Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 1 subscriber
  • Views 5667 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ZyXel UTM Site-to-Site VPN advice?

SSzretter
I am looking for advice, or hopefully sample settings on getting a ZyXEL USG 50 to connect site-to-site to an astaro gateway.    I happen to be running UTM 9 of astaro.     Has anyone done this, and would you be able to share settings on both sides (astaro/zyxel)?   It would be greatly appreciated!


This thread was automatically locked due to age.
Parents
  • 0
    I was able to get it mostly working.   In the site-to-site vpn, it shows two connection blocks.   The top block shows as 'error no connection', the bottom half shows as up and working.   It in fact seems to work, I can connect from and to the site.   I am just not sure why the top half shows the no connection error.     

    This is what my site-to-site screen looks like in the Astaro

    myvpn [1 of 2 IPsec SAs established]
    SA: y.y.y.y/16=x.x.x.x x.x.x.x=x.x.x.x/32
    VPN ID: x.x.x.x
    Error: No connection
    SA: y.y.y.y/16=x.x.x.x x.x.x.x=y.y.y.y/24
    VPN ID: x.x.x.x
    IKE: Auth PSK / Enc AES_CBC_128 / Hash HMAC_SHA1 / Lifetime 86400s / DPD
    ESP: Enc AES_CBC_128 / Hash HMAC_SHA1 / Lifetime 28800s
  • 0 in reply to SSzretter
    Thank you,

    Strange error you get, but you can connect to networkshares over the tunnel?
    Would it be possible to send the zyxel configuration as well?
    I have tried a little, but get a couple of error messages in the Astaro log when I try to connect. And the tunnel does not connect at all.
    This is the log that I get, maybe someone else also has comments on this:

    2013:06:13-16:22:11 *** pluto[13555]: packet from 83.250.***.***:500: ignoring Vendor ID payload [f758f22668750f03b08df6ebe1******] 
    2013:06:13-16:22:11 *** pluto[13555]: packet from 83.250.***.***:500: ignoring Vendor ID payload [afcad71368a1f1c96b8696******] 
    2013:06:13-16:22:11 *** pluto[13555]: packet from 83.250.***.***:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] 
    2013:06:13-16:22:11 *** pluto[13555]: packet from 83.250.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
    2013:06:13-16:22:11 *** pluto[13555]: packet from 83.250.***.***:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] 
    2013:06:13-16:22:11 *** pluto[13555]: packet from 83.250.***.***:500: received Vendor ID payload [RFC 3947] 
    2013:06:13-16:22:11 *** pluto[13555]: packet from 83.250.***.***:500: received Vendor ID payload [Dead Peer Detection] 
    2013:06:13-16:22:11 *** pluto[13555]: packet from 83.250.***.***:500: ignoring Vendor ID payload [afcad71368a1f1c96b8696******] 
    2013:06:13-16:22:11 *** pluto[13555]: "S_***_tunnel"[59] 83.250.***.*** #30: responding to Main Mode from unknown peer 83.250.***.*** 
    2013:06:13-16:22:12 *** pluto[13555]: "S_***_tunnel"[59] 83.250.***.*** #30: NAT-Traversal: Result using RFC 3947: no NAT detected 
    2013:06:13-16:22:12 *** pluto[13555]: "S_***_tunnel"[59] 83.250.***.*** #30: ignoring informational payload, type IPSEC_INITIAL_CONTACT 
    2013:06:13-16:22:12 *** pluto[13555]: "S_***_tunnel"[59] 83.250.***.*** #30: Peer ID is ID_USER_FQDN: '***@***.se' 
    2013:06:13-16:22:12 *** pluto[13555]: "S_***_tunnel"[60] 83.250.***.*** #30: deleting connection "S_***_tunnel"[59] instance with peer 83.250.***.*** {isakmp=#0/ipsec=#0} 
    2013:06:13-16:22:12 *** pluto[13555]: "S_***_tunnel"[60] 83.250.***.*** #30: Dead Peer Detection (RFC 3706) enabled 
    2013:06:13-16:22:12 *** pluto[13555]: "S_***_tunnel"[60] 83.250.***.*** #30: sent MR3, ISAKMP SA established 
    2013:06:13-16:22:12 *** pluto[13555]: "S_***_tunnel"[60] 83.250.***.*** #30: received Delete SA payload: deleting ISAKMP State #30 
    2013:06:13-16:22:12 *** pluto[13555]: "S_***_tunnel"[60] 83.250.***.***: deleting connection "S_***_tunnel"[60] instance with peer 83.250.***.*** {isakmp=#0/ipsec=#0} 
    2013:06:13-16:22:12 *** pluto[13555]: packet from 83.250.***.***:500: Informational Exchange is for an unknown (expired?) SA 
    2013:06:13-16:22:12 *** pluto[13555]: packet from 83.250.***.***:500: Informational Exchange is for an unknown (expired?) SA
Reply
  • 0 in reply to SSzretter
    Thank you,

