Solved

How to configure a VPN with the Zyxel IPsec client and a ZyWALL 20 USG?

Posted on 2014-03-26
7,546 Views
Last Modified: 2014-04-07
Hello, I have a ZyWALL 20 USG and an XP machine with the IPsec VPN client.

Does somebody know if it is possible to do it?

I don't have a fixed IP (actually I use a DynDNS name) and the ZyWALL is behind an ADSL NAT router.

Thanks
6 Comments
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 39958013
Hi,

You need to configure 3 things:
- Your ADSL Router.
- zywall 20 USG
- XP

ADSL Router:
- Make sure that you enable IPsec Passthrough and set up your ADSL router so that it passes the IPsec info directly to your ZyWALL.

- ZyWALL: configure it according to the document here: zywall VPN Config

- Configure XP IPsec here: XP IPSec setup

I think the dynamic DNS issue must not be a problem, provided:
- the ZyWALL has a DynDNS entry.
- XP has a DynDNS entry.
- Both entries are up to date, using the DynDNS setup on the ZyWALL and the DynDNS applet in XP.
- The ZyWALL authentication type is set as DNS, and the field must include the DynDNS entry of the client.

Cheers,
K.
 

Author Comment

by:limmontreefree
ID: 39958305
Thanks Kerem,

You are right, but the links are very old and generic; the USG family has a very different design, and we are using the Zyxel IPsec VPN client, which is a proprietary VPN client.

Maybe we need a skilled Zyxel expert.

Thank you very much.

We actually get the VPN up, but after some seconds it goes down.

This is the log from the VPN client:
20140327 08:54:37:531 Default (SA VPNgateway-P1) SEND phase 1 Main Mode  [SA] [VID] [VID] [VID] [VID] [VID]
20140327 08:54:37:625 Default (SA VPNgateway-P1) RECV phase 1 Main Mode  [SA] [VID] [VID] [VID] [VID]
20140327 08:54:37:625 Default (SA VPNgateway-P1) SEND phase 1 Main Mode  [KEY_EXCH] [NONCE]
20140327 08:54:37:890 Default (SA VPNgateway-P1) RECV phase 1 Main Mode  [KEY_EXCH] [NONCE]
20140327 08:54:37:890 Default (SA VPNgateway-P1) SEND phase 1 Main Mode  [HASH] [ID] [NOTIFY]
20140327 08:54:38:046 Default (SA VPNgateway-P1) RECV phase 1 Main Mode  [HASH] [ID]
20140327 08:54:38:046 Default phase 1 done: initiator id 4.2.2.2, responder id 4.2.2.2
20140327 08:54:38:046 Default (SA VPNgateway-VPNtunel-P2) SEND phase 2 Quick Mode  [HASH] [SA] [NONCE] [ID] [ID]
20140327 08:54:38:140 Default (SA VPNgateway-VPNtunel-P2) RECV phase 2 Quick Mode  [HASH] [SA] [NONCE] [ID] [ID]
20140327 08:54:38:140 Default (SA VPNgateway-VPNtunel-P2) SEND phase 2 Quick Mode  [HASH]
20140327 08:55:07:140 Default (SA VPNgateway-P1) SEND Informational  [HASH] [NOTIFY] type DPD_R_U_THERE
20140327 08:55:07:218 Default (SA VPNgateway-P1) RECV Informational  [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20140327 08:55:24:328 Default (SA VPNgateway-P1) RECV Informational  [HASH] [DELETE]
20140327 08:55:24:328 Default <VPNgateway-VPNtunel-P2> deleted
20140327 08:55:24:343 Default (SA VPNgateway-P1) RECV Informational  [HASH] [DELETE]
20140327 08:55:24:343 Default (SA VPNgateway-P1) RECV Informational  [HASH] [DELETE]
20140327 08:55:26:515 Default (SA VPNgateway-P1) RECV Informational  [HASH] [DELETE]
20140327 08:55:26:515 Default <VPNgateway-P1> deleted
20140327 08:55:26:515 Default message_recv: invalid cookie(s) 822741f6d4712b57 57a88423020671d9
20140327 08:55:26:515 Default dropped message from 193.153.188.195 due to notification type INVALID_COOKIE
20140327 08:55:26:515 Default (SA <unknown>) SEND Informational  [NOTIFY] with INVALID_COOKIE error
20140327 08:55:26:515 Default message_recv: invalid cookie(s) 822741f6d4712b57 57a88423020671d9
20140327 08:55:26:515 Default dropped message from 193.153.188.195 due to notification type INVALID_COOKIE
20140327 08:55:26:515 Default (SA <unknown>) SEND Informational  [NOTIFY] with INVALID_COOKIE error
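The client log above can be reduced to a timeline automatically, which makes it easier to see where a tunnel fails (phase 1, phase 2, or a later teardown). The following is an added example, not code from this thread, from Zyxel or from the VPN client: it embeds the log lines posted above as its sample input and applies a small set of pattern rules (an assumption of this example, not the client's own format specification) to report when phase 1 and phase 2 completed, how long the IPsec SA stayed up before the first DELETE arrived, whether DPD was answered first, and how many INVALID_COOKIE drops followed.

```python
"""Timeline extraction for an IKEv1 client log.

Added example. LOG holds the lines posted in the thread; the regexes and the
verdict rules are this example's own and are not part of the VPN client.
"""
import re
from datetime import datetime

LOG = """\
20140327 08:54:37:531 Default (SA VPNgateway-P1) SEND phase 1 Main Mode  [SA] [VID] [VID] [VID] [VID] [VID]
20140327 08:54:37:625 Default (SA VPNgateway-P1) RECV phase 1 Main Mode  [SA] [VID] [VID] [VID] [VID]
20140327 08:54:37:625 Default (SA VPNgateway-P1) SEND phase 1 Main Mode  [KEY_EXCH] [NONCE]
20140327 08:54:37:890 Default (SA VPNgateway-P1) RECV phase 1 Main Mode  [KEY_EXCH] [NONCE]
20140327 08:54:37:890 Default (SA VPNgateway-P1) SEND phase 1 Main Mode  [HASH] [ID] [NOTIFY]
20140327 08:54:38:046 Default (SA VPNgateway-P1) RECV phase 1 Main Mode  [HASH] [ID]
20140327 08:54:38:046 Default phase 1 done: initiator id 4.2.2.2, responder id 4.2.2.2
20140327 08:54:38:046 Default (SA VPNgateway-VPNtunel-P2) SEND phase 2 Quick Mode  [HASH] [SA] [NONCE] [ID] [ID]
20140327 08:54:38:140 Default (SA VPNgateway-VPNtunel-P2) RECV phase 2 Quick Mode  [HASH] [SA] [NONCE] [ID] [ID]
20140327 08:54:38:140 Default (SA VPNgateway-VPNtunel-P2) SEND phase 2 Quick Mode  [HASH]
20140327 08:55:07:140 Default (SA VPNgateway-P1) SEND Informational  [HASH] [NOTIFY] type DPD_R_U_THERE
20140327 08:55:07:218 Default (SA VPNgateway-P1) RECV Informational  [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20140327 08:55:24:328 Default (SA VPNgateway-P1) RECV Informational  [HASH] [DELETE]
20140327 08:55:24:328 Default <VPNgateway-VPNtunel-P2> deleted
20140327 08:55:24:343 Default (SA VPNgateway-P1) RECV Informational  [HASH] [DELETE]
20140327 08:55:24:343 Default (SA VPNgateway-P1) RECV Informational  [HASH] [DELETE]
20140327 08:55:26:515 Default (SA VPNgateway-P1) RECV Informational  [HASH] [DELETE]
20140327 08:55:26:515 Default <VPNgateway-P1> deleted
20140327 08:55:26:515 Default message_recv: invalid cookie(s) 822741f6d4712b57 57a88423020671d9
20140327 08:55:26:515 Default dropped message from 193.153.188.195 due to notification type INVALID_COOKIE
20140327 08:55:26:515 Default (SA <unknown>) SEND Informational  [NOTIFY] with INVALID_COOKIE error
20140327 08:55:26:515 Default message_recv: invalid cookie(s) 822741f6d4712b57 57a88423020671d9
20140327 08:55:26:515 Default dropped message from 193.153.188.195 due to notification type INVALID_COOKIE
20140327 08:55:26:515 Default (SA <unknown>) SEND Informational  [NOTIFY] with INVALID_COOKIE error
"""

# "YYYYMMDD HH:MM:SS:mmm Default <message>" (assumed layout, taken from the lines above)
LINE_RE = re.compile(r"^(\d{8}) (\d{2}:\d{2}:\d{2}):(\d{3}) Default (.*)$")
DELETED_RE = re.compile(r"<([^>]+)> deleted$")


def parse(log):
    """Yield (timestamp, message) for every well-formed line; skip the rest."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        date, hms, ms, msg = m.groups()
        yield datetime.strptime(f"{date} {hms}.{ms}", "%Y%m%d %H:%M:%S.%f"), msg


def summarize(log):
    """Collect the key IKE events and how long the tunnel lived."""
    s = {"phase1_done": None, "phase2_done": None, "first_delete": None,
         "dpd_ack_count": 0, "delete_count": 0, "invalid_cookie_count": 0,
         "deleted_sas": []}
    for ts, msg in parse(log):
        if "phase 1 done" in msg and s["phase1_done"] is None:
            s["phase1_done"] = ts
        elif re.search(r"SEND phase 2 Quick Mode\s+\[HASH\]$", msg):
            s["phase2_done"] = ts          # third Quick Mode message: IPsec SA is up
        elif "DPD_R_U_THERE_ACK" in msg:
            s["dpd_ack_count"] += 1        # peer was reachable and answered DPD
        elif "RECV Informational" in msg and "[DELETE]" in msg:
            s["delete_count"] += 1         # peer tore the SA down, not us
            if s["first_delete"] is None:
                s["first_delete"] = ts
        elif DELETED_RE.search(msg):
            s["deleted_sas"].append(DELETED_RE.search(msg).group(1))
        elif "invalid cookie" in msg:
            s["invalid_cookie_count"] += 1  # late messages for an SA that is gone
    if s["phase2_done"] and s["first_delete"]:
        s["tunnel_up_seconds"] = (s["first_delete"] - s["phase2_done"]).total_seconds()
    else:
        s["tunnel_up_seconds"] = None
    s["verdict"] = verdict(s)
    return s


def verdict(s):
    """One-line reading of the timeline (rules are this example's own)."""
    if s["phase1_done"] is None:
        return "phase 1 never completed"
    if s["phase2_done"] is None:
        return "phase 1 ok, phase 2 never completed"
    if s["delete_count"] and s["dpd_ack_count"]:
        return "tunnel came up, peer answered DPD, then peer sent DELETE"
    if s["delete_count"]:
        return "tunnel came up, then peer sent DELETE"
    return "tunnel up, no teardown seen"


if __name__ == "__main__":
    for key, value in summarize(LOG).items():
        print(f"{key:22s} {value}")
```

For the log above the summary shows phase 1 and phase 2 completing within a second, the peer answering DPD, and then the peer deleting the phase 2 and phase 1 SAs about 46 seconds after the tunnel came up; the INVALID_COOKIE lines are simply the client rejecting traffic for an SA that no longer exists. The script says where the tunnel died, not why; that is what the rest of the thread works out.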
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 39958734
It seems that you cannot receive data after the initial contact. It looks like NAT Traversal is failing. Are you sure you have enabled VPN pass-through on your ADSL router?

If there is no setting on your router for IPsec VPN pass-through, try setting up your VPN server as the DMZ server so that it receives each packet directly.

K.
 

Author Comment

by:limmontreefree
ID: 39973498
Hello Kerem,

I have mapped all the ports in the router to the ZyWALL; I don't know what NAT traversal is.

Do you have some documentation?

Thanks.
 
LVL 30

Accepted Solution

by:
Kerem ERSOY earned 500 total points
ID: 39983051
In fact this mapping may not be enough. As part of the IPsec authentication, both IP packets and UDP ports are used. This is why routers have a "VPN PassThrough" facility. Otherwise you cannot direct IP packets; all you can do is direct TCP/UDP packets. If you don't have a setting like that (I believe you do), all you can do is define a DMZ host. In this case your router will direct all TCP/IP communication to the defined server (in your case the VPN server).

You said you've "mapped all ports", but this is not enough because of the IP packet requirement. All you can map is TCP or UDP ports. It has nothing to do with IP packet direction. This is why you'll need NAT traversal.

Did you check your router for "IPSEC PassThrough"? Did you try "DMZ host"? Your previous post was kind of informative, but this post says little about what you've tried.

Here's more information about IPsec and NAT traversal:
http://en.wikipedia.org/wiki/IPsec
http://en.wikipedia.org/wiki/NAT_traversal

Please see the section "IPsec traversal across NAT" for a thorough understanding.

Cheers,
K.
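The point of the accepted answer, that a TCP/UDP port mapping cannot carry IPsec but a DMZ host or NAT-T can, is easy to show with packets built in memory. The following is an added example and not code from this thread, from Zyxel or from any router vendor: it constructs a raw ESP packet (IP protocol 50, which has no port numbers), an IKE packet on UDP/500, and NAT-T packets on UDP/4500 (RFC 3948 UDP encapsulation, where four zero bytes mark an IKE message and anything else is an ESP SPI), then runs each through a deliberately simplified model of an ADSL router that has only a port-forward table and an optional DMZ host. The addresses, the inside ZyWALL address 192.168.1.2, the SPI and the "ciphertext" bytes are all constructed, and a real router's IPsec pass-through feature is not modelled.

```python
"""Why TCP/UDP port forwarding alone does not carry IPsec, and what NAT-T changes.

Added example: packets are constructed in memory and the "router" is a
simplified model (port-forward table plus optional DMZ host), not the
firmware of any real ADSL router or of the ZyWALL.
"""
import socket
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50        # ESP sits directly on IP and carries no port numbers
IPPROTO_AH = 51
IKE_PORT = 500          # IKE / ISAKMP
NATT_PORT = 4500        # UDP-encapsulated IKE and ESP (RFC 3947 / RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: marks IKE inside UDP/4500


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options; checksum left as zero) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_udp(sport, dport, payload):
    """UDP header (checksum left as zero) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_esp(spi, seq, protected):
    """ESP header: SPI (never zero), sequence number, then the protected data."""
    return struct.pack("!II", spi, seq) + protected


def classify(packet):
    """What a NAT box can see: IP protocol, UDP destination port if any, NAT-T content."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    info = {"proto": proto, "dport": None, "inner": None}
    if proto == IPPROTO_ESP:
        info["inner"] = "esp"
    elif proto == IPPROTO_AH:
        info["inner"] = "ah"
    elif proto == IPPROTO_UDP:
        _, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        info["dport"] = dport
        body = packet[ihl + 8:]
        if dport == IKE_PORT:
            info["inner"] = "ike"
        elif dport == NATT_PORT:
            # Four zero bytes mean IKE; anything else is an ESP SPI (RFC 3948)
            info["inner"] = "ike" if body[:4] == NON_ESP_MARKER else "esp"
    return info


def nat_forward(packet, port_forwards, dmz_host=None):
    """Inbound decision of the simplified router.

    port_forwards maps (ip_proto, dport) -> inside host. Raw ESP/AH carry no
    port, so no such rule can ever match them; only a DMZ host (or a real
    IPsec pass-through feature, not modelled here) gets them inside.
    Returns (inside_host_or_None, inner_kind).
    """
    info = classify(packet)
    if info["dport"] is not None:
        target = port_forwards.get((info["proto"], info["dport"]))
        if target:
            return target, info["inner"]
    if dmz_host:
        return dmz_host, info["inner"]
    return None, info["inner"]


def demo():
    """The four cases that matter for a ZyWALL behind a port-forwarding router."""
    client, router_wan, zywall = "198.51.100.7", "203.0.113.9", "192.168.1.2"  # constructed
    rules = {(IPPROTO_UDP, IKE_PORT): zywall, (IPPROTO_UDP, NATT_PORT): zywall}
    esp = build_esp(0x0A0B0C0D, 1, b"\x11" * 32)          # constructed SPI and ciphertext
    ike = build_ipv4(IPPROTO_UDP, client, router_wan,
                     build_udp(IKE_PORT, IKE_PORT, b"\x00" * 28))
    raw_esp = build_ipv4(IPPROTO_ESP, client, router_wan, esp)
    natt_esp = build_ipv4(IPPROTO_UDP, client, router_wan,
                          build_udp(NATT_PORT, NATT_PORT, esp))
    natt_ike = build_ipv4(IPPROTO_UDP, client, router_wan,
                          build_udp(NATT_PORT, NATT_PORT, NON_ESP_MARKER + b"\x00" * 28))
    return {
        "ike_udp500": nat_forward(ike, rules),
        "raw_esp_port_rules_only": nat_forward(raw_esp, rules),
        "raw_esp_with_dmz": nat_forward(raw_esp, rules, dmz_host=zywall),
        "natt_esp_udp4500": nat_forward(natt_esp, rules),
        "natt_ike_udp4500": nat_forward(natt_ike, rules),
    }


if __name__ == "__main__":
    for case, (host, kind) in demo().items():
        print(f"{case:26s} {kind:4s} -> {host or 'DROPPED'}")
```

Running it shows IKE on UDP/500 reaching the inside host, raw ESP being dropped when only port rules exist and reaching the host only once a DMZ host is set, and both NAT-T variants on UDP/4500 reaching the host through an ordinary UDP port rule. That last case is what NAT traversal buys: once both ends detect the NAT and switch to UDP/4500, the ESP traffic that a port mapping could never see becomes plain UDP that it can.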
 

Author Closing Comment

by:limmontreefree
ID: 39984036
Thanks, now I understand, and now it is working.

Very helpful.