Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 1 subscriber
  • Views 5667 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ZyXel UTM Site-to-Site VPN advice?

SSzretter
I am looking for advice, or hopefully sample settings on getting a ZyXEL USG 50 to connect site-to-site to an astaro gateway.    I happen to be running UTM 9 of astaro.     Has anyone done this, and would you be able to share settings on both sides (astaro/zyxel)?   It would be greatly appreciated!


This thread was automatically locked due to age.
Parents
  • 0
    Peer ID is ID_USER_FQDN: 'oc23@hotmail.se' 

    Like papa said...  That's not an FQDN.  I wonder if you haven't run afoul of what I call The Zeroeth Rule:

    Start with a hostname that is an FQDN resolvable in public DNS to your public IP.
    If you didn't do that, start over with a factory reset; it will save you hours and frustration.


    Is that your issue?  There are workarounds, but...

    Are you doing this with certificates, a PSK or RSA keys?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0
    Peer ID is ID_USER_FQDN: 'oc23@hotmail.se' 

    Like papa said...  That's not an FQDN.  I wonder if you haven't run afoul of what I call The Zeroeth Rule:

    Start with a hostname that is an FQDN resolvable in public DNS to your public IP.
    If you didn't do that, start over with a factory reset; it will save you hours and frustration.


    Is that your issue?  There are workarounds, but...

    Are you doing this with certificates, a PSK or RSA keys?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • 0 in reply to BAlfson
    Thank you,

    I only work on this problem occasionally, because of many other customers needs.

    Oh, that is true.. Changed that email-adress to the dyndns adress instead.

    It is true that the hostname on the Astaro at first was not the dyndns name but something different. I changed that though at the same time I first tried to get this tunnel up and running. But if I understand you right, it can still be bad things left in the system because of this?

    I now tried to change several things, just to get any tunnel up. I am using PSK, just to make it simple. But I don't get the tunnel up and running anyway.
    I only have a dynamic IP on the zywall side, but just for testing I use that IP as if it was static for the moment.

    This is from the Astaro log, when Astaro tries to initiates the connection:
    2013:06:17-18:46:52 oc23 pluto[26339]: "S_oc23_gw2" #63: starting keying attempt 46 of an unlimited number
    2013:06:17-18:46:52 oc23 pluto[26339]: "S_oc23_gw2" #64: initiating Main Mode to replace #63
    2013:06:17-18:46:52 oc23 pluto[26339]: "S_oc23_gw2" #64: ignoring Vendor ID payload [f758f22668750f03b08df6ebe1******]
    2013:06:17-18:46:52 oc23 pluto[26339]: "S_oc23_gw2" #64: ignoring Vendor ID payload [afcad71368a1f1c96b8696******]
    2013:06:17-18:46:52 oc23 pluto[26339]: "S_oc23_gw2" #64: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    2013:06:17-18:46:52 oc23 pluto[26339]: "S_oc23_gw2" #64: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2013:06:17-18:46:52 oc23 pluto[26339]: "S_oc23_gw2" #64: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2013:06:17-18:46:52 oc23 pluto[26339]: "S_oc23_gw2" #64: received Vendor ID payload [RFC 3947]
    2013:06:17-18:46:52 oc23 pluto[26339]: "S_oc23_gw2" #64: received Vendor ID payload [XAUTH]
    2013:06:17-18:46:52 oc23 pluto[26339]: "S_oc23_gw2" #64: received Vendor ID payload [Dead Peer Detection]
    2013:06:17-18:46:52 oc23 pluto[26339]: "S_oc23_gw2" #64: ignoring Vendor ID payload [afcad71368a1f1c96b8696******]
    2013:06:17-18:46:52 oc23 pluto[26339]: "S_oc23_gw2" #64: ignoring Vendor ID payload [Cisco-Unity]
    2013:06:17-18:46:52 oc23 pluto[26339]: "S_oc23_gw2" #64: enabling possible NAT-traversal with method 3
    2013:06:17-18:46:52 oc23 pluto[26339]: "S_oc23_gw2" #64: NAT-Traversal: Result using RFC 3947: no NAT detected
    2013:06:17-18:48:02 oc23 pluto[26339]: "S_oc23_gw2" #64: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message 

    Log from Astaro, when the Zywall tries to initiate the connection:
    2013:06:17-18:49:33 oc23 pluto[26339]: packet from 83.250.111.111:500: ignoring Vendor ID payload [f758f22668750f03b08df6ebe1******]
    2013:06:17-18:49:33 oc23 pluto[26339]: packet from 83.250.111.111:500: ignoring Vendor ID payload [afcad71368a1f1c96b8696******]
    2013:06:17-18:49:33 oc23 pluto[26339]: packet from 83.250.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    2013:06:17-18:49:33 oc23 pluto[26339]: packet from 83.250.111.111:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2013:06:17-18:49:33 oc23 pluto[26339]: packet from 83.250.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2013:06:17-18:49:33 oc23 pluto[26339]: packet from 83.250.111.111:500: received Vendor ID payload [RFC 3947]
    2013:06:17-18:49:33 oc23 pluto[26339]: packet from 83.250.111.111:500: received Vendor ID payload [Dead Peer Detection]
    2013:06:17-18:49:33 oc23 pluto[26339]: packet from 83.250.111.111:500: ignoring Vendor ID payload [afcad71368a1f1c96b8696******]
    2013:06:17-18:49:33 oc23 pluto[26339]: "S_oc23_gw2" #67: responding to Main Mode
    2013:06:17-18:49:33 oc23 pluto[26339]: "S_oc23_gw2" #67: NAT-Traversal: Result using RFC 3947: no NAT detected
    2013:06:17-18:49:33 oc23 pluto[26339]: "S_oc23_gw2" #67: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2013:06:17-18:49:33 oc23 pluto[26339]: "S_oc23_gw2" #67: Peer ID is ID_IPV4_ADDR: '83.250.111.111'
    2013:06:17-18:49:33 oc23 pluto[26339]: "S_oc23_gw2" #67: Dead Peer Detection (RFC 3706) enabled
    2013:06:17-18:49:33 oc23 pluto[26339]: "S_oc23_gw2" #67: sent MR3, ISAKMP SA established
    2013:06:17-18:49:33 oc23 pluto[26339]: "S_oc23_gw2" #67: received Delete SA payload: deleting ISAKMP State #67
    2013:06:17-18:49:33 oc23 pluto[26339]: packet from 83.250.111.111:500: Informational Exchange is for an unknown (expired?) SA
    2013:06:17-18:49:33 oc23 pluto[26339]: packet from 83.250.111.111:500: Informational Exchange is for an unknown (expired?) SA

    Best Regards
    Andreas
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML