VPN100 IPSec VPN Issue

Scotti
Scotti Posts: 7  Freshman Member

I have a Zyxel VPN100 and am trying to get an IPSec VPN tunnel established with another device on another network.

It gets through phase 1 and phase 2 and says the tunnel is built successfully. But then it always says the IKE SA is disconnected and the tunnel collapses.

The VPN100 is behind another router that is not in bridge mode but specifies the VPN100 as the DMZ device that all traffic is forwarded to.

I'd like to try and avoid putting the other router in bridged mode if possible.

Is there some way to make this work?

All Replies

  • PeterUK
    PeterUK Posts: 3,736  Guru Member

    This would seem to indicate that UDP port 500 is fine but UDP port 4500 is being blocked, maybe by your ISP or router.

  • Scotti
    Scotti Posts: 7  Freshman Member

    OK, but it's showing built successfully on port 4500. The Zyxel is the 10.10.1.4 address, and the router in front of that has DMZ mode set to 10.10.1.4, which should forward all traffic. Does something additional need to be done?

  • PeterUK
    PeterUK Posts: 3,736  Guru Member
    edited April 21

    The logging of port 4500 is incorrect; you need to confirm by packet capture that two-way traffic is happening for port 4500.

    Is this by Pre-Shared Key or Certificate? Try Pre-Shared Key, as it might be that fragments are being blocked.

  • Zyxel_James
    Zyxel_James Posts: 680  Zyxel Employee

    I wonder whether the front router forwards the VPN packets completely to the VPN100. Please capture two packet sections: the WAN interface of the VPN100 and the DMZ traffic from the front router.
    Moreover, is the remote peer site also a Zyxel firewall? If so, could you also provide the log or packet capture?

  • Scotti
    Scotti Posts: 7  Freshman Member

    Can I capture the traffic with the standard Zyxel logs, or do I need to use Wireshark or something? The other router is not a Zyxel, but I will see what I can capture.

    Does anything else special need to be set up in the VPN configuration when it's behind another router like that? Or do you just need to make sure all the traffic is passed completely from the front router?

  • PeterUK
    PeterUK Posts: 3,736  Guru Member
    edited April 21

    In Maintenance » Diagnostics there is a Packet Capture.

    The Zyxel will do outbound allow for VPN, so the only rule you need is inbound WAN to ZyWALL for the services ESP, IKE, L2TP, NATT.

    If you're using a Certificate, both ends need to allow UDP fragments.
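The check PeterUK asks for above (confirming by packet capture that UDP/4500 traffic is two-way, not just outbound) can be automated over a tcpdump-style summary. This is an added example, not code from the thread or from Zyxel; it assumes 10.10.1.4 is the VPN100 (as in the thread) and uses 203.0.113.10 as a constructed placeholder for the remote peer, with a constructed capture that reproduces the symptom discussed.

```python
import re

# 10.10.1.4 is the VPN100's address from the thread; the peer address below is a
# constructed placeholder, not a real endpoint.
LOCAL_IP = "10.10.1.4"

# Extracts "src.sport > dst.dport" from an IPv4 summary line (tcpdump -n style).
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample capture showing the failure mode in the thread: IKE on
# UDP/500 flows both ways, but NAT-T on UDP/4500 only ever leaves the VPN100.
SAMPLE_CAPTURE = """\
12:00:00.001 IP 10.10.1.4.500 > 203.0.113.10.500: isakmp: phase 1 I ident
12:00:00.052 IP 203.0.113.10.500 > 10.10.1.4.500: isakmp: phase 1 R ident
12:00:00.110 IP 10.10.1.4.4500 > 203.0.113.10.4500: NONESP-encap: isakmp
12:00:01.110 IP 10.10.1.4.4500 > 203.0.113.10.4500: NONESP-encap: isakmp
12:00:02.110 IP 10.10.1.4.4500 > 203.0.113.10.4500: NONESP-encap: isakmp
"""

def direction_counts(capture_text, local_ip=LOCAL_IP, ports=(500, 4500)):
    """Count packets per local-side UDP port in each direction.

    "out" = packet sent by local_ip, "in" = packet delivered to local_ip.
    The local-side port is the source port for outbound and the destination
    port for inbound, so NAT rewriting of the peer's port does not matter.
    """
    counts = {p: {"out": 0, "in": 0} for p in ports}
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip non-IPv4 or unparseable lines
        if m["src"] == local_ip:
            port, direction = int(m["sport"]), "out"
        elif m["dst"] == local_ip:
            port, direction = int(m["dport"]), "in"
        else:
            continue  # traffic not involving the firewall
        if port in counts:
            counts[port][direction] += 1
    return counts

def diagnose(capture_text, local_ip=LOCAL_IP):
    """Return one finding per port: bidirectional, one-way, or absent."""
    findings = []
    for port, c in direction_counts(capture_text, local_ip).items():
        if c["out"] and not c["in"]:
            findings.append(f"UDP/{port}: {c['out']} out, 0 in -> replies never reach {local_ip}")
        elif c["in"] and not c["out"]:
            findings.append(f"UDP/{port}: {c['in']} in, 0 out -> firewall not responding")
        elif not c["in"] and not c["out"]:
            findings.append(f"UDP/{port}: no traffic seen")
        else:
            findings.append(f"UDP/{port}: bidirectional ({c['out']} out, {c['in']} in)")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_CAPTURE)))
```

Run it against a capture taken on the VPN100 WAN interface and one taken on the front router's DMZ side; if 4500 is bidirectional on the front router but one-way on the VPN100, the DMZ forwarding is the gap.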