VPN between two ZyWall 2+ (Dynamic-to-Dynamic)  -  IKE Packet retransmit problem

Posted on 2009-04-29
Last Modified: 2012-05-06
Hello,
I would like to connect two offices using a VPN tunnel, but I've some difficulties.

Here the configurations:

Site1:
------
- ADSL with dynamic IP from the Provider, registered at DynDNS.org to have the host name available (site1.dyndns.org).
- The ADSL router (Motorola) has the LAN side configured to act as DHCP server on the range 192.168.20.0/24
- A ZyWall 2+ is connected to this router and gets its IP address from it.
  - In the DDNS settings on the ZyWall I've the entry for site1.dyndns.org
  - FW is enabled
  - LAN is configured to be DHCP server to provide IP addresses to the PCs in the office (IP range 192.168.2.0/24)

VPN settings for Site1:
Gateway Policy Property Name:      CompanyNetwork

Gateway Policy Setting
  My ZyWALL:                  site1.dyndns.org
  RemoteGateway Address:      site2.dyndns.org

Network Policy Property
  Active:                  YES
  Name:                  Site1-To-Site2

Network Policy Setting
  Local Network
    Starting IP address:      192.168.2.1
    Subnet Mask:            255.255.255.0
   
    Remote Network:            192.168.1.1
    Subnet Mask:            255.255.255.0

IKE Tunnel Setting (IKE Phase 1)
  Authentication for activating VPN
     Authentication By
     User Name
     Password
  Negotiation Mode:            Main Mode
  Encryption Algorithm:            3DES
  Authentication Algorithm :      SHA1
  Key Group :                  DH2
  SA Life Time:                  28800 s
  Pre-Shared Key:            MySharedKey1

IPSec Setting (IKE Phase 2)
  Encapsulation Mode:            Tunnel Mode
  IPSec Protocol:            ESP
  Encryption Algorithm :      DES
  Authentication Algorithm :      SHA1
  SA Life Time:                  28800 s
  Perfect Forward Secrecy (PFS): None



Site2:
------
- ADSL with dynamic IP from the Provider, registered at DynDNS.org to have the host name available (site2.dyndns.org).
- The ADSL router (ZyXEL P600H-D3) has the LAN side configured to act as DHCP server on the range 192.168.10.0/24, FW disabled
- A ZyWall 2+ is connected to this router and gets its IP address from it.
  - In the DDNS settings on the ZyWall I've the entry for site2.dyndns.org
  - FW is enabled
  - LAN is configured to be DHCP server to provide IP addresses to the PCs in the office (IP range 192.168.1.0/24)

VPN settings for Site2:
Gateway Policy Property Name:      CompanyNetwork

Gateway Policy Setting
  My ZyWALL:                  site2.dyndns.org
  RemoteGateway Address:      site1.dyndns.org

Network Policy Property
  Active:                  YES
  Name:                  Site2-To-Site1

Network Policy Setting
  Local Network
    Starting IP address:      192.168.1.1
    Subnet Mask:            255.255.255.0
   
    Remote Network:            192.168.2.1
    Subnet Mask:            255.255.255.0

IKE Tunnel Setting (IKE Phase 1)
  Authentication for activating VPN
     Authentication By
     User Name
     Password
  Negotiation Mode:            Main Mode
  Encryption Algorithm:            3DES
  Authentication Algorithm :      SHA1
  Key Group :                  DH2
  SA Life Time:                  28800 s
  Pre-Shared Key:            MySharedKey1

IPSec Setting (IKE Phase 2)
  Encapsulation Mode:            Tunnel Mode
  IPSec Protocol:            ESP
  Encryption Algorithm :      DES
  Authentication Algorithm :      SHA1
  SA Life Time:                  28800 s
  Perfect Forward Secrecy (PFS): None

-----
When I test the connection, the VPN tunnel is not established.
In the LOG of both ZyWalls I see that the DNS resolution of the 2 sites is OK,
but I've the error:     IKE Packet Retransmit

I've tried to debug it in different ways but without success.

Do you have any idea what could be the problem?
How can I have a more detailed log for helping debugging?

Thank you for your help.
FP
Question by:fpifferini
Accepted Solution

by: arnold (earned 2000 total points)
ID: 24273777
First, did you configure the Motorola and the ZyXEL ADSL routers to pass UDP ports 500/4500 to the ZyWALL (port forwarding) and set up the two to allow VPN passthrough?

Note: remote network addresses must start at the network address, i.e. a Class C /24 has to be 192.168.2.0 255.255.255.255. See if changing that resolves your issue.
Here is an alternate solution:
1) Configure your ADSL routers in bridging mode (record the PPPoE information, since you would need to enter this information on the ZyWALL for the WAN configuration).
This way the ZyWALLs will have a public IP on the WAN side.
2) The policies as you have them seem to match.

Currently you have:
Internet <=> ADSL Router NAT <=> Zywall NAT <=> LAN
What you will have after changing to bridging mode:
Internet <=> ADSL Bridge <=> Zywall NAT <=> LAN

The WAN port of the ZyWALL will be the IP associated with sitex.dyndns.org.
Do you have a computer on the LAN updating Dynamic DNS, or is it a configuration on the ADSL/ZyWALL routers? This too might need to be adjusted if the updates were from the ADSL routers.

Author Closing Comment

by:fpifferini
ID: 31576307
Thank you for the quick solution. In fact the problem was the ADSL router, which I had initially configured as a router; after changing it to act as a bridge, the VPN started to work.