Channel: ZyXEL forum - dslreports.com

USG 200 2.20(AQU.6) -> 3.00(AQU.0) VPN change?

Hi guys, hopefully someone can respond in time. I was doing a remote firmware upgrade, but on the upgrade from 2.20(AQU.6) to 3.00(AQU.0) something got messed up in the VPN config. I can no longer bring up a tunnel; it fails on phase 1 with "Received informational payload, type NO_PROPOSAL_CHOSEN". I tried with different phase 1 settings on my client but no luck. I'll head down to its location in a bit if needed, but maybe someone can shed a light on what could have gotten changed. Maybe I can adjust my client and get back in. Everything else seems to be running fine. Thanks

Mac OS X and L2TP VPN with a ZyWALL?

Did anybody get it up and running? Using OS X 10.10.2 (Yosemite) with the built-in VPN client (Racoon) and the ZyWALL 110 with FW 4.10(AAAA.2). I was able to get past IPSec Phase 1 by adding AES256 and SHA1 to the proposal and changing the keygroup to DH2. But I am not able to get Phase 2 up and running.....

The cookie pair is : 0x8d3f86b0e0892653 / 0x0000000000000000
Recv Main Mode request from [77.40.138.9]
The cookie pair is : 0x30429b912cdb6f40 / 0x8d3f86b0e0892653 [count=3]
Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]
The cookie pair is : 0x8d3f86b0e0892653 / 0x30429b912cdb6f40 [count=2]
Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID]
Recv:[KE][NONCE][PRV][PRV]
Send:[KE][NONCE][PRV][PRV]
Recv:[ID][HASH][NOTIFY:INITIAL_CONTACT]
The cookie pair is : 0x8d3f86b0e0892653 / 0x30429b912cdb6f40 [count=2]
Send:[ID][HASH]
The cookie pair is : 0x8d3f86b0e0892653 / 0x30429b912cdb6f40 [count=2]
Phase 1 IKE SA process done
The cookie pair is : 0x30429b912cdb6f40 / 0x8d3f86b0e0892653
Recv:[HASH][SA][NONCE][ID][ID][PRV][PRV]
[SA] : No proposal chosen
Send:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
The cookie pair is : 0x30429b912cdb6f40 / 0x8d3f86b0e0892653 [count=2]
Recv:[HASH][DEL]
Received delete notification
The cookie pair is : 0x8d3f86b0e0892653 / 0x30429b912cdb6f40
ISAKMP SA [L2TP_IPSEC_Dyn_GW] is disconnected

This is a roadwarrior setup, so the idea is that people* "dial-in" from anywhere.

*friggin (l)users that aren't happy with a ssh tunnel through my little dark server in the corner.... it's too difficult, nag nag nag :D

-- "Perl is executable line noise, Python is executable pseudo-code."
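Added example, not code from either post or from ZyXEL: a small Python parser for the log format quoted above. It walks the exchange, records whether Phase 1 completed, and reports in which phase the first NO_PROPOSAL_CHOSEN (or similar error NOTIFY) appeared, so it also covers the Phase 1 failure in the first post; the sample log is constructed after the excerpt above and the peer address is a documentation address.

```python
"""Classify a ZyWALL/USG IKEv1 log excerpt by IKE phase and failure notify."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the post's excerpt; 203.0.113.9 is TEST-NET-3.
SAMPLE_LOG = """\
The cookie pair is : 0x8d3f86b0e0892653 / 0x0000000000000000
Recv Main Mode request from [203.0.113.9]
Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]
Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID]
Recv:[KE][NONCE][PRV][PRV]
Send:[KE][NONCE][PRV][PRV]
Recv:[ID][HASH][NOTIFY:INITIAL_CONTACT]
Send:[ID][HASH]
Phase 1 IKE SA process done
Recv:[HASH][SA][NONCE][ID][ID][PRV][PRV]
[SA] : No proposal chosen
Send:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN]
Recv:[HASH][DEL]
Received delete notification
ISAKMP SA [L2TP_IPSEC_Dyn_GW] is disconnected
"""

# Which settings to compare on both peers when a given phase rejects the proposal.
# Phase 1 is the IKE SA (VPN Gateway tab), Phase 2 the IPsec SA (VPN Connection tab).
CHECKLIST = {
    1: "IKE proposal: encryption, authentication hash, DH key group, ID type/PSK",
    2: "IPsec proposal: ESP encryption/authentication, PFS group, encapsulation "
       "mode (transport for L2TP/IPsec), local/remote policy",
}
ERROR_NOTIFIES = {"NO_PROPOSAL_CHOSEN", "INVALID_ID_INFORMATION",
                  "AUTHENTICATION_FAILED", "PAYLOAD_MALFORMED"}

_PEER_RE = re.compile(r"request from \[([^\]]+)\]")
_MSG_RE = re.compile(r"^(Recv|Send):((?:\[[^\]]+\])+)$")
_NOTIFY_RE = re.compile(r"NOTIFY:([A-Z_]+)")


@dataclass
class IkeOutcome:
    peer: Optional[str] = None
    phase1_done: bool = False
    failed_phase: Optional[int] = None   # phase of the first error NOTIFY
    failure: Optional[str] = None        # e.g. "NO_PROPOSAL_CHOSEN"
    sent_by_us: Optional[bool] = None    # True if the ZyWALL sent the NOTIFY
    payloads: List[Tuple[int, str, str]] = field(default_factory=list)

    @property
    def hint(self) -> Optional[str]:
        return CHECKLIST.get(self.failed_phase) if self.failure else None


def parse_ike_log(text: str) -> IkeOutcome:
    out, phase = IkeOutcome(), 1
    for raw in text.splitlines():
        line = raw.strip()
        if m := _PEER_RE.search(line):
            out.peer = m.group(1)
        elif line.startswith("Phase 1 IKE SA process done"):
            out.phase1_done, phase = True, 2   # everything after this is Quick Mode
        elif m := _MSG_RE.match(line):
            direction, payloads = m.groups()
            out.payloads.append((phase, direction, payloads))
            for notify in _NOTIFY_RE.findall(payloads):
                if notify in ERROR_NOTIFIES and out.failure is None:
                    out.failure, out.failed_phase = notify, phase
                    out.sent_by_us = direction == "Send"
    return out
```

In the sample, Phase 1 completes and the ZyWALL itself sends NO_PROPOSAL_CHOSEN in Phase 2, which points at the IPsec proposal or policy rather than the IKE proposal the poster already fixed.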

Slow site-to-site VPN

I have two sites:
A: 500mb/s download, 10mb/s upload, USG 110
B: 30mb/s, 1.5mb/s upload, USG 40
and I am running a site-to-site IPsec VPN between them to sync NAS. I've just upgraded site A's speed from 200/5 to 500/10, which is much more expensive, but the VPN speed stays the same: around 500KB/s. I get the full 10mb/s upload in FTP to my cloud servers. What is slowing me down? Do I need to upgrade site B's speed? I've already upgraded the VPN machines to the latest hardware and firmware - before this I had USG 100/20. A lot of money spent, but so far the data sync speed is not improving.

which VPN to use for multi site file share, printers and internal site?

Hello again, I have 8 sites, all wanting to share files, printers and have access to an internal website hosted at the head office. The VPN would be for internal traffic only, as each site can use its own WAN connection for everything else. What VPN would you recommend? I do have to consider that there might be two remote users (on the road with laptops) that will also need to connect to the VPN from time to time to submit reports. So in the interest of speed and security - which VPN would you choose? (The sites have Zyxel 20w's, while the head office has a Zyxel 310.) Thanks in advance. PS: if there is a donate button for this forum or its frequent users, send me in its direction; it's been an excellent source of FREE help and ideas :o)

ZYWALL USG 50 - creating two separate networks

Dear all, I've been struggling with the following problem/task. We're extending our company's network to the shop floor, which means I need to completely separate the shop floor, "LAN2", from "LAN1" due to several reasons, mainly security. My aim is to:
- enable all LAN1 (offices & servers) to LAN2 connections (file sharing, remote desktop and other tasks)
- disable all LAN2 to LAN1 connections (with some exceptions, but that's not so important)
- disable zywall and other network products management from LAN2

My first attempt was to create simple firewall rules to deny LAN2 to LAN1 and enable LAN1 to LAN2 connections (ports 3 & 4 are set up as "LAN1" and ports 5 & 6 are set up as "LAN2"). But I was unable to successfully set it up. I can still get access to IPs from LAN1 and connect to the zywall, for example. I've been stalking through several topics, but I haven't really found a real solution. Should I be trying to achieve this with VLANs? I've got a CISCO managed switch SG200-18 and three older switches in the network. I'd be really thankful for any help and steps on how to achieve my goal. Thank you for all the support, kind regards, Boris.

IPSec tunnel stops transporting traffic after a while

Hi all, Thanks for all your help getting IPSec IKEv2 VPN going... Now I've stumbled into another vpn-related problem :-(

The problem is that the tunnel stops transporting traffic after a while. The tunnel doesn't go down, it just stops transporting traffic through the tunnel. The VPN is used for remote users connecting to the office, not for site-to-site VPN. The remote users are using the built-in client in Windows 7 and Windows 8. I've tried with both "IPSec IKEv2 VPN" and "L2TP over IPSec VPN". It happens with both, but the results are somewhat mixed...

I've timed the connections for how long the tunnels are transporting traffic. I used the tool tcping to ping a resource through the tunnel. All the tool does is set up a TCP connection and then tear it down again, with an interval of one second. A nice thing is that it's also possible to get timestamps.

When connected with "IPSec IKEv2 VPN" the traffic stops after around 55 minutes and 30 seconds. After that I can't reach anything through the tunnel, even though the tunnel is still up. I've only timed it once, but the feeling is that it always happens at around the same time every time.

It's a little different story with "L2TP over IPSec". The communication stays up for 4 hours 53 minutes and 25 seconds (also only timed once). However... this test was run over night, and to my surprise 3 minutes and 45 seconds after the tunnel seemed to stop transporting traffic, one TCP ping actually went through, and after three more minutes another TCP ping also made it through... Then after that nothing for several hours. To make it work again I have to disconnect the VPN and reconnect again.

The SA Life Time is set to the default 86400 (24 hours) for both the VPN Gateway (phase 1) and the VPN Connection (phase 2). For L2TP the Keep Alive is set to the default 60 seconds. So... does anyone have an idea on why this is happening?

Configure USG60 for DHCP and static IP pass-thru

Looking to replicate the behavior of a Comcast modem, which can simultaneously pass through statics to devices on its LAN ports and act as a DHCP server for devices without static assignments. So devices that are hanging off a switch on LAN Port 1 might have statics within the subnet assigned to WAN1, or be set up for DHCP to receive an address from the USG60. Is this possible? If so, how?

Configuration of Zyxel USG200

Hi All, I have recently upgraded my Zyxel USG20 router to a better model (USG 200) and have gotten some trouble connecting it to the internet... I'm not a pro in networking, but have managed previously to configure the USG20, which has been working without any problems for a couple of years. Now, I'm trying to use basically the same configuration steps for the USG 200, but it simply cannot get an IP from my ISP. I'm using a cable modem in bridge mode with a static IP, and the USG20 gets this IP without any problems, so my entire home network has access to the internet. When I connect the modem to the USG200 (to wan1), it shows me that the cable is connected, but the IP is 0.0.0.0. I've tried to renew it in the Dashboard a number of times, but it does not help. Am I missing something important, something I have forgotten since I did the initial configuration of the USG20 a couple of years ago? When I connect the USG20 back - no problems, it gets the IP from the ISP in a second... The USG200 has the latest firmware. Thanks in advance for any help.

new ZyXEL VSG1432 reference firmware

https://zyxel.app.box.com/s/2m0782a043353tzxy7ee

The new version is: V1.12(AADX.3)C0 ...my modem shipped with V1.12(AADX.2)C0

How I got this: ZyXEL will normally tell you that firmware is not available for this modem and that the ISP is the one who provides the firmware. That's usually correct. HOWEVER, there are two types of firmware:
1) the reference firmware that ZyXEL puts on the modem before it's provided to the ISP
2) the customized firmware that the ISP puts on the modem, which is what they always think you're asking for when you first mention it to them

The first one is the one you're interested in, especially if you purchased your modem OUTSIDE of your ISP like me...and that's the point you need to make to them.

NOTE: I don't have the details on what the new firmware does or what the date is...I will try to get that later.

Reserved DHCP table error 4005

Good afternoon! Hopefully someone can suggest something other than resetting to factory for a problem I'm having with the DHCP table. From the dashboard I click DHCP table and I'm shown the list of 50-odd devices. At the bottom are 3 devices with the reserve tick in the far right column. One of those I want to unreserve, but every time I untick the box I get the error message "CLI Number: 1 Error Number: -4005 Error Message: DHCP pool does not exist". If I go to Interface > Ethernet > ge2 and scroll to the bottom, only 2 IPs are reserved, not 3 as are displayed in the DHCP table. The one I want to remove is not there. I've rebooted and shut down. Does anyone know how to fix this, or a way via console to blow out all the reserved IPs? Anything!? Thanks in advance, Mike

zyxel zywall 110

Hey everyone, I recently purchased a zywall 110 and have been able to configure a site-to-site VPN with no issues. There is an issue, however, when I need to NAT an address: these VPN connections seem to be connecting, but I can't exchange information. Can anyone provide a really good example of how to NAT within the VPN?

On the IPSEC VPN connections right now I have the outgoing NAT traffic at the bottom set to:
Source: my local IP
Destination: the remote IP
SNAT: the natted IP

At the top I have:
Local: natted IP
Remote: the remote IP

I have the destination NAT also checked:
Source: local IP
Mapped IP: natted IP

When testing I was able to see traffic coming into the VPN tunnel but nothing going out. Do I need to set up something under routing also? I tried turning the firewall off and testing that way as well with no luck, just in case it was a weird firewall rule being set. Any help would be much appreciated, thanks!

Zywall 110 - subnets - ping

Hi, I have a zywall 110 and I am having problems accessing the Zywall from different subnets. Here is what happens when the WAN interface is activated:
1. I can NOT ping and access the admin interface of the zywall from a computer on a different subnet
2. I can ping a computer that is on the same subnet as the firewall from a computer on a different subnet
3. I can ping and access the firewall from a computer on the same subnet

As you probably understand, I am having a problem with number 1. But the strange thing is that if I deactivate WAN then everything works; I can both ping and access from the same computer as in number 1. Of course I need the WAN activated. What can the problem be? Best regards, Adam

USG 50 FTP Server hot mess

Ok so the basics. I had an issue a year ago trying to set up FileZilla's FTP Server and I couldn't figure it out. Flash forward a year and a buddy told me Windows 7's built-in IIS was much easier. I configured everything (1 minute process) so that I can log in to my FTP server across LANs just fine using the private IP addresses. The problem is the minute I try to log in using my public IP to test, I get this certificate error, and I have no idea why the USG 50 is pushing this cert out in the first place. http://i2.minus.com/jBPNKsRDBdo62.png If I hit "OK" it just gives me a 530 denied error. Any help would be greatly appreciated. I'm getting so frustrated with having to really coddle the ZyXel products. It just seems like they make things far more complicated than they should be, or maybe I'm missing something. Thanks in advance.

USG 110 low throughput

I have a USG 110. Until recently I had a 200mb/s downlink, and I got almost all of it through the router. I am using about 30 firewall rules, ADP, and no UTM services. Now I upgraded to a 500mb/s downlink.
Connect PC direct to ISP modem/router - I get full 500mb/s on test, 270mb/s using my program.
Connect through USG with firewall on - I get 150-200mb/s on test, 100 using my program.
Connect through USG with firewall off - I get 200mb/s on test, 100 using my program.
Connect through ASUS RT-N66U - a very simple home router - I get the full 500 on test, 270 using my program.

These numbers tell me a clear story, which is that even the new-gen USGs are too slow. I am not able to get support from ZyXEL, and at this point I believe the hardware just isn't up to it. If anyone can shed any light on this situation I would be very happy to hear. Otherwise I plan to sell this and buy a Check Point SOHO unit.

USG210 Dual WAN and Dual LAN problem

Good day, experts :) Can you please help me? We changed a Zywall 70 to a USG210 and need a solution for my problem. We have 2 WANs from different ISPs and 2 LANs (for using different gateways in the local network for PCs, devices). What I find now is that "user 1" with the LAN1 gateway can go through WAN1 or WAN2 depending on .... don't know what. Sometimes the user changes IP address during browsing. Enable Device HA is not checked. How can I disable the WAN trunk? How do I set it so that LAN1 goes through WAN1 and LAN2 through WAN2 only? Thanks :)

new console cable - replacement for lost cable

Afternoon, Anyone know where I can get a replacement console cable for a Zyxel Zywall 310? I have a load of Cisco console cables and a few Zyxel 20w console cables, but neither of those will do the job. Had a quick google but couldn't find anything - amazon sell this http://www.amazon.co.uk/Plugable-Adapter-Prolific-PL2303HX-Chipset/dp/B00425S1H8/ref=sr_1_2?ie=UTF8&qid=1424431929&sr=8-2&keywords=console+cable but will it work? It's got the correct female DB9 connection, plus it's to USB so no need for the converter, but will the cable layout be correct? Thanks in advance,

IPSec from USG 20 (Client Role) to Server: "INVALID_ID_INFORMATION"

I'm trying to connect from my USG 20 to an IPSec server of the service https://perfect-privacy.com (PP) so that all devices in my LAN surf using that server as a proxy. I'm tired of configuring all Macbooks and iPhones by hand, so I want everything to be protected by the VPN. I can connect to the server just fine using the out-of-the-box L2TP/IPsec VPN client built into Mac OS or Cisco IPSec on the iPhone. PP sells routers which can do that, so it's definitely possible https://www.perfect-privacy.com/vpn-router and I know the servers support the following protocols:
IKEv1 XAUTHPSK (Cisco IPSEC using PSK)
IKEv1 XAUTHRSASIG (Cisco IPSEC using certificate)
IKEv1 L2TP PSK (L2TP over IPSEC using PSK)
IKEv1 L2TP PubKey (L2TP over IPSEC using certificate)
IKEv2 PubKey EAP MS-CHAPv2 (Windows using certificate)

If I do not use XAUTH, I can establish the tunnel from the ZyWall. However, XAUTH is needed for the service to work. But as soon as I enable XAUTH, the Phase 2 negotiation fails and the server replies INVALID_ID_INFORMATION after my ZyWall sends the [HASH][SA][NONCE][ID][ID] IKE message. I assume this has to do with the local and remote policies in the VPN Connection settings. I'm using IPSec transport mode and my WAN IP is public (I'm not NATed). So there is really not much choice for what the local/remote policies can be. The ZyWall demands that the address types are Interface IP or Host. I tried my WAN Interface IP as the local policy and the Server IP as the remote Host policy. I tried out all combinations I could come up with, including 0.0.0.0, but all result in the same error. Even when using IPSec "tunnel" mode and local/remote policies of the type "subnet", every combination I tried resulted in the same error.

Now I have a few questions:
A) What exactly is the INVALID_ID_INFORMATION referring to? The local/remote policies in Phase 2, or the local/remote IDs in Phase 1, or maybe both?
B) I don't know how to debug the actual message contents of the Phase 2 negotiation. Is there a way to do that from the console?
C) What is the difference between the crypto map scenarios site-to-site-static and remote-access-client in my use case? I could never figure out the difference.

This is my entire (anonymized) VPN configuration: https://gist.github.com/anonymous/ac6e8b41f6d22bc58548 Apart from that I have hardly any settings on the ZyWall. No bridges, no NATs, no VLANs, no other tunnels... Thank you very much for your time. (It's hard to google this because most things relate to the ZyWall being the IPSec server, which is not the case here.)

USG 100 multiple VPN with multiple WAN ip addresses

I have a ZyWall USG 100 where I set up IPsec VPN for remote access (server role), already used by some users; this works fine. Now I want to add an additional L2TP VPN for remote access and, to avoid conflicts, I decided to use a separate WAN IP address (I have 4 IPs), that is: VPN Lxxx (plain IPsec) uses wan1:1, L2TP uses wan1:2. If I enable only one VPN at a time, everything works fine; however, if both are enabled, the L2TP connection fails, and in the log I get (among other logs): "IKE [ID]: Tunnel[Lxxx] Local IP mismatch", source address is wan1:2 (!!). Note that Lxxx is the (plain) IPsec VPN configured with the wan1 address; despite that, the Zywall is trying to match the connection with it and not with the L2TP connection configured with the wan1:2 address. Is there a way to make the Zywall keep the VPNs separated based on the configured WAN IP and not mix them? Thank you in advance for any advice.

USG 100, L2TP and split tunnel

I have set up an L2TP VPN on the USG 100. The problem I have is that I want the VPN clients to connect to the local network only to access local resources (local subnet) and use their own internet connection for anything else. I read and tested the CMAK trick to deploy an L2TP client with routing set up to Windows clients, BUT this requires the connecting user to have administrative privileges on the Windows PC, and in my scenario this is a no go. I read that using some old firmware version the L2TP IP pool was configured using part of the lan1 subnet; is this still possible? I tried but it didn't work, but maybe I did it wrong. This way I won't need to set up a route on the client PC connecting to the USG. Thank you in advance for any advice.

USG 60 UTM firewall rules: DOES UTM FILTER WAN TO ANY??

Finally the new USG 60 arrived after the great work of the USG 100. The settings of the UTM services are changed and there are no more settings where to set, for example, WAN to LAN, WAN to DMZ and so on. You must set all in the firewall screen, now known as POLICY CONTROL. The exception is the ADP, where you can find the field "FROM", set by default as WAN, but you can set it as ANY.

The problem is that in the default rule of the firewall, the rule that DENIES all traffic, you CANNOT set the UTM services! Is this strange or not? And this is not the end! If you create firewall rules, you can set which UTM service to activate ONLY in rules where the traffic is from your LAN/DMZ to WAN. It is NOT possible to create a rule (same as the default DENY ALL rule) where you can set the DENY and also the UTM services....same thing if you want to create a rule that filters traffic from WAN to DMZ with UTM services. But from DMZ to WAN it is POSSIBLE!!!!! It is possible if you do a LAN to DMZ because you ALLOW that traffic, but if you DENY, the section down in the screen simply hides the UTM options. Also, if you create other rules such as WAN to ANY with DENY, you cannot set UTM profiles. LOL!

IDP, for example, must work from WAN to ANY/LAN/DMZ doing intrusion detection... and you could also set an ANY to WAN in the old USG series doing "extrusion detection", and the same thing for antivirus. With these new USGs you can use UTM services only for traffic from YOU to the INTERNET but not vice versa. How could this be possible??? Sincerely, I never read in the manual that, for example, the default firewall rule uses the UTM services if they are activated in other options. It could be me; it's possible I have not understood something, but all this is simply without logic.