Theme

Welcome · log in · join	food

Home

Reviews

Speed Test

	All Forums		Hot Topics		Gallery

Forums → Equipment Support → Hardware By Brand →

ZyXEL → Re: USG 20 vpn - struggling to get this to work

uniqs
44

« Is Zyxel blowing smoke? • Zywall USG-200 firmware upgrade »

This is a sub-selection from USG 20 vpn - struggling to get this to work

speedyb Premium Member join:2012-11-20 netherlands 1 recommendation	speedyb to hyde1 Premium Member 2012-Nov-25 3:37 pm to hyde1 Re: USG 20 vpn - struggling to get this to work I see in your log not that Phase one is successful so we have to focus on the Fase1 settings.. Either the encoding or the PSK is not correct, but I bet it is the encryption settings. If I understand this page:»support.microsoft.com/kb/325158 microsoft uses 3DES/SHA1 with ESP and no Authentication Header. So your encryption should include the 3DES with SHA1. Have you tried the ZyXel VPN Client? »www.zyxel.com/products_s ··· html?t=p Maybe this will work, and can you find more logging from the client side.
	actions · 2012-Nov-25 3:37 pm ·
hyde1 join:2012-11-16	hyde1 Member 2012-Nov-25 10:57 pm said by speedyb: I see in your log not that Phase one is successful so we have to focus on the Fase1 settings.. Either the encoding or the PSK is not correct, but I bet it is the encryption settings. If I understand this page:»support.microsoft.com/kb/325158 microsoft uses 3DES/SHA1 with ESP and no Authentication Header. So your encryption should include the 3DES with SHA1. Have you tried the ZyXel VPN Client? »www.zyxel.com/products_s ··· html?t=p Maybe this will work, and can you find more logging from the client side. 1) Can I disable encryption all together and try just to try if it is working? 2) I was under the impression that the VPN client requires license. I noticed you also posted link to client above with download link.
	actions · 2012-Nov-25 10:57 pm ·
Brano I hate Vogons MVM join:2002-06-25 Burlington, ON	Brano MVM 2012-Nov-25 11:11 pm That VPN client is mostly for connecting to old ZyNOS ZyWall series that don't have L2TP VPN. The ZLD ZyWall series (USG) can connect directly with windows native L2TP client.
	actions · 2012-Nov-25 11:11 pm ·
speedyb Premium Member join:2012-11-20 netherlands 1 recommendation	speedyb to hyde1 Premium Member 2012-Nov-26 3:20 am to hyde1 said by hyde1: 1) Can I disable encryption all together and try just to try if it is working? You can try by making the encryption optional, and remove the encryption in the GateWay, but I don't know if it will work. Let us know said by hyde1: 2) I was under the impression that the VPN client requires license. I noticed you also posted link to client above with download link. On the Zyxel page there is the download link on the left hand side. So I don't know. But I think it can be used to troubleshoot the IPSec part. Because there it seems failing.
	actions · 2012-Nov-26 3:20 am ·
Brano I hate Vogons MVM join:2002-06-25 Burlington, ON (Software) OPNsense Ubiquiti UniFi UAP-AC-PRO Ubiquiti NanoBeam M5 16	Brano MVM 2012-Nov-26 2:52 pm For whatever it's worth, I've setup a Win7 VM and trying L2TP to USG50. I can't get past Phase 2. Phase 1 is successful, Phase 2 is "proposal mismatch, no proposal chosen" and I've tried pretty much all proposal combinations.
	actions · 2012-Nov-26 2:52 pm ·

Brano 1 edit	Brano MVM 2012-Nov-26 4:05 pm OK, got connected from Win7 to USG50 using native Win7 VPN client. Phase 1 settings: SA Life Time: 180 or higher Mode: Main Proposal: 3DES-SHA1 Key Group: DH2 NATT: Yes DPD: Yes (optional) Phase 2 settings: SA Life Time: 3600 or higher Protocol: ESP Encapsulation: Transport Proposal: AES128-SHA1, 3DES-SHA1 PFS: none Replay Detection: Yes (optional) NetBIOS broadcast over IPSec: Yes (optional) These settings seems to be working for Andorid 4.0 L2TP VPN as well.
	actions · 2012-Nov-26 4:05 pm ·