    Strange error you get, but you can connect to networkshares over the tunnel?
    Would it be possible to send the zyxel configuration as well?
    I have tried a little, but get a couple of error messages in the Astaro log when I try to connect. And the tunnel does not connect at all.
    This is the log that I get, maybe someone else also has comments on this:

    2013:06:13-16:22:11 *** pluto[13555]: packet from 83.250.***.***:500: ignoring Vendor ID payload [f758f22668750f03b08df6ebe1******] 
    2013:06:13-16:22:11 *** pluto[13555]: packet from 83.250.***.***:500: ignoring Vendor ID payload [afcad71368a1f1c96b8696******] 
    2013:06:13-16:22:11 *** pluto[13555]: packet from 83.250.***.***:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] 
    2013:06:13-16:22:11 *** pluto[13555]: packet from 83.250.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
    2013:06:13-16:22:11 *** pluto[13555]: packet from 83.250.***.***:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] 
    2013:06:13-16:22:11 *** pluto[13555]: packet from 83.250.***.***:500: received Vendor ID payload [RFC 3947] 
    2013:06:13-16:22:11 *** pluto[13555]: packet from 83.250.***.***:500: received Vendor ID payload [Dead Peer Detection] 
    2013:06:13-16:22:11 *** pluto[13555]: packet from 83.250.***.***:500: ignoring Vendor ID payload [afcad71368a1f1c96b8696******] 
    2013:06:13-16:22:11 *** pluto[13555]: "S_***_tunnel"[59] 83.250.***.*** #30: responding to Main Mode from unknown peer 83.250.***.*** 
    2013:06:13-16:22:12 *** pluto[13555]: "S_***_tunnel"[59] 83.250.***.*** #30: NAT-Traversal: Result using RFC 3947: no NAT detected 
    2013:06:13-16:22:12 *** pluto[13555]: "S_***_tunnel"[59] 83.250.***.*** #30: ignoring informational payload, type IPSEC_INITIAL_CONTACT 
    2013:06:13-16:22:12 *** pluto[13555]: "S_***_tunnel"[59] 83.250.***.*** #30: Peer ID is ID_USER_FQDN: '***@***.se' 
    2013:06:13-16:22:12 *** pluto[13555]: "S_***_tunnel"[60] 83.250.***.*** #30: deleting connection "S_***_tunnel"[59] instance with peer 83.250.***.*** {isakmp=#0/ipsec=#0} 
    2013:06:13-16:22:12 *** pluto[13555]: "S_***_tunnel"[60] 83.250.***.*** #30: Dead Peer Detection (RFC 3706) enabled 
    2013:06:13-16:22:12 *** pluto[13555]: "S_***_tunnel"[60] 83.250.***.*** #30: sent MR3, ISAKMP SA established 
    2013:06:13-16:22:12 *** pluto[13555]: "S_***_tunnel"[60] 83.250.***.*** #30: received Delete SA payload: deleting ISAKMP State #30 
    2013:06:13-16:22:12 *** pluto[13555]: "S_***_tunnel"[60] 83.250.***.***: deleting connection "S_***_tunnel"[60] instance with peer 83.250.***.*** {isakmp=#0/ipsec=#0} 
    2013:06:13-16:22:12 *** pluto[13555]: packet from 83.250.***.***:500: Informational Exchange is for an unknown (expired?) SA 
    2013:06:13-16:22:12 *** pluto[13555]: packet from 83.250.***.***:500: Informational Exchange is for an unknown (expired?) SA
Children
No Data
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML