Solved

Zyxel firewall and vpn

Posted on 2006-05-23
Last Modified: 2009-02-10
I have a Zyxel ZyWALL 4 firewall. I configured a VPN connection with a remote network. I can connect with the remote network but I am unable to access it. I tried to ping the remote router but I get request timeout. How to solve this?
Question by:anuja_rex
 
LVL 78

Accepted Solution

by:
Rob Williams earned 1280 total points
ID: 16742199
I am afraid there is not enough information to diagnose the problem. Could you supply a little more information?
How is the VPN constructed? Is this a software client to the Zyxel, a hardware to hardware (site to site) VPN, or are you using the Windows VPN behind the Zyxel?
I couldn't find an online manual for the model 4. Do you know where I might find one to assist, or is it similar to the model 5?
Thanks.
0
 

Author Comment

by:anuja_rex
ID: 16783876
At the remote end they say that the packets which are sent from our side are not encrypted. Is there any problem with the settings or the internet line?
0
 

Author Comment

by:anuja_rex
ID: 16783885
I have an SDSL 10Mb connection. The SDSL modem is connected to the firewall.

IKE Phase 1: 3DES, SHA1, Diffie-Hellman Group 2 (1024 bit), renegotiate every 1440 minutes

IKE Phase 2: 3DES, SHA1, PFS Group 2 (1024 bit), renegotiate IPsec security associations every 3600 seconds
0
 

Author Comment

by:anuja_rex
ID: 16783895
2006-05-29 15:00:24 Rule [B2C Net] Tunnel built successfully 193.90.149.26 194.248.167.110 IKE
2  2006-05-29 15:00:24 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
3  2006-05-29 15:00:24 Send:[HASH] 193.90.149.26 194.248.167.110 IKE
4  2006-05-29 15:00:24 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
5  2006-05-29 15:00:24 Adjust TCP MSS to 1398 193.90.149.26 194.248.167.110 IKE
6  2006-05-29 15:00:23 Recv:[HASH][SA][NONCE][KE][ID][ID] 194.248.167.110 193.90.149.26 IKE
7  2006-05-29 15:00:23 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
8  2006-05-29 15:00:23 Rule[B2C] receives duplicate packet 194.248.167.110 193.90.149.26 IKE
9  2006-05-29 15:00:23 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
10  2006-05-29 15:00:23 Rule[B2C] receives duplicate packet 194.248.167.110 193.90.149.26 IKE
11  2006-05-29 15:00:23 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
12  2006-05-29 15:00:23 Send:[HASH][SA][NONCE][KE][ID][ID] 193.90.149.26 194.248.167.110 IKE
13  2006-05-29 15:00:23 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
14  2006-05-29 15:00:22 Phase 1 IKE SA process done 193.90.149.26 194.248.167.110 IKE
15  2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
16  2006-05-29 15:00:22 Recv:[ID][HASH] 194.248.167.110 193.90.149.26 IKE
17  2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
18  2006-05-29 15:00:22 Send:[ID][HASH][NOTFY:INIT_CONTACT]CE4CE811 193.90.149.26 194.248.167.110 IKE
19  2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
20  2006-05-29 15:00:22 Recv:[KE][NONCE] 194.248.167.110 193.90.149.26 IKE
21  2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
22  2006-05-29 15:00:22 Send:[KE][NONCE] 193.90.149.26 194.248.167.110 IKE
23  2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
24  2006-05-29 15:00:22 Recv:[SA] 194.248.167.110 193.90.149.26 IKE
25  2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
26  2006-05-29 15:00:22 Send:[SA][VID][VID] 193.90.149.26 194.248.167.110 IKE
27  2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x0000000000000000 193.90.149.26 194.248.167.110 IKE
28  2006-05-29 15:00:22 Send Main Mode request to [194.248.167.110] 193.90.149.26 194.248.167.110 IKE
29  2006-05-29 15:00:22 Rule [B2C] Sending IKE request 193.90.149.26 194.248.167.110 IKE
30  2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x0000000000000000
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16783907
If the packets are not encrypted then there is a problem with the VPN policy on the sending end. Far too many options to be guessing, based on information provided.
By the way, make sure both ends of the tunnel are using different subnets, such as 192.168.1.x and 192.168.2.x. This would not affect the encryption but can cause: "i can connect with remote network but i am unable to access it"
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16783963
Sorry I didn't see your last 2 comments before posting. Still, check the subnets.
As for the above log, I don't see the problem. Are both sides configured identically with the same 3DES, SHA-1 and PFS?
0
 

Author Comment

by:anuja_rex
ID: 16784517
Both ends are configured with the same IPsec proposal.

Local Network
Address Type: Single Address / Range Address / Subnet Address
Starting IP Address: . . .
Ending IP Address / Subnet Mask: . . .
Local Port: Start / End

Remote Network
Address Type: Single Address / Range Address / Subnet Address
Starting IP Address: . . .
Ending IP Address / Subnet Mask: . . .
Remote Port: Start / End

How to configure these 2 settings?
0
 

Author Comment

by:anuja_rex
ID: 16784645
Phase 2

local 192.168.2.4 / 255.255.255.0
remote 194.248.167.88 / 255.255.255.255

Is this OK?
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16784671
It is difficult to explain without seeing your configuration, as there are so many options. I cannot find a manual for the Zywall 4 but did find information for the model 5. Perhaps it is similar. VPN section starts on page 308 and screen shots on 325.
http://us.zyxel.com/web/download/200409091882822004121617415120040811211941_20051216_4.0XD_WZ_WM-ZyWALL5-35-70_UG_V4-0_2005-12-14.pdf

If connecting two sites you are better to choose an "address type" of subnet, rather than address range. For example if you have 2 sites:
Site 'A' local subnet 192.168.1.0
Site 'B' local subnet 192.168.2.0

Configure as follows:
Site 'A' router
Local Network
Address Type= Subnet
Starting IP Address=  192.168.1.0  (usually this would be 192.168.1.0 however the manual suggests using an existing IP on that subnet)
Ending IP Address / Subnet Mask= 255.255.255.0
Local Port Start= 0  (0 is the default =any)
Local Port End= 0

Remote Network  
Address Type= Subnet
Starting IP Address=  192.168.2.0  (usually this would be 192.168.2.0 however the manual suggests using an existing IP on that subnet)
Ending IP Address / Subnet Mask= 255.255.255.0
Local Port Start= 0  (0 is the default =any)
Local Port End= 0

Site 'B' router
Local Network
Address Type= Subnet
Starting IP Address=  192.168.2.0  (usually this would be 192.168.2.0 however the manual suggests using an existing IP on that subnet)
Ending IP Address / Subnet Mask= 255.255.255.0
Local Port Start= 0  (0 is the default =any)
Local Port End= 0  

Remote Network  
Address Type= Subnet
Starting IP Address=  192.168.1.0  (usually this would be 192.168.1.0 however the manual suggests using an existing IP on that subnet)
Ending IP Address / Subnet Mask= 255.255.255.0
Local Port Start= 0  (0 is the default =any)
Local Port End= 0  
 
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16784688
>>"Phase 2
local 192.168.2.4 / 255.255.255.0
remote 194.248.167.88 / 255.255.255.255
is this ok"

Usually, except for gateway references, they are referring to the LAN addressing, not the WAN/public.
0
 

Author Comment

by:anuja_rex
ID: 16784827
For the local net we use 192.168.2.0/24 and for the remote network they use 194.248.167.0/32. Is it possible to use a 255.255.255.255 subnet mask for any PC? I get this information from the remote administrator.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16784884
- Do you have 2 VPN routers, 1 at each site, or are you connecting a VPN software client to a VPN router?
If a single VPN client you could use 194.248.167.0/32 but not site to site. This is usually only done automatically with a virtual adapter.
However:
- Is this IP 194.248.167.0/32 the local network address? If so that could cause problems with your routing. Private networks should be part of one of the following:
192.168.0.0 - 192.168.255.255
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
The subnet 194.248.167.0 is considered a public IP and should only be used for the WAN/public side of the network, and would be assigned by a service provider. This particular subnet is owned by a Norwegian service provider. Would that be the case? If so I suspect that is the WAN not LAN subnet.
0
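
A check of the phase 2 selector advice in the answers above (mirrored subnets on each gateway, private ranges on the LAN side), as an added example that is not part of the original thread. The function names are made up for illustration, and the far side's policy for the asker's values is assumed to be a mirror image, since it is not shown on the page.

```python
import ipaddress

# Private ranges as listed in the comment above (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_selector(address, mask):
    """Turn an 'address / subnet mask' pair into a network; host bits are dropped."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)

def check_policy(name, local, remote):
    """Return findings for one gateway's phase 2 local/remote selectors."""
    findings = []
    if local.overlaps(remote):
        findings.append(f"{name}: local {local} overlaps remote {remote}")
    for label, net in (("local", local), ("remote", remote)):
        if not any(net.subnet_of(p) for p in PRIVATE_NETS):
            findings.append(f"{name}: {label} {net} is public address space")
        if net.prefixlen == 32:
            findings.append(f"{name}: {label} {net} is a single host, not a subnet")
    return findings

def check_pair(site_a, site_b):
    """Selectors must mirror: A's local is B's remote and vice versa."""
    findings = check_policy("A", *site_a) + check_policy("B", *site_b)
    if site_a[0] != site_b[1] or site_a[1] != site_b[0]:
        findings.append("A/B: selectors are not mirror images of each other")
    return findings

# Mirrored layout from the answer above (192.168.1.0/24 <-> 192.168.2.0/24).
good_a = (parse_selector("192.168.1.0", "255.255.255.0"),
          parse_selector("192.168.2.0", "255.255.255.0"))
good_b = (good_a[1], good_a[0])

# Phase 2 values the asker posted; the peer's policy is not on the page,
# so a mirrored peer is assumed here for illustration.
asked_a = (parse_selector("192.168.2.4", "255.255.255.0"),
           parse_selector("194.248.167.88", "255.255.255.255"))
asked_b = (asked_a[1], asked_a[0])

if __name__ == "__main__":
    print(check_pair(good_a, good_b) or "mirrored private subnets: no findings")
    for finding in check_pair(asked_a, asked_b):
        print(finding)
```
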
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16980608
anuja_rex, did you resolve the issue? Was 194.248.167.0/32  the local network address and problem?
--Rob
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 17184962
Thanks anuja_rex,
--Rob
0
 

Expert Comment

by:Drabant
ID: 23603305
I didn't quite get the solution ... and am having similar problems.

ZyWALL 5 UTM - SonicWall TZ 170 Standard

I used to have a VPN connection up and running, but after upgrading the firmware on the ZyWALL 5 all VPNs on that don't work any more.
0
