Comments
-
I already use IKEv2 for clients with Active Directory authentication on Apple iOS devices with certificate auth in phase 1. No problem with that using an Apple configuration profile. But not with ZyXEL configuration provisioning. The ZyWALL has no fixed IP address on the WAN interface, so the FQDN is a CNAME to a dyndns address.
-
try AES256, SHA1, PFS none for Phase2
-
is the ideas section really read by the developers? Is one of the ideas in this section already implemented in a past release?
-
;)
-
at least these proposals should work for L2TP with iOS and Win10: Phase 1: 3DES, SHA1, DH2; Phase 2: AES256, SHA1, PFS none
-
your ZyWALL wan1 IP address is a private (RFC1918) address. Is the ZyWALL behind another router which is also doing NAT?
-
thank you
-
ok, if it helps :-)
-
Hi @Zyxel_Emily I know VTI, I set up a lot of VTI/IPSec, between ZyWALLs only, I use VTI and OSPF for dynamic routing most of the time. I know the overhead of GRE (24 bytes). But there are different restrictions where you can't use VTI (3rd-party firewalls without VTI or no VTI with dynamic IPs there, general antipathy for VTI at…
-
you can also create an additional secure-policy rule for this destination, denying and no log. So this traffic cannot hit the default rule.
-
I support this too
-
In my view the Cisco doc is absolutely right, DH14 is the absolute minimum at the moment, 19-21 would be recommended. The German BSI gives the same advice.
-
@Mark: It's fine for me now.
-
thanks to @Mark. Can you publish your solution to disable the wizard on CLI here?
-
@ChristianG I checked in our myzyxel portal for this customer. Status is 'active' and the last sign-in date is the time I started the license refresh yesterday. At the moment the annoying wizard is still there. This USG is on V4.30. Maybe I go to WK19 on this USG40. On another USG40 with WK19 I don't have the problem with the…