VPN between two ZyWall 2+ (Dynamic-to-Dynamic) - IKE Packet retransmit problem

Hello,
I would like to connect two offices using a VPN tunnel, but I've some difficulties.

Here are the configurations:

Site1:
------
- ADSL with dynamic IP from the Provider, registered at DynDNS.org to have the host name available (site1.dyndns.org).
- The ADSL router (Motorola) has the LAN side configured to act as DHCP server on the range 192.168.20.0/24
- A ZyWall 2+ is connected to this router and gets its IP address from it.
  - In the DDNS settings on the ZyWall I've the entry for site1.dyndns.org
  - FW is enabled
  - LAN is configured to be DHCP server to provide IP addresses to the PCs in the office (IP range 192.168.2.0/24)

VPN settings for Site1:
Gateway Policy Property Name:      CompanyNetwork

Gateway Policy Setting
  My ZyWALL:                  site1.dyndns.org
  RemoteGateway Address:      site2.dyndns.org

Network Policy Property
  Active:                  YES
  Name:                  Site1-To-Site2

Network Policy Setting
  Local Network
    Starting IP address:      192.168.2.1
    Subnet Mask:            255.255.255.0
   
    Remote Network:            192.168.1.1
    Subnet Mask:            255.255.255.0

IKE Tunnel Setting (IKE Phase 1)
  Authentication for activating VPN
     Authentication By
     User Name
     Password
  Negotiation Mode:            Main Mode
  Encryption Algorithm:            3DES
  Authentication Algorithm :      SHA1
  Key Group :                  DH2
  SA Life Time:                  28800 s
  Pre-Shared Key:            MySharedKey1

IPSec Setting (IKE Phase 2)
  Encapsulation Mode:            Tunnel Mode
  IPSec Protocol:            ESP
  Encryption Algorithm :      DES
  Authentication Algorithm :      SHA1
  SA Life Time:                  28800 s
  Perfect Forward Secrecy (PFS): None



Site2:
------
- ADSL with dynamic IP from the Provider, registered at DynDNS.org to have the host name available (site2.dyndns.org).
- The ADSL router (ZyXEL P600H-D3) has the LAN side configured to act as DHCP server on the range 192.168.10.0/24, FW disabled
- A ZyWall 2+ is connected to this router and gets its IP address from it.
  - In the DDNS settings on the ZyWall I've the entry for site2.dyndns.org
  - FW is enabled
  - LAN is configured to be DHCP server to provide IP addresses to the PCs in the office (IP range 192.168.1.0/24)

VPN settings for Site2:
Gateway Policy Property Name:      CompanyNetwork

Gateway Policy Setting
  My ZyWALL:                  site2.dyndns.org
  RemoteGateway Address:      site1.dyndns.org

Network Policy Property
  Active:                  YES
  Name:                  Site2-To-Site1

Network Policy Setting
  Local Network
    Starting IP address:      192.168.1.1
    Subnet Mask:            255.255.255.0
   
    Remote Network:            192.168.2.1
    Subnet Mask:            255.255.255.0

IKE Tunnel Setting (IKE Phase 1)
  Authentication for activating VPN
     Authentication By
     User Name
     Password
  Negotiation Mode:            Main Mode
  Encryption Algorithm:            3DES
  Authentication Algorithm :      SHA1
  Key Group :                  DH2
  SA Life Time:                  28800 s
  Pre-Shared Key:            MySharedKey1

IPSec Setting (IKE Phase 2)
  Encapsulation Mode:            Tunnel Mode
  IPSec Protocol:            ESP
  Encryption Algorithm :      DES
  Authentication Algorithm :      SHA1
  SA Life Time:                  28800 s
  Perfect Forward Secrecy (PFS): None

-----
When I test the connection, the VPN tunnel is not established.
In the LOG of both ZyWalls I see that the DNS resolution of the 2 sites is OK,
but I've the error:     IKE Packet Retransmit

I've tried to debug it in different ways but without success.

Do you have any idea what could be the problem?
How can I have a more detailed log to help with debugging?

Thank you for your help.
FP
fpifferini Asked:

arnold Commented:
First, did you configure the motorola and the zyxel ADSL to pass the UDP port 500/4500 to the Zywall port forwarding and setup the two to allow VPN passthrough?

Note remote network addresses must start at the network address, i.e. a Class C /24 has to be 192.168.2.0 255.255.255.255. See if changing that resolves your issue.
Here is an alternate solution:
1) Configure your ADSL routers in bridging mode (record the PPPoE information since you would need to enter this information on the Zywall for the WAN configuration).
This way the Zywalls will have a public IP on the WAN side.
2) The policies as you have them seem to match.

Currently You have:
Internet <=> ADSL Router NAT <=> Zywall NAT <=> LAN
What you will have after changing to Bridging mode:
Internet <=> ADSL Bridge <=> Zywall NAT <=> LAN

The WAN port of the Zywall will be the IP associated with sitex.dyndns.org.
Do you have a computer on the LAN updating Dynamic DNS or is it a configuration on the ADSL/Zywall routers? This too might need to be adjusted if the updates were from the ADSL routers.
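A check for the two things arnold raises (a ZyWall whose WAN address is an RFC 1918 address, i.e. it sits behind the ADSL router's NAT, and local/remote networks entered as a host address rather than the network address), written as an added Python example that is not part of this thread or of any ZyXEL tool. The policy data is constructed from the configs posted above; the WAN addresses and the public addresses used after bridging are assumptions.

```python
import ipaddress

# Constructed data mirroring the two ZyWall 2+ network policies posted above.
# The WAN addresses are assumptions: each ZyWall is handed a private address
# by the ADSL router in front of it (192.168.20.0/24 and 192.168.10.0/24).
SITE1 = {"name": "Site1-To-Site2", "wan_ip": "192.168.20.2",
         "local": ("192.168.2.1", "255.255.255.0"),
         "remote": ("192.168.1.1", "255.255.255.0"),
         "phase1": ("Main", "3DES", "SHA1", "DH2", 28800),
         "phase2": ("Tunnel", "ESP", "DES", "SHA1", 28800, None)}
SITE2 = {"name": "Site2-To-Site1", "wan_ip": "192.168.10.2",
         "local": ("192.168.1.1", "255.255.255.0"),
         "remote": ("192.168.2.1", "255.255.255.0"),
         "phase1": SITE1["phase1"], "phase2": SITE1["phase2"]}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def network_of(ip, mask):
    """Normalise 'starting IP + mask' to a network: 192.168.2.1/24 -> 192.168.2.0/24."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def check_site(site):
    """One policy: host address where a network address belongs, and a NATed WAN."""
    findings = []
    for side in ("local", "remote"):
        ip, mask = site[side]
        net = network_of(ip, mask)
        if ipaddress.ip_address(ip) != net.network_address:
            findings.append(f"{site['name']}: {side} network should be {net.network_address}, not {ip}")
    if any(ipaddress.ip_address(site["wan_ip"]) in n for n in RFC1918):
        findings.append(f"{site['name']}: WAN {site['wan_ip']} is RFC 1918, so the ZyWall sits behind "
                        "the ADSL router's NAT; forward UDP 500/4500 to it or bridge the router")
    return findings

def check_pair(a, b):
    """Both sites plus the cross-checks: mirrored networks and identical IKE proposals."""
    findings = check_site(a) + check_site(b)
    if (network_of(*a["local"]) != network_of(*b["remote"])
            or network_of(*a["remote"]) != network_of(*b["local"])):
        findings.append("local/remote networks are not mirrored between the two policies")
    if a["phase1"] != b["phase1"] or a["phase2"] != b["phase2"]:
        findings.append("IKE phase 1 / phase 2 proposals differ between the two sites")
    return findings

def bridged(site, public_ip):
    """The policy after the accepted fix: router bridged, ZyWall WAN public, networks normalised."""
    fixed = dict(site, wan_ip=public_ip)
    for side in ("local", "remote"):
        fixed[side] = (str(network_of(*site[side]).network_address), site[side][1])
    return fixed
```

Running check_pair(SITE1, SITE2) reports the double NAT on both sites and the four host-address entries; after bridged() (with assumed public addresses from the documentation ranges) it reports nothing.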
 
fpifferini (Author) Commented:
Thank you for the quick solution; in fact the problem was the ADSL router, which I had initially configured as a router. After changing it to act as a bridge, the VPN started to work.
Question has a verified solution.