hyde1

join:2012-11-16
reply to speedyb

Re: USG 20 vpn - struggling to get this to work

said by speedyb:

I see in your log now that Phase 1 is not successful, so we have to focus on the Phase 1 settings. Either the encoding or the PSK is not correct, but I bet it is the encryption settings.

If I understand this page: »support.microsoft.com/kb/325158, Microsoft uses 3DES/SHA1 with ESP and no Authentication Header.

So your encryption should include the 3DES with SHA1.

Have you tried the ZyXel VPN Client? »www.zyxel.com/products_services/···html?t=p
Maybe this will work, and can you find more logging from the client side.

1) Can I disable encryption altogether, just to test whether it is working?

2) I was under the impression that the VPN client requires license. I noticed you also posted link to client above with download link.


Brano
join:2002-06-25
Burlington, ON

That VPN client is mostly for connecting to old ZyNOS ZyWall series that don't have L2TP VPN. The ZLD ZyWall series (USG) can connect directly with windows native L2TP client.


speedyb
join:2012-11-20
netherlands

reply to hyde1

said by hyde1:

1) Can I disable encryption altogether, just to test whether it is working?

You can try by making the encryption optional, and remove the encryption in the Gateway, but I don't know if it will work.

Let us know

said by hyde1:

2) I was under the impression that the VPN client requires license. I noticed you also posted link to client above with download link.

On the Zyxel page there is the download link on the left hand side. So I don't know. But I think it can be used to troubleshoot the IPSec part. Because there it seems failing.


Brano
join:2002-06-25
Burlington, ON

For whatever it's worth, I've setup a Win7 VM and trying L2TP to USG50.
I can't get past Phase 2. Phase 1 is successful, Phase 2 is "proposal mismatch, no proposal chosen" and I've tried pretty much all proposal combinations.



Brano
join:2002-06-25
Burlington, ON

OK, got connected from Win7 to USG50 using native Win7 VPN client.

Phase 1 settings:
SA Life Time: 180 or higher
Mode: Main
Proposal: 3DES-SHA1
Key Group: DH2
NATT: Yes
DPD: Yes (optional)

Phase 2 settings:
SA Life Time: 3600 or higher
Protocol: ESP
Encapsulation: Transport
Proposal: AES128-SHA1, 3DES-SHA1
PFS: none
Replay Detection: Yes (optional)
NetBIOS broadcast over IPSec: Yes (optional)

These settings seem to work for the Android 4.0 L2TP VPN client as well.
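As an added example (not from this thread and not ZyXEL's or Microsoft's code), here is a small Python model of how an IKEv1 responder selects a proposal. It makes the "proposal mismatch, no proposal chosen" failure above concrete: the responder must find one offered proposal that matches one of its own in every attribute, so a gateway that has encapsulation set to Tunnel (as for site-to-site) or PFS enabled never matches the L2TP client's Transport/no-PFS offer, even when cipher and hash agree. The client offer list is constructed from the KB article cited earlier (3DES/SHA1, ESP) plus the AES128-SHA1 proposal reported as working here; real client offers vary by Windows version, so treat it as an assumption and read the client's IKE log for the actual values.

```python
"""Model of IKEv1 proposal selection, to reason about "no proposal chosen".

Added example, not from the thread or from ZyXEL. The responder picks the
first proposal offered by the initiator that matches one of its own proposals
in every attribute (IKEv1 does not mix attributes across proposals), so a single
mismatched attribute (encapsulation, PFS, cipher, hash, DH group) yields
"no proposal chosen" even when everything else agrees.
"""
from dataclasses import dataclass, fields
from typing import List, Optional, Sequence, TypeVar


@dataclass(frozen=True)
class Phase1Proposal:
    encryption: str    # e.g. "3DES", "AES128"
    integrity: str     # e.g. "SHA1", "MD5"
    dh_group: str      # e.g. "DH2"
    mode: str          # "Main" or "Aggressive"


@dataclass(frozen=True)
class Phase2Proposal:
    encryption: str
    integrity: str
    protocol: str       # "ESP" or "AH"
    encapsulation: str  # "Transport" (L2TP/IPsec) or "Tunnel" (site-to-site)
    pfs: str            # "none" or a DH group such as "DH2"


Proposal = TypeVar("Proposal", Phase1Proposal, Phase2Proposal)


def choose(initiator: Sequence[Proposal], responder: Sequence[Proposal]) -> Optional[Proposal]:
    """Return the proposal the responder would select, or None ("no proposal chosen")."""
    accepted = set(responder)
    for offered in initiator:
        if offered in accepted:
            return offered
    return None


def explain_mismatch(initiator: Sequence[Proposal], responder: Sequence[Proposal]) -> List[str]:
    """One line per gateway (responder) proposal that has no exact client match,
    naming the attributes that differ from the closest client (initiator) proposal."""
    notes: List[str] = []
    for ours in responder:
        def distance(theirs: Proposal) -> int:
            return sum(getattr(theirs, f.name) != getattr(ours, f.name) for f in fields(ours))
        closest = min(initiator, key=distance)
        diffs = [f"{f.name}: gateway={getattr(ours, f.name)} client={getattr(closest, f.name)}"
                 for f in fields(ours) if getattr(ours, f.name) != getattr(closest, f.name)]
        if diffs:
            notes.append(", ".join(diffs))
    return notes


# Constructed client offer (assumption): what the Windows native L2TP/IPsec client
# is taken to send, based on the KB article cited in the thread (3DES/SHA1, ESP,
# no AH) plus the AES128-SHA1 proposal reported as working above.
WINDOWS_PHASE1 = [Phase1Proposal("3DES", "SHA1", "DH2", "Main")]
WINDOWS_PHASE2 = [
    Phase2Proposal("AES128", "SHA1", "ESP", "Transport", "none"),
    Phase2Proposal("3DES", "SHA1", "ESP", "Transport", "none"),
]

# Gateway (responder) configurations: the working one from the post above, and
# two common mistakes that each differ from the client offer in one attribute.
ZYWALL_PHASE1 = [Phase1Proposal("3DES", "SHA1", "DH2", "Main")]
ZYWALL_PHASE2_WORKING = list(WINDOWS_PHASE2)
ZYWALL_PHASE2_TUNNEL = [Phase2Proposal("3DES", "SHA1", "ESP", "Tunnel", "none")]   # site-to-site style
ZYWALL_PHASE2_PFS = [Phase2Proposal("3DES", "SHA1", "ESP", "Transport", "DH2")]    # PFS left on

if __name__ == "__main__":
    print("Phase 1:", choose(WINDOWS_PHASE1, ZYWALL_PHASE1))
    for name, gateway in [("working", ZYWALL_PHASE2_WORKING),
                          ("tunnel", ZYWALL_PHASE2_TUNNEL),
                          ("pfs", ZYWALL_PHASE2_PFS)]:
        chosen = choose(WINDOWS_PHASE2, gateway)
        print(f"Phase 2 ({name}):", chosen if chosen else "no proposal chosen")
        for note in explain_mismatch(WINDOWS_PHASE2, gateway):
            print("   ", note)
```

The useful habit this encodes: when a gateway log says "no proposal chosen", diff the two sides attribute by attribute instead of trying cipher combinations at random; the attribute that differs is usually encapsulation or PFS, not the cipher.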


hyde1

join:2012-11-16
reply to Cliffb

After following Brano's quick how-to, and using default Win7 dialer, I am testing the VPN from my office using a router that is actually connected to LAN2. The VPN is still going over internet then coming back to Zywall and it seems to work fine. I will try again when I get home, hopefully it is not a glitch that is allowing VPN to work.

I have one question, though. Even though I get connected, I cannot see any of the other computers on my network. Would I have to change LAN_L2TP to same subnet as my other computers? Even when I did that I couldn't see other network devices or shares.


hyde1

join:2012-11-16
reply to Brano

Update: I got home, and I can connect to VPN (Hurray!) But I see the same behavior, I cannot see any office workstations or network connected equipment (I was hoping I could print through VPN).

It also disables my WiFi internet connection, while it is still connected, I cannot load any websites. I could expect something like this if I had both wired and wireless connections (like I mentioned in another topic) but I only have Wifi and VPN over Wifi. I should still be able to go online even if I did not enable going online through VPN, right?



Brano
join:2002-06-25
Burlington, ON

Re-read this thread »L2TP VPN on USG - quick how-to and ensure you have all Firewall and Policy rules setup correctly.

Also ensure all your LAN PC firewalls allow access from your L2TP_VPN_IP_POOL


speedyb
join:2012-11-20
netherlands
reply to Brano

Brano,

I have now on one of the Zyxels a similar problem. But in my case I see it connecting to the wrong gateway. (For the Site to Site) and not to the one configured in the L2TP.

Any Ideas? Or did you see the same thing in your logging?

Regards,

Bas



Brano
join:2002-06-25
Burlington, ON

If it's connecting to wrong gateway that means you must have similar gateway configured with very similar settings. Try to change the gateway in some way ... use different PSK or certificate, different CN in certificate possibly different Phase 1.



cliffb

@vf.net.nz

Well, I gave up with the USG. It works as a site-to-site VPN, but it is completely useless as a client-to-site VPN; it just doesn't seem to work, and it's not worth the time/money/effort to get going, so it's being replaced with a unit that just works and has an easier config.

I am not surprised the USG20 I am using got discarded by another network engineer here; he could not get it working either. It's not a faulty unit, as another one does the same.....

so back to ciscos and fortinets...

good luck to the rest of you with usg units, if you get them working I wonder how secure it'll be after everything is turned off to make it work.

my 2c worth, buy a proper firewall that does what you want it to without spending hours to 'try' to get it to work.....time is money

Cliff
New Zealand..


hyde1

join:2012-11-16

reply to Brano

I am getting the error below using the VPN Client evaluation:

»gyazo.com/dcde3426da4506ae20fc7c···54220635

I realize that VPN Client uses IPSEC, not L2TP.
For error 1 I fixed that by going into WIZ_.. local and changing it to another subnet, but I am still getting stuck at phase 1 error below

»gyazo.com/b472694ca4258d2772432c···54220843

I fixed above two by fiddling with settings, now I am getting Phase 2 error..

I realize above will need a connection on its own, I may have to create a new one from scratch to test VPN client.


dale_bentley

join:2013-01-19
reply to cliffb

Cliff,

We setup "client to site" VPN easily on our USG 100 - Zano's instructions vary away from the official Zyxel ones so we used steps detailed here:

»ftp://ftp.zyxel.com/ZYWALL_USG_100/sup···3.00.pdf

We created this IPSEC VPN gateway and connection and then L2TP VPN exactly as listed then added 3 routes - then successfully connected from a Windows 7 external PC using its inbuilt VPN client and also an iPhone.

We also have several "site to site" VPNs in place and again they work well and are easy to setup. Compared to Watchguard, Cisco, etc this is a far easier product to get on with.

Cheers,
Dale.


dale_bentley

join:2013-01-19
reply to hyde1

Hyde1 - if you are still having issues with setup of client to site VPN please let me know.

There is some conflicting information out there that can cause this to fail on Phase 2.

Cheers,
Dale.


hyde1

join:2012-11-16

said by dale_bentley:

Hyde1 - if you are still having issues with setup of client to site VPN please let me know.

There is some conflicting information out there that can cause this to fail on Phase 2.

Cheers,
Dale.

Hi Dale,
Yes, I was still having the problems, until I finally gave up on it, and now my configuration is all over the place. I tried so many different things, I will have to wipe my current configuration totally and start from scratch with a factory reset, which I am willing to do if it will help. For now, we resort to using dropbox to collaborate data (the users just open that database) temporarily.

dale_bentley

join:2013-01-19


Hi,

Sorry to hear you still are having issues.

Try removing any VPN Gateway and Connection not currently working for you, download the Zyxel PDF I listed, then follow exact steps listed and even for now use same Gateway and Connection names to make it easy to refer to.

The most important thing I found in the Gateway and Connection settings is making the Interface and Local Policy the WAN interface on both, putting in the same 3 proposals this PDF lists, selecting DH2, and making sure encapsulation is Transport.

If you get stuck let me know your email address and maybe I can assist remotely to resolve (no cost of course)

Cheers,
Dale.