anuja_rex
asked on
Zyxel firewall and VPN
I have a Zyxel ZyWALL 4 firewall. I configured a VPN connection with a remote network. I can connect with the remote network but I am unable to access it. I tried to ping the remote router but I get a request timeout. How do I solve this?
ASKER
I have an SDSL 10 Mb connection. The SDSL modem is connected to the firewall.
IKE Phase 1 3DES, SHA1 , Diffie-Hellman Group2(1024 bit) Renegotiate every 1440 Minutes
IKE Phase 2 3DES SHA1 , PFS Group2(1024 bit) Renegotiate IPSec security associations every 3600 seconds
ASKER
2006-05-29 15:00:24 Rule [B2C Net] Tunnel built successfully 193.90.149.26 194.248.167.110 IKE
2 2006-05-29 15:00:24 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
3 2006-05-29 15:00:24 Send:[HASH] 193.90.149.26 194.248.167.110 IKE
4 2006-05-29 15:00:24 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
5 2006-05-29 15:00:24 Adjust TCP MSS to 1398 193.90.149.26 194.248.167.110 IKE
6 2006-05-29 15:00:23 Recv:[HASH][SA][NONCE][KE] [ID][ID] 194.248.167.110 193.90.149.26 IKE
7 2006-05-29 15:00:23 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
8 2006-05-29 15:00:23 Rule[B2C] receives duplicate packet 194.248.167.110 193.90.149.26 IKE
9 2006-05-29 15:00:23 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
10 2006-05-29 15:00:23 Rule[B2C] receives duplicate packet 194.248.167.110 193.90.149.26 IKE
11 2006-05-29 15:00:23 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
12 2006-05-29 15:00:23 Send:[HASH][SA][NONCE][KE] [ID][ID] 193.90.149.26 194.248.167.110 IKE
13 2006-05-29 15:00:23 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
14 2006-05-29 15:00:22 Phase 1 IKE SA process done 193.90.149.26 194.248.167.110 IKE
15 2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
16 2006-05-29 15:00:22 Recv:[ID][HASH] 194.248.167.110 193.90.149.26 IKE
17 2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
18 2006-05-29 15:00:22 Send:[ID][HASH][NOTFY:INIT_CONTACT] 193.90.149.26 194.248.167.110 IKE
19 2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
20 2006-05-29 15:00:22 Recv:[KE][NONCE] 194.248.167.110 193.90.149.26 IKE
21 2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
22 2006-05-29 15:00:22 Send:[KE][NONCE] 193.90.149.26 194.248.167.110 IKE
23 2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
24 2006-05-29 15:00:22 Recv:[SA] 194.248.167.110 193.90.149.26 IKE
25 2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 194.248.167.110 193.90.149.26 IKE
26 2006-05-29 15:00:22 Send:[SA][VID][VID] 193.90.149.26 194.248.167.110 IKE
27 2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x0000000000000000 193.90.149.26 194.248.167.110 IKE
28 2006-05-29 15:00:22 Send Main Mode request to [194.248.167.110] 193.90.149.26 194.248.167.110 IKE
29 2006-05-29 15:00:22 Rule [B2C] Sending IKE request 193.90.149.26 194.248.167.110 IKE
30 2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x0000000000000000
If the packets are not encrypted then there is a problem with the VPN policy on the sending end. Far too many options to be guessing, based on information provided.
By the way, make sure both ends of the tunnel are using different subnets, such as 192.168.1.x and 192.168.2.x. This would not affect the encryption but can cause "I can connect with the remote network but I am unable to access it".
Sorry I didn't see your last 2 comments before posting. Still, check the subnets.
As for the above log, I don't see the problem. Are both sides configured identically with the same 3DES, SHA-1 and PFS?
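As an added example (my code, not part of this thread or of ZyXEL's software), a small Python triage script that parses ZyWALL IKE log lines of the kind posted above and reports how far the negotiation got, which is the check behind "I don't see the problem" in the reply. The sample entries are copied from the log in this thread; the line format (optional entry number, date, time, message, source, destination, protocol) is inferred from those entries and is an assumption, as is the wording of the verdicts.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed ZyWALL IKE log format, inferred from the entries posted in this thread:
# [entry number] date time message source-IP destination-IP protocol
LINE_RE = re.compile(
    r"^(?:(?P<idx>\d+)\s+)?(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<msg>.*?)\s+(?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) (?P<proto>\w+)$"
)

# Entries copied from the log in this thread (newest first, as the ZyWALL lists them).
# The last entry was cut off in the post and has no source/destination, which the
# parser must tolerate.
SAMPLE_LOG = """\
2006-05-29 15:00:24 Rule [B2C Net] Tunnel built successfully 193.90.149.26 194.248.167.110 IKE
2 2006-05-29 15:00:24 The cookie pair is : 0x219470E933E94233 / 0x3705AA4ACE4CE811 193.90.149.26 194.248.167.110 IKE
5 2006-05-29 15:00:24 Adjust TCP MSS to 1398 193.90.149.26 194.248.167.110 IKE
6 2006-05-29 15:00:23 Recv:[HASH][SA][NONCE][KE] [ID][ID] 194.248.167.110 193.90.149.26 IKE
8 2006-05-29 15:00:23 Rule[B2C] receives duplicate packet 194.248.167.110 193.90.149.26 IKE
10 2006-05-29 15:00:23 Rule[B2C] receives duplicate packet 194.248.167.110 193.90.149.26 IKE
12 2006-05-29 15:00:23 Send:[HASH][SA][NONCE][KE] [ID][ID] 193.90.149.26 194.248.167.110 IKE
14 2006-05-29 15:00:22 Phase 1 IKE SA process done 193.90.149.26 194.248.167.110 IKE
28 2006-05-29 15:00:22 Send Main Mode request to [194.248.167.110] 193.90.149.26 194.248.167.110 IKE
29 2006-05-29 15:00:22 Rule [B2C] Sending IKE request 193.90.149.26 194.248.167.110 IKE
30 2006-05-29 15:00:22 The cookie pair is : 0x219470E933E94233 / 0x0000000000000000
"""


@dataclass
class IkeEntry:
    idx: Optional[int]
    timestamp: str
    msg: str
    src: str
    dst: str
    proto: str


def parse_line(line: str) -> Optional[IkeEntry]:
    """Parse one log line; return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    idx = int(m["idx"]) if m["idx"] else None
    return IkeEntry(idx, f"{m['date']} {m['time']}", m["msg"], m["src"], m["dst"], m["proto"])


def verdict(s: Dict[str, object]) -> str:
    """Translate the milestones reached into the next thing to check."""
    if s["tunnel_built"]:
        return ("IKE phase 1 and phase 2 both completed: the proposals match, so check the "
                "phase 2 local/remote networks, overlapping subnets, routing and firewall "
                "rules rather than the encryption settings")
    if s["phase1_done"]:
        return "phase 1 completed but no phase 2 SA: compare the IPsec proposal and the network selectors"
    return "phase 1 never completed: check the IKE proposal, pre-shared key and peer reachability"


def summarize(log_text: str) -> Dict[str, object]:
    """Walk the log in negotiation order and record the milestones it reached."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    parsed = [parse_line(ln) for ln in lines]
    entries = [e for e in parsed if e is not None]
    entries.reverse()  # the log lists newest first; we want oldest first
    s: Dict[str, object] = {
        "local_gateway": None, "remote_gateway": None,
        "phase1_done": False, "tunnel_built": False,
        "duplicate_packets": 0, "tcp_mss": None,
        "unparsed": len(parsed) - len(entries),
    }
    for e in entries:
        if "Sending IKE request" in e.msg:
            s["local_gateway"], s["remote_gateway"] = e.src, e.dst
        elif "Phase 1 IKE SA process done" in e.msg:
            s["phase1_done"] = True
        elif "Tunnel built successfully" in e.msg:
            s["tunnel_built"] = True
        elif "receives duplicate packet" in e.msg:
            s["duplicate_packets"] += 1
        else:
            mss = re.search(r"Adjust TCP MSS to (\d+)", e.msg)
            if mss:
                s["tcp_mss"] = int(mss.group(1))
    s["verdict"] = verdict(s)
    return s


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

For the log in this thread the script reports phase 1 done, tunnel built, two duplicate packets and an MSS of 1398, and the verdict points away from the proposals and towards the phase 2 networks and routing, which is where the rest of the thread goes.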
ASKER
Both ends are configured with the same IPsec proposal.
Local Network
Address Type: Single Address / Range Address / Subnet Address
Starting IP Address . . .
Ending IP Address / Subnet Mask . . .
Local Port Start End
Remote Network
Address Type: Single Address / Range Address / Subnet Address
Starting IP Address . . .
Ending IP Address / Subnet Mask . . .
Remote Port Start End
How do I configure these 2 settings?
ASKER
Phase 2
local 192.168.2.4 / 255.255.255.0
remote 194.248.167.88 / 255.255.255.255
Is this OK?
It is difficult to explain without seeing your configuration, as there are so many options. I cannot find a manual for the Zywall 4 but did find information for the model 5. Perhaps it is similar. VPN section starts on page 308 and screen shots on 325.
http://us.zyxel.com/web/download/200409091882822004121617415120040811211941_20051216_4.0XD_WZ_WM-ZyWALL5-35-70_UG_V4-0_2005-12-14.pdf
If connecting two sites you are better to choose an "address type" of subnet, rather than address range. For example if you have 2 sites:
Site 'A' local subnet 192.168.1.0
Site 'B' local subnet 192.168.2.0
Configure as follows:
Site 'A' router
Local Network
Address Type= Subnet
Starting IP Address= 192.168.1.0 (usually this would be 192.168.1.0 however the manual suggests using an existing IP on that subnet)
Ending IP Address / Subnet Mask= 255.255.255.0
Local Port Start= 0 (0 is the default =any)
Local Port End= 0
Remote Network
Address Type= Subnet
Starting IP Address= 192.168.2.0 (usually this would be 192.168.2.0 however the manual suggests using an existing IP on that subnet)
Ending IP Address / Subnet Mask= 255.255.255.0
Local Port Start= 0 (0 is the default =any)
Local Port End= 0
Site 'B' router
Local Network
Address Type= Subnet
Starting IP Address= 192.168.2.0 (usually this would be 192.168.2.0 however the manual suggests using an existing IP on that subnet)
Ending IP Address / Subnet Mask= 255.255.255.0
Local Port Start= 0 (0 is the default =any)
Local Port End= 0
Remote Network
Address Type= Subnet
Starting IP Address= 192.168.1.0 (usually this would be 192.168.1.0 however the manual suggests using an existing IP on that subnet)
Ending IP Address / Subnet Mask= 255.255.255.0
Local Port Start= 0 (0 is the default =any)
Local Port End= 0
>>"Phase 2
local 192.168.2.4 / 255.255.255.0
remote 194.248.167.88 / 255.255.255.255
is this ok"
Usually, except for gateway references, they are referring to the LAN addressing, not the WAN/public.
ASKER
On the local net we use 192.168.2.0/24 and on the remote network they use 194.248.167.0/32. Is it possible to use a 255.255.255.255 subnet mask for any PC? I got this information from the remote administrator.
-Do you have 2 VPN routers, 1 at each site, or are you connecting a VPN software client to a VPN router?
If it is a single VPN client you could use 194.248.167.0/32, but not site-to-site. This is usually only done automatically with a virtual adapter.
However:
-Is this IP 194.248.167.0/32 the local network address? If so that could cause problems with your routing. Private networks should be part of one of the following:
192.168.0.0 - 192.168.255.255
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
The subnet 194.248.167.0 is considered public IP space and should only be used for the WAN/public side of the network, and would be assigned by a service provider. This particular subnet is owned by a Norwegian service provider. Would that be the case? If so I suspect that is the WAN, not the LAN, subnet.
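As an added example (my code, not the thread's or ZyXEL's), a Python checker for the Phase 2 Local Network / Remote Network settings discussed in the two replies above. It converts the ZyWALL form fields (Address Type, Starting IP Address, Ending IP Address / Subnet Mask) into CIDR networks and then applies the rules given in those replies to a site-to-site pair: LAN subnets inside the three private ranges listed, the two ends on different non-overlapping subnets, each gateway's remote network mirroring the other's local network, and a /32 remote flagged as a client-style setting rather than a site-to-site one. The "Site A"/"Site B" values are the recommended ones from the reply above; the "as posted" pair uses the asker's values with a constructed, assumed policy for the far gateway, which is not on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

IPv4Net = ipaddress.IPv4Network

# The private ranges listed in the reply above (RFC 1918).
RFC1918 = [IPv4Net("10.0.0.0/8"), IPv4Net("172.16.0.0/12"), IPv4Net("192.168.0.0/16")]


def is_rfc1918(net: IPv4Net) -> bool:
    return any(net.subnet_of(block) for block in RFC1918)


def selector_from_form(address_type: str, start: str, end_or_mask: str) -> List[IPv4Net]:
    """Convert the ZyWALL VPN form fields (Address Type, Starting IP Address,
    Ending IP Address / Subnet Mask) into CIDR networks.

    'Subnet' always yields exactly one network. 'Range' may need several
    networks to cover it (e.g. 192.168.1.10-192.168.1.20 needs four), which is
    one reason 'Subnet' is the better choice for a site-to-site tunnel."""
    kind = address_type.strip().lower()
    if kind == "subnet":
        # strict=False accepts a host address on the subnet (192.168.2.4/255.255.255.0),
        # as the manual allows, and normalises it to the network (192.168.2.0/24).
        return [IPv4Net(f"{start}/{end_or_mask}", strict=False)]
    if kind == "range":
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end_or_mask)
        return list(ipaddress.summarize_address_range(first, last))
    if kind == "single address":
        return [IPv4Net(f"{start}/32")]
    raise ValueError(f"unknown address type: {address_type!r}")


@dataclass(frozen=True)
class Phase2Policy:
    site: str
    local: IPv4Net   # "Local Network" on this gateway
    remote: IPv4Net  # "Remote Network" on this gateway


def check_site_to_site(a: Phase2Policy, b: Phase2Policy) -> List[str]:
    """Apply the thread's rules to the Phase 2 policies of two gateways.
    Returns a list of findings; an empty list means nothing to complain about."""
    findings: List[str] = []
    for p in (a, b):
        if not is_rfc1918(p.local):
            findings.append(f"{p.site}: local network {p.local} is public address space; "
                            f"a LAN behind the tunnel should be in 10/8, 172.16/12 or 192.168/16")
        if p.remote.prefixlen == 32:
            findings.append(f"{p.site}: remote network {p.remote} is a single host (/32); "
                            f"that fits a software VPN client, not a site-to-site LAN")
    if a.local.overlaps(b.local):
        findings.append(f"local networks {a.local} and {b.local} overlap; the tunnel can build "
                        f"but hosts will not reach the far side because the address looks local")
    if b.remote != a.local:
        findings.append(f"{b.site}: remote network {b.remote} does not mirror {a.site} local {a.local}")
    if a.remote != b.local:
        findings.append(f"{a.site}: remote network {a.remote} does not mirror {b.site} local {b.local}")
    return findings


# Recommended layout from the reply above: two different RFC 1918 /24s, mirrored.
SITE_A = Phase2Policy("Site A", selector_from_form("Subnet", "192.168.1.0", "255.255.255.0")[0],
                      selector_from_form("Subnet", "192.168.2.0", "255.255.255.0")[0])
SITE_B = Phase2Policy("Site B", selector_from_form("Subnet", "192.168.2.0", "255.255.255.0")[0],
                      selector_from_form("Subnet", "192.168.1.0", "255.255.255.0")[0])

# The asker's Phase 2 values (local 192.168.2.4 / 255.255.255.0, remote
# 194.248.167.88 / 255.255.255.255). The far gateway's policy is not in the
# thread; the mirrored one below is constructed for this example.
ZYWALL = Phase2Policy("ZyWALL 4", selector_from_form("Subnet", "192.168.2.4", "255.255.255.0")[0],
                      selector_from_form("Subnet", "194.248.167.88", "255.255.255.255")[0])
FAR_END = Phase2Policy("remote gateway (assumed)", IPv4Net("194.248.167.88/32"), IPv4Net("192.168.2.0/24"))

if __name__ == "__main__":
    for label, pair in (("recommended", (SITE_A, SITE_B)), ("as posted", (ZYWALL, FAR_END))):
        print(label, check_site_to_site(*pair) or ["no findings"])
```

Run on the recommended layout the checker returns nothing; run on the posted values it returns two findings, the /32 remote on the ZyWALL and the public range used as a LAN on the far side, which are the two points the reply above raises.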
anuja_rex, did you resolve the issue? Was 194.248.167.0/32 the local network address and problem?
--Rob
Thanks anuja_rex,
--Rob
I didn't quite get the solution... and I am having similar problems.
Zywall 5 UTM - Sonicwall TZ 170 Standard
I used to have a VPN connection up and running, but after upgrading the firmware on the Zywall 5, none of the VPNs on it work any more.