zfin (Member, Finland, joined 2007-04-04):
Zywall 35 vs USG 100 IPsec issues

I'm having serious IPsec issues with these two firewalls. Unfortunately I have a lot of experience with IPsec and I'm starting to feel that there is (once again) a compatibility issue between these two ZyWALL firewalls.

I have one Gateway policy and two network policies.

In short, one of the network policies gets disconnected all the time. We have at least triple checked all configuration options and also tried simpler settings, without results. It seems that two network rules inside a gateway policy simply don't work with this firewall combination. Based on my experience with IPsec it wouldn't be anything new. The state machine is very, very often more or less broken within many IPsec implementations.

Configuration sample (from ZyWALL 35 standpoint):
Gateway policy:
Host A - Host B - IKE expire 24h
Network policies:
A) from 192.168.1.0 to 192.168.0.0 expire 8h
B) from 192.186.1.0 to 192.168.2.0 expire 8h

With this configuration, for some unknown reason, Network policy B seems to get disconnected when the initial IKE expires. If we disconnect both network policies and reconnect them, everything works well. Until IKE expires. Network policies A and B are similarly configured, except for the SA remote IPs. I know that we could solve this issue by changing IPs. But that's not the point here. The point here is why one policy works and stays connected and the other disconnects when IKE expires. Also all extra features, like PFS, multiple proposals, replay detection, DPD etc. are disabled. Now we're trying to get a simple IKE + SA tunnel with DH5, SHA1, AES256 to work in Tunnel, ESP mode.

Any comments, help or so? I'm feeling quite helpless because there aren't any configuration options left to make the tunnel setup simpler. Except of course using a manual tunnel instead of IKE.

Zyxel support is already working on this. I'll return to this topic when we have resolution.

bbarrera (MVM, Sacramento, CA, joined 2000-10-23):
Why do you have two network policies with overlapping IP ranges? I have had no problems with multiple network policies when using unique IP ranges for each policy.
zfin (Member, Finland, joined 2007-04-04):

I think it's totally normal to have N+1 policies with overlapping local IP ranges. It's required when you route traffic for other or multiple destinations, working as a routing point. I'll give you a sample of what kind of configurations we have been using.

The most extreme solutions we have been using are on el cheapo hardware (do ZyWALLs count as el cheapo?).

One of the most widely used configs is a star configuration where the main point is 192.168.0.0 / 255.255.255.0 and the nodes connected to the star are using 192.168.N.0 / 255.255.255.0 networks. In this case we have often made IPsec tunnels using the following rules.

One tunnel for every node, with the following policies:
local: 192.168.0.0 / 255.255.0.0 remote: 192.168.N.0 / 255.255.255.0

This kind of star configuration did work great even with el cheapo devices from the routing point of view. The main problem was that their IPsec implementation was totally broken (as usual) and the IPsec finite-state machine failed completely.

After a reboot all tunnels worked perfectly, but after keys started to expire everything got messed up. And I have tried this with devices from multiple manufacturers and it seems to be, unfortunately, a totally common feature. But it's trivial to fix. And after about 5 firmware cycles we got firmware for these devices that really does work perfectly with this kind of setup.

Personally I think most of these problems were caused because local and remote peer IDs weren't checked properly during tunnel setup. The ZyWALL also started to flood the system with rule swap messages.

In this case the bug is a bit different because now it affects network policies instead of gateway policies.

It seems that the ZyWALL doesn't even allow setting up parallel gateway policies as devices from many other vendors do. (I tried that.)

Detailed configuration data has been delivered to Zyxel support. Let's see what they come up with.

Btw, check this out too:
»ZyWall 35 Dynamic VPN not working [Solved]
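As an added example (not from the thread or from Zyxel), a small Python check that tells apart the two kinds of overlap the posters disagree about: overlapping local selectors with disjoint remote selectors, which the hub-and-spoke layout above relies on, versus pairs whose local and remote selectors both overlap, where one flow could match two SAs. The policy lists are constructed from the thread's examples; the /24 masks on the A/B policies are an assumption, since the first post gives none.

```python
from ipaddress import ip_address, ip_network


def selector(text):
    """Parse a selector written the way the posts write it,
    e.g. '192.168.0.0 / 255.255.0.0' or '192.168.2.0/24'."""
    return ip_network(text.replace(" ", ""), strict=False)


def policy(name, local, remote):
    return {"name": name, "local": selector(local), "remote": selector(remote)}


def classify_overlaps(policies):
    """Report, for every pair of phase-2 (network) policies, how their
    traffic selectors overlap:
      'ambiguous'  : local AND remote overlap, so a single flow can match
                     either SA; this is a real configuration conflict.
      'local-only' : only the local side overlaps, which is expected when
                     one hub range is paired with several disjoint spokes.
      'remote-only': only the remote side overlaps."""
    findings = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            loc = a["local"].overlaps(b["local"])
            rem = a["remote"].overlaps(b["remote"])
            if loc and rem:
                findings.append((a["name"], b["name"], "ambiguous"))
            elif loc:
                findings.append((a["name"], b["name"], "local-only"))
            elif rem:
                findings.append((a["name"], b["name"], "remote-only"))
    return findings


def matching_policies(policies, src, dst):
    """Names of every policy whose selectors cover a src->dst flow; more
    than one name means the SA choice depends on rule order."""
    s, d = ip_address(src), ip_address(dst)
    return [p["name"] for p in policies if s in p["local"] and d in p["remote"]]


# Constructed samples modelled on the thread (A/B masks assumed to be /24).
THREAD = [policy("A", "192.168.1.0/24", "192.168.0.0/24"),
          policy("B", "192.168.1.0/24", "192.168.2.0/24")]
STAR = [policy(f"spoke{n}", "192.168.0.0 / 255.255.0.0",
               f"192.168.{n}.0 / 255.255.255.0") for n in (1, 2, 3)]
# Hypothetical conflicting pair: a wide remote range beside a spoke inside it.
CONFLICT = [policy("wide", "192.168.1.0/24", "192.168.0.0/16"),
            policy("narrow", "192.168.1.0/24", "192.168.2.0/24")]

if __name__ == "__main__":
    for label, pols in (("thread", THREAD), ("star", STAR), ("conflict", CONFLICT)):
        print(label, classify_overlaps(pols))
    print(matching_policies(CONFLICT, "192.168.1.10", "192.168.2.20"))
```

Only the CONFLICT pair is reported as ambiguous; the thread's A/B policies and the star rules overlap on the local side alone, which matches the point made in the second post.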