau2 Posts: 11  Freshman Member
    First Comment Third Anniversary
    Answer ✓

    Yes, all these parameters are OK. Now I've found a solution that's working for me: I installed a trial version of TheGreenBow VPN Client. They use AES-256, SHA-512, DH14 (much safer than the old and outdated DH2 and SHA-1!). And guess what? It works perfectly! So I'm gonna use this client and forget the annoying one from Microsoft.
    End of story! Anyway, thanks a lot for your help Peter!

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited December 7

    Well MS VPN works for me and you can change Encryption Method

    Set-VpnConnectionIPsecConfiguration (VpnClient) | Microsoft Learn
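As an added example (not from this thread or from Zyxel), this is how the cmdlet PeterUK points to replaces the built-in client's 3DES/SHA1/DH2 default with one modern suite; the suite chosen here (AES256/SHA256/DH14 for Phase 1, AES256/SHA256 with PFS none for Phase 2) and the profile name and server address are assumptions, and the USG gateway must carry a matching proposal or the "Phase 1 proposal mismatch" log entry returns.

```powershell
# Added example: configure the Windows 11 built-in IKEv2 client to offer a single
# suite that matches a proposal on the USG. Run in an elevated PowerShell.
$ConnName = 'IKEV2_Connection'   # local profile name (placeholder)
$Server   = 'vpn.example.com'    # must resolve to the USG WAN IP (placeholder)

# Create the profile if it is not there yet (EAP user authentication, as in the thread;
# the EAP method itself is picked in the adapter's Security tab).
if (-not (Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnName -ServerAddress $Server -TunnelType Ikev2 `
        -AuthenticationMethod Eap -EncryptionLevel Required -RememberCredential
}

# Phase 1 (IKE SA): EncryptionMethod / IntegrityCheckMethod / DHGroup.
# Phase 2 (child SA): CipherTransformConstants / AuthenticationTransformConstants / PfsGroup.
# Assumed suite: AES256, SHA256, DH group 14; ESP AES256 with HMAC-SHA256-128, no PFS.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup None -Force

# Show what the client will now propose; every value must appear in one of the
# gateway's Phase 1 / Phase 2 proposals (the USG key group must include DH14).
(Get-VpnConnection -Name $ConnName).IPsecCustomPolicy |
    Format-List EncryptionMethod, IntegrityCheckMethod, DHGroup,
                CipherTransformConstants, AuthenticationTransformConstants, PfsGroup
```

The USG side then needs a Phase 1 proposal AES256/SHA256 with key group DH14 and a Phase 2 proposal AES256/SHA256 with PFS none, instead of leaving only the 3DES/SHA1/DH2 entries listed earlier in the thread.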
