anuja_rex asked:

Zyxel firewall and vpn
I have a ZyXEL ZyWALL 4 firewall. I configured a VPN connection with a remote network. I can connect to the remote network but I am unable to access it. I tried to ping the remote router but I get a request timeout. How do I solve this?
ASKER CERTIFIED SOLUTION
Rob Williams (Canada)
anuja_rex (asker):

At the remote end they say that the packets sent from our side are not encrypted. Is there a problem with the settings or the internet line?
We have a 10 Mb SDSL connection; the SDSL modem is connected to the firewall.
IKE Phase 1: 3DES, SHA1, Diffie-Hellman Group 2 (1024 bit); renegotiate every 1440 minutes

IKE Phase 2: 3DES, SHA1, PFS Group 2 (1024 bit); renegotiate IPsec security associations every 3600 seconds
2006-05-29 15:00:24 Rule [B2C Net] Tunnel built successfully 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:24 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:24 Send:[HASH] 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:24 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:24 Adjust TCP MSS to 1398 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:23 Recv:[HASH][SA][NONCE][KE][ID][ID] 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:23 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:23 Rule[B2C] receives duplicate packet 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:23 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:23 Rule[B2C] receives duplicate packet 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:23 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:23 Send:[HASH][SA][NONCE][KE][ID][ID] 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:23 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 Phase 1 IKE SA process done 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 Recv:[ID][HASH] 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:22 Send:[ID][HASH][NOTFY:INIT_CONTACT] 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 Recv:[KE][NONCE] 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:22 Send:[KE][NONCE] 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 Recv:[SA] 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:22 Send:[SA][VID][VID] 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x0000000000000000 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 Send Main Mode request to [194.248.167.110] 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 Rule [B2C] Sending IKE request 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x0000000000000000
If the packets are not encrypted then there is a problem with the VPN policy on the sending end. Far too many options to be guessing, based on the information provided.
By the way, make sure both ends of the tunnel are using different subnets, such as 192.168.1.x and 192.168.2.x. This would not affect the encryption but can cause "I can connect with the remote network but I am unable to access it".
Sorry, I didn't see your last 2 comments before posting. Still, check the subnets.
As for the above log, I don't see the problem. Are both sides configured identically, with the same 3DES, SHA-1 and PFS?
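To make the "I don't see the problem" reading reproducible, here is an added example (not code from the thread or from ZyXEL) that parses ZyWALL IKE log lines like the ones posted above and reports how far the IKEv1 negotiation got. The sample log is constructed from the asker's lines (newest first, as the ZyWALL viewer lists them, with most cookie rows trimmed); the field layout "timestamp, message, source IP, destination IP, IKE" is an assumption read off those lines, and the wording of the verdicts is mine.

```python
"""Parse ZyWALL IKE log lines and check how far an IKEv1 negotiation got.

Added example for this thread, not code from the original page or from
ZyXEL. The sample log is constructed from the lines the asker posted
(newest first, as the ZyWALL log viewer shows them, cookie rows mostly
trimmed); the field layout '<timestamp> <message> <src IP> <dst IP> IKE'
is an assumption drawn from those lines.
"""
import re

# Constructed sample: a trimmed copy of the thread's log, newest first.
SAMPLE_LOG = """\
2006-05-29 15:00:24 Rule [B2C Net] Tunnel built successfully 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:24 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:24 Send:[HASH] 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:24 Adjust TCP MSS to 1398 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:23 Recv:[HASH][SA][NONCE][KE][ID][ID] 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:23 Rule[B2C] receives duplicate packet 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:23 Rule[B2C] receives duplicate packet 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:23 Send:[HASH][SA][NONCE][KE][ID][ID] 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 Phase 1 IKE SA process done 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 Recv:[ID][HASH] 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:22 Send:[ID][HASH][NOTFY:INIT_CONTACT] 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 Recv:[KE][NONCE] 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:22 Send:[KE][NONCE] 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 Recv:[SA] 194.248.167.110 193.90.149.26 IKE
2006-05-29 15:00:22 Send:[SA][VID][VID] 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 Send Main Mode request to [194.248.167.110] 193.90.149.26 194.248.167.110 IKE
2006-05-29 15:00:22 Rule [B2C] Sending IKE request 193.90.149.26 194.248.167.110 IKE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*?) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) IKE$"
)
# One ISAKMP payload tag such as [SA], [KE] or [NOTFY:INIT_CONTACT].
PAYLOAD_RE = re.compile(r"\[([A-Z_]+)(?::[A-Z_]+)?\]")


def parse_ike_log(text):
    """Replay the log oldest-first and record what each IKE phase did."""
    entries = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    entries.reverse()  # viewer order is newest first
    s = {
        "phase1_sent": [], "phase1_recv": [], "phase1_done": False,
        "phase2_sent": [], "phase2_recv": [], "pfs": False,
        "tunnel_built": False, "retransmits": 0, "tcp_mss": None,
        "peer": None,
    }
    phase = 1
    for e in entries:
        msg = e["msg"]
        if "Phase 1 IKE SA process done" in msg:
            s["phase1_done"] = True
            phase = 2          # everything after this is Quick Mode
        elif "Tunnel built successfully" in msg:
            s["tunnel_built"] = True
        elif "duplicate packet" in msg:
            s["retransmits"] += 1
        elif msg.startswith("Adjust TCP MSS to "):
            s["tcp_mss"] = int(msg.rsplit(" ", 1)[1])
        elif msg.startswith(("Send:", "Recv:")):
            if s["peer"] is None:
                s["peer"] = e["dst"] if msg.startswith("Send:") else e["src"]
            payloads = PAYLOAD_RE.findall(msg)
            direction = "sent" if msg.startswith("Send:") else "recv"
            s["phase%d_%s" % (phase, direction)].append(payloads)
            # A KE payload inside Quick Mode is a fresh Diffie-Hellman
            # exchange, i.e. PFS is in use on both sides.
            if phase == 2 and "KE" in payloads:
                s["pfs"] = True
    return s


def diagnose(s):
    """Turn the summary into the next troubleshooting step (my wording)."""
    if not s["phase1_done"]:
        return ("Phase 1 incomplete after %d sent/%d received Main Mode messages: "
                "check the pre-shared key, Phase 1 proposal and peer IDs"
                % (len(s["phase1_sent"]), len(s["phase1_recv"])))
    if not s["tunnel_built"]:
        return ("Phase 2 incomplete: check the Phase 2 proposal, PFS setting "
                "and the local/remote network selectors on both ends")
    return ("IKE negotiation completed: Main Mode %d sent/%d received, Quick "
            "Mode %d sent/%d received, PFS %s, %d retransmit(s). Encryption is "
            "negotiated; if traffic still fails, check the Phase 2 traffic "
            "selectors, overlapping subnets and routing rather than the proposal"
            % (len(s["phase1_sent"]), len(s["phase1_recv"]),
               len(s["phase2_sent"]), len(s["phase2_recv"]),
               "on" if s["pfs"] else "off", s["retransmits"]))


if __name__ == "__main__":
    print(diagnose(parse_ike_log(SAMPLE_LOG)))
```

Run as-is it reports the six Main Mode messages, the three Quick Mode messages (KE present, so PFS on), the two retransmits and the MSS clamp, and concludes that the SA came up, which is the point Rob makes: with both phases complete, the encryption settings are not where the fault lies.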
Both ends are configured with the same IPsec proposal.
Local Network
  Address Type: Single Address / Range Address / Subnet Address
  Starting IP Address: . . .
  Ending IP Address / Subnet Mask: . . .
  Local Port: Start / End

Remote Network
  Address Type: Single Address / Range Address / Subnet Address
  Starting IP Address: . . .
  Ending IP Address / Subnet Mask: . . .
  Remote Port: Start / End

How do I configure these 2 settings?
Phase 2

local 192.168.2.4 / 255.255.255.0
remote 194.248.167.88 / 255.255.255.255

Is this OK?
It is difficult to explain without seeing your configuration, as there are so many options. I cannot find a manual for the ZyWALL 4 but did find information for the model 5. Perhaps it is similar. The VPN section starts on page 308 and the screenshots on page 325.
http://us.zyxel.com/web/download/200409091882822004121617415120040811211941_20051216_4.0XD_WZ_WM-ZyWALL5-35-70_UG_V4-0_2005-12-14.pdf

If connecting two sites you are better off choosing an "address type" of Subnet rather than Address Range. For example, if you have 2 sites:
Site 'A' local subnet 192.168.1.0
Site 'B' local subnet 192.168.2.0

Configure as follows:
Site 'A' router
Local Network
Address Type = Subnet
Starting IP Address = 192.168.1.0 (usually this would be 192.168.1.0; however, the manual suggests using an existing IP on that subnet)
Ending IP Address / Subnet Mask = 255.255.255.0
Local Port Start = 0 (0 is the default = any)
Local Port End = 0

Remote Network
Address Type = Subnet
Starting IP Address = 192.168.2.0 (usually this would be 192.168.2.0; however, the manual suggests using an existing IP on that subnet)
Ending IP Address / Subnet Mask = 255.255.255.0
Local Port Start = 0 (0 is the default = any)
Local Port End = 0

Site 'B' router
Local Network
Address Type = Subnet
Starting IP Address = 192.168.2.0 (usually this would be 192.168.2.0; however, the manual suggests using an existing IP on that subnet)
Ending IP Address / Subnet Mask = 255.255.255.0
Local Port Start = 0 (0 is the default = any)
Local Port End = 0

Remote Network
Address Type = Subnet
Starting IP Address = 192.168.1.0 (usually this would be 192.168.1.0; however, the manual suggests using an existing IP on that subnet)
Ending IP Address / Subnet Mask = 255.255.255.0
Local Port Start = 0 (0 is the default = any)
Local Port End = 0
 
>>"Phase 2
local 192.168.2.4 / 255.255.255.0
remote 194.248.167.88 / 255.255.255.255
is this ok"

Usually, except for gateway references, they are referring to the LAN addressing, not the WAN/public.
For the local net we use 192.168.2.0/24 and for the remote network they use 194.248.167.0/32. Is it possible to use a 255.255.255.255 subnet mask for any PC? I got this information from the remote administrator.
-Do you have 2 VPN routers, 1 at each site, or are you connecting a VPN software client to a VPN router?
If a single VPN client, you could use 194.248.167.0/32, but not site to site. This is usually only done automatically with a virtual adapter.
However:
-Is this IP 194.248.167.0/32 the local network address? If so, that could cause problems with your routing. Private networks should be part of one of the following:
192.168.0.0 - 192.168.255.255
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
The subnet 194.248.167.0 is considered public IP space and should only be used for the WAN/public side of the network, and would be assigned by a service provider. This particular subnet is owned by a Norwegian service provider. Would that be the case? If so, I suspect that is the WAN, not the LAN, subnet.
anuja_rex, did you resolve the issue? Was 194.248.167.0/32  the local network address and problem?
--Rob
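The checks Rob spells out across his Site A / Site B walkthrough and the follow-up on 194.248.167.0/32 (Subnet address type with network plus mask, different LAN subnets at the two ends, RFC 1918 space for a LAN selector, /32 only for a single VPN client, each router's Remote Network mirroring the other's Local Network) can be run mechanically. The following is an added example, not code from the thread or from ZyXEL: it takes the ZyWALL form fields as the asker pasted them, flags the asker's posted Phase 2 values, and builds the corrected site-to-site pair. The severity labels and function names are my own.

```python
"""Sanity-check IPsec Phase 2 traffic selectors for a ZyWALL site-to-site tunnel.

Added example for this thread, not code from the original page or from
ZyXEL. It encodes the checks Rob Williams describes (address type Subnet
with network address plus mask, different LAN subnets at the two sites,
RFC 1918 space for LANs, /32 only for a single VPN client) and runs them
over two constructed policies: the one the asker posted and the corrected
pair from the Site A / Site B walkthrough. Field names mirror the ZyWALL
form the asker pasted; the severity labels are my own.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def selector(address, mask):
    """Turn 'Starting IP Address' + 'Subnet Mask' into the network covered.

    strict=False accepts a host address such as 192.168.2.4 with a /24 mask
    (the manual allows an existing host IP here) and normalises it to the
    network 192.168.2.0/24 that the selector actually matches.
    """
    return ipaddress.ip_network("%s/%s" % (address, mask), strict=False)


def check_phase2(local_addr, local_mask, remote_addr, remote_mask,
                 site_to_site=True):
    """Return (severity, message) findings for one side's Phase 2 policy."""
    findings = []
    nets = {"local": selector(local_addr, local_mask),
            "remote": selector(remote_addr, remote_mask)}
    for name, addr in (("local", local_addr), ("remote", remote_addr)):
        if ipaddress.ip_address(addr) != nets[name].network_address:
            findings.append(("info", "%s start %s is a host address; the "
                             "selector covers %s" % (name, addr, nets[name])))
    if nets["local"].overlaps(nets["remote"]):
        findings.append(("error", "local %s and remote %s overlap; each site "
                         "needs its own subnet" % (nets["local"], nets["remote"])))
    for name, net in nets.items():
        if not any(net.subnet_of(p) for p in RFC1918):
            findings.append(("warn", "%s %s is public address space; a LAN "
                             "selector is normally RFC 1918, this looks like a "
                             "WAN address" % (name, net)))
    if site_to_site and nets["remote"].prefixlen == 32:
        findings.append(("warn", "remote %s is a single host (/32); that suits "
                         "one VPN software client, a site-to-site policy needs "
                         "the remote LAN subnet" % nets["remote"]))
    return findings


def site_policies(site_a_lan, site_b_lan):
    """Build the matching policy pair: each router's Remote Network is the
    other router's Local Network, port 0 = any."""
    a, b = ipaddress.ip_network(site_a_lan), ipaddress.ip_network(site_b_lan)

    def network(net, port_label):
        return {"Address Type": "Subnet",
                "Starting IP Address": str(net.network_address),
                "Ending IP Address / Subnet Mask": str(net.netmask),
                port_label + " Port Start": 0, port_label + " Port End": 0}

    def policy(local, remote):
        return {"Local Network": network(local, "Local"),
                "Remote Network": network(remote, "Remote")}

    return {"Site A": policy(a, b), "Site B": policy(b, a)}


def policies_match(side_a, side_b):
    """True when A's local selector is B's remote one and vice versa; IKEv1
    Quick Mode expects the two ends to propose mirrored selectors."""
    keys = ("Starting IP Address", "Ending IP Address / Subnet Mask")

    def sel(block):
        return tuple(block[k] for k in keys)

    return (sel(side_a["Local Network"]) == sel(side_b["Remote Network"]) and
            sel(side_a["Remote Network"]) == sel(side_b["Local Network"]))


if __name__ == "__main__":
    # Constructed input: the asker's posted Phase 2 values.
    for sev, msg in check_phase2("192.168.2.4", "255.255.255.0",
                                 "194.248.167.88", "255.255.255.255"):
        print(sev.upper(), msg)
    pair = site_policies("192.168.1.0/24", "192.168.2.0/24")
    print("corrected pair matches:", policies_match(pair["Site A"], pair["Site B"]))
```

On the asker's values the check reports the host-address normalisation as information and two warnings (the remote selector is public address space and a /32), with no overlap; on the 192.168.1.0/24 and 192.168.2.0/24 pair it reports nothing and confirms the two policies mirror each other.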
Thanks anuja_rex,
--Rob
I didn't quite get the solution... and I am having similar problems.

ZyWALL 5 UTM - SonicWALL TZ 170 Standard

I used to have a VPN connection up and running, but after upgrading the firmware on the ZyWALL 5 none of the VPNs on it work any more.