Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 1 subscriber
  • Views 603 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

PSK Net2Net: ASLv5-Internet-NAT(dev)-Zywall2(VPN)

Michael Jenner
I have found a guide on how to set up Net2Net tunnel between ASL and Zywall2 VPN gateway in www.astaro.com/kb. However I have a NAT router between the Zywall and the ISP and cannot get the VPN tunnel to work. 

I have found out that the NAT router supports IPsec passthrough.

Problem seems to be that it isn't possible to define peer ID different from remote gateway IP on ASLv5 when using PSK.

In what order is VPN traffic and packet-filtering/NAT handeled on ASL? Maybe it's possible to fix problem with additional NAT functions, or traffic routing?

Thanks,
Michael


This thread was automatically locked due to age.
  • 0
    A follow up. I have tried enabling and disabling the NAT-T option on the Zywall2 box with the following results in the Astaro v5 log:

    Astaro v5 log - With NAT-T disabled:

     "S_pdzywall1_0" 1.2.3.4 #62427: responding to Main Mode
     "S_pdzywall1_0" 1.2.3.4 #62427: transition from state (null) to state STATE_MAIN_R1
     "S_pdzywall1_0" 1.2.3.4 #62427: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
     "S_pdzywall1_0" 1.2.3.4 #62427: ignoring informational payload, type IPSEC_INITIAL_CONTACT
     "S_pdzywall1_0" 1.2.3.4 #62427: Main mode peer ID is ID_IPV4_ADDR: '192.168.3.30'
     "S_pdzywall1_0" 1.2.3.4 #62427: no suitable connection for peer '192.168.3.30'
     "S_pdzywall1_0" 1.2.3.4 #62427: sending notification INVALID_ID_INFORMATION to 1.2.3.4:500
     "S_pdzywall1_0" 1.2.3.4 #62427: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA

    Astaro v5 log - With NAT-T enabled:

     "S_pdzywall1_0" 1.2.3.4 #62464: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
     "S_pdzywall1_0" 1.2.3.4 #62465: responding to Main Mode
     "S_pdzywall1_0" 1.2.3.4 #62465: transition from state (null) to state STATE_MAIN_R1
     "S_pdzywall1_0" 1.2.3.4 #62465: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00/01: peer is NATed
     "S_pdzywall1_0" 1.2.3.4 #62465: Warning: peer is NATed but source port is still udp/500. Ipsec-passthrough NAT device suspected -- NAT-T may not work.
     "S_pdzywall1_0" 1.2.3.4 #62465: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
     "S_pdzywall1_0" 1.2.3.4 #62465: ignoring informational payload, type IPSEC_INITIAL_CONTACT
     "S_pdzywall1_0" 1.2.3.4 #62465: Main mode peer ID is ID_IPV4_ADDR: '192.168.3.30'
     "S_pdzywall1_0" 1.2.3.4 #62465: no suitable connection for peer '192.168.3.30'
     "S_pdzywall1_0" 1.2.3.4 #62465: sending notification INVALID_ID_INFORMATION to 1.2.3.4:500
     "S_pdzywall1_0" 1.2.3.4 #62464: max number of retransmissions (2) reached STATE_MAIN_R2
Cookie Information Banner