IPSec VPN problem on USG Flex 700h with two remote sites
Hi! I have tried to trace a problem: two remote sites can't connect to the 700h at the same time. On the "VPN/IPSec VPN/Site to Site VPN" page I have two different profiles for these remote sites. The 700h has a static WAN IP and the remote sites have dynamic WAN IPs. Both remote sites work just fine, but only one at a time. I found this:
- At first the pre-shared keys for the remote sites were different and the phase 1 & 2 proposals were the same.
- With this setup only the first connected remote site went up and the other stayed down.
- In the log was this message: "invalid ID_V1 payload length, decryption failed. possibly because of different pre-shared keys [count=5]"
- That was a weird message because every parameter was correct and the same on both sides of the non-working VPN connection.
- I first changed the Phase 1 proposal encryption and authentication to a different one, both on the non-working remote site and on the 700h. Then I got these messages: "received proposals: IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048". For some unknown reason the 700h didn't take the changed, downgraded proposal values from the setup and still used the old ones with better security. I didn't check whether these came from the other site's working profile or from the non-working profile I was debugging. However, I tried pretty much anything, including rebooting the 700h, but the configured proposals stayed the same, whatever I put in the 700h's non-working IPSec VPN profile.
- Then I also tried using the same pre-shared key for authentication that was used on the working site (on both the 700h and the non-working remote site), and after that the non-working remote site fired up immediately.
- The verdict was that I had to use exactly the same pre-shared keys and proposals for both sites to get things working. The previously used, older Flex 700 worked just fine with different values for the remote sites.
So am I doing something wrong here, or does the newest FW have some issue?
All Replies
-
Hi @had_a
I assume you set two VPN configurations for two different sites, and both VPN configurations are response only on the USG FLEX H. This issue is because both VPN configurations are using the same phase 1 proposal. Please change the phase 1 proposal on one firewall; then you can use a different pre-shared key to connect the VPN.
For example, site 1 uses AES128/SHA1 in phase 1 and site 2 uses AES192/SHA1 in phase 1.
Zyxel Melen0 -
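The reason the proposal has to differ is a property of IKEv1 main mode: the initiator only sends its identity in message 5, which is already encrypted with keys derived from the pre-shared key (RFC 2409, SKEYID = prf(PSK, Ni | Nr)). A responder that cannot key the PSK lookup on the peer's source address (dynamic WAN IPs) therefore has to pick a profile from what message 1 carries, which is the proposal. If two profiles offer the same proposal but different PSKs, the first match decrypts the second site's ID payload with the wrong key, which is the "invalid ID_V1 payload length, decryption failed" line in the log. IKEv2 does not have this problem, because the identity in IKE_AUTH is protected by Diffie-Hellman-derived keys, so the responder can look up the PSK by identity. The simulation below is an added example, not Zyxel's code and not a description of the 700h firmware internals: it assumes first-match profile selection, uses an HMAC-based XOR keystream as a stand-in for AES-CBC, and uses constructed profile names, PSKs and nonces.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Profile:
    """One Site-to-Site VPN profile as the responder (the hub) sees it."""
    name: str
    proposal: str  # phase 1 proposal string, e.g. "AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048"
    psk: bytes


def derive_skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4 with pre-shared keys: SKEYID = prf(PSK, Ni_b | Nr_b).
    The keys protecting main mode messages 5/6 derive from this, so a wrong PSK
    means the responder decrypts the initiator's ID payload with the wrong key."""
    return hmac.new(psk, ni + nr, hashlib.sha256).digest()


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Stand-in for IKE's AES-CBC (constructed for this demo, not IKE's real cipher):
    XOR with an HMAC-SHA256 counter keystream. Wrong key -> garbage, which is all we need."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


ID_FQDN = 2  # IKEv1 ID type for a fully qualified domain name (RFC 2407)


def encode_id_payload(identity: bytes) -> bytes:
    """Simplified ID_V1 payload: id type, 2-byte length of the identification data, the data."""
    return bytes([ID_FQDN]) + len(identity).to_bytes(2, "big") + identity


def decode_id_payload(raw: bytes) -> bytes:
    """A length field that disagrees with the payload is what the thread's
    'invalid ID_V1 payload length, decryption failed' log line reports."""
    if len(raw) < 3:
        raise ValueError("invalid ID_V1 payload length, decryption failed")
    id_type, length, identity = raw[0], int.from_bytes(raw[1:3], "big"), raw[3:]
    if id_type != ID_FQDN or length != len(identity) or not identity.isascii():
        raise ValueError("invalid ID_V1 payload length, decryption failed")
    return identity


def select_profile(profiles: List[Profile], offered_proposal: str) -> Optional[Profile]:
    """Main mode message 1 carries only the SA/proposal. With dynamic peer addresses
    the responder cannot use the source IP, so the first profile whose proposal
    matches wins (first-match behaviour is an assumption of this demo)."""
    for profile in profiles:
        if profile.proposal == offered_proposal:
            return profile
    return None


def main_mode_exchange(hub: List[Profile], site: Profile, identity: bytes,
                       ni: bytes, nr: bytes) -> Tuple[str, Optional[str]]:
    """One remote site (initiator) negotiating with the hub (responder).
    Returns (result, name of the hub profile the responder picked)."""
    chosen = select_profile(hub, site.proposal)
    if chosen is None:
        return "no matching proposal", None
    # Initiator encrypts message 5 (its ID) with keys from its own PSK ...
    encrypted_id = xor_keystream(derive_skeyid(site.psk, ni, nr), encode_id_payload(identity))
    # ... the responder decrypts with keys from the PSK of the profile it selected.
    try:
        decode_id_payload(xor_keystream(derive_skeyid(chosen.psk, ni, nr), encrypted_id))
    except ValueError as err:
        return str(err), chosen.name
    return "ok", chosen.name


# Constructed sample data; fixed nonces keep the run deterministic.
NI = b"initiator-nonce-16"
NR = b"responder-nonce-16"
STRONG = "AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048"
WEAKER = "AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048"


def run_scenarios() -> dict:
    """Scenario 'same': identical proposals, different PSKs (the thread's original setup).
    Scenario 'distinct': a different phase 1 proposal per profile (the suggested fix)."""
    same_hub = [Profile("site1", STRONG, b"psk-for-site-1"), Profile("site2", STRONG, b"psk-for-site-2")]
    distinct_hub = [Profile("site1", STRONG, b"psk-for-site-1"), Profile("site2", WEAKER, b"psk-for-site-2")]
    return {
        "same_site1": main_mode_exchange(same_hub, same_hub[0], b"site1.example", NI, NR),
        "same_site2": main_mode_exchange(same_hub, same_hub[1], b"site2.example", NI, NR),
        "distinct_site1": main_mode_exchange(distinct_hub, distinct_hub[0], b"site1.example", NI, NR),
        "distinct_site2": main_mode_exchange(distinct_hub, distinct_hub[1], b"site2.example", NI, NR),
    }


if __name__ == "__main__":
    for scenario, (result, picked) in run_scenarios().items():
        print(f"{scenario:15s} responder used profile {picked!s:6s} -> {result}")
```

In the "same" scenario the responder picks the site1 profile for both peers, so site2's ID payload is decrypted under site1's PSK and fails the length check, matching the symptom in the original post. Giving each profile its own phase 1 proposal lets message 1 disambiguate the peer, after which each site can keep its own PSK.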
I indeed tried this in (5). I downgraded the proposals on the non-working profile with a unique pre-shared key. The remote site took this (received proposals to Flex 700h), but the Flex 700h still tried to handshake with the old 256bit/dh14 (configured proposals). If I look at the non-working profile on the Flex 700h, there is not even a single 256bit/dh14 proposal there.
Also I don't understand why the proposals have to be different - is this a bug to be fixed in the FW? It's very essential to have maximum security on every IPSec VPN connection, and this worked fine with the older Flex 700. Why isn't this working anymore?
-
Can you post your phase 1 and 2 screenshots for all 3 sites, blurring out the sensitive data?
-
Are you using IKEv1 or 2?
Is the 700h the nailed-up side or responder only?