hyde1 join:2012-11-16	hyde1 Member 2012-Nov-26 7:45 pm Update: I got home, and I can connect to VPN (Hurray!) But I see the same behavior, I cannot see any office workstations or network connected equipment (I was hoping I could print through VPN). It also disables my WiFi internet connection, while it is still connected, I cannot load any websites. I could expect something like this if I had both wired and wireless connections (like I mentioned in another topic) but I only have Wifi and VPN over Wifi. I should still be able to go online even if I did not enable going online through VPN, right?
	actions · 2012-Nov-26 7:45 pm ·
Brano I hate Vogons MVM join:2002-06-25 Burlington, ON (Software) OPNsense Ubiquiti UniFi UAP-AC-PRO Ubiquiti NanoBeam M5 16 1 edit	Brano MVM 2012-Nov-26 8:50 pm Re-read this thread »L2TP VPN on USG - quick how-to and ensure you have all Firewall and Policy rules setup correctly. Also ensure all your LAN PC firewalls allow access from your L2TP_VPN_IP_POOL
	actions · 2012-Nov-26 8:50 pm ·
speedyb Premium Member join:2012-11-20 netherlands	speedyb to Brano Premium Member 2012-Nov-27 5:27 am to Brano Brano, I have now on one of the Zyxels a similar problem. But in my case I see it connecting to the wrong gateway. (For the Site to Site) and not to the one configured in the L2TP. Any Ideas? Or did you see the same thing in your logging? Regards, Bas
	actions · 2012-Nov-27 5:27 am ·
Brano I hate Vogons MVM join:2002-06-25 Burlington, ON	Brano MVM 2012-Nov-27 9:18 am If it's connecting to wrong gateway that means you must have similar gateway configured with very similar settings. Try to change the gateway in some way ... use different PSK or certificate, different CN in certificate possibly different Phase 1.
	actions · 2012-Nov-27 9:18 am ·
cliffb @vf.net.nz	cliffb Anon 2012-Nov-27 5:11 pm Well I gave up with the USG, it works as a site to site vpn, but completely useless as a client to site, it just doesn't seem to work, and its not worth the time/money/effort to get going, so its being replace with a unit what just works and an easier config. I am not surprised the usg20 I am using go discarded by another network engineer here, he could not get it working either, its not a faulty unit, as another does the same..... so back to ciscos and fortinets... good luck to the rest of you with usg units, if you get them working I wonder how secure it'll be after everything is turned off to make it work. my 2c worth, buy a proper firewall that does what you want it to without spending hours to 'try' to get it to work.....time is money Cliff New Zealand..
	actions · 2012-Nov-27 5:11 pm ·
hyde1 join:2012-11-16 2 edits	hyde1 to Brano Member 2012-Nov-29 3:27 pm to Brano I am getting below error using VPN Client evaluation: »gyazo.com/dcde3426da4506 ··· 54220635 I realize that VPN Client uses IPSEC, not L2TP. For error 1 I fixed that by going into WIZ_.. local and changing it to another subnet, but I am still getting stuck at phase 1 error below »gyazo.com/b472694ca4258d ··· 54220843 I fixed above two by fiddling with settings, now I am getting Phase 2 error.. I realize above will need a connection on its own, I may have to create a new one from scratch to test VPN client.
	actions · 2012-Nov-29 3:27 pm ·
dale_bentley join:2013-01-19	dale_bentley to cliffb Member 2013-Jan-19 6:23 pm to cliffb Cliff, We setup "client to site" VPN easily on our USG 100 - Zano's instructions vary away from the official Zyxel ones so we used steps detailed here: »ftp://ftp.zyxel.com/ZYWALL_USG ··· 3.00.pdf We created this IPSEC VPN gateway and connection and then L2TP VPN exactly as listed then added 3 routes - then successfully connected from a Windows 7 external PC using its inbuilt VPN client and also an iPhone. We also have several "site to site" VPNs in place and again they work well and are easy to setup. Compared to Watchguard, Cisco, etc this is a far easier product to get on with. Cheers, Dale.
	actions · 2013-Jan-19 6:23 pm ·
dale_bentley	dale_bentley to hyde1 Member 2013-Jan-19 6:26 pm to hyde1 Hyde1 - if you are still having issues with setup of client to site VPN please let me know. There is some conflicting information out there that can cause this to fail on Phase 2. Cheers, Dale.
	actions · 2013-Jan-19 6:26 pm ·
hyde1 join:2012-11-16	hyde1 Member 2013-Jan-20 12:36 am said by dale_bentley: Hyde1 - if you are still having issues with setup of client to site VPN please let me know. There is some conflicting information out there that can cause this to fail on Phase 2. Cheers, Dale. Hi Dale, Yes, I was still having the problems, until I finally gave up on it, and now my configuration is all over the place. I tried so many different things, I will have to wipe my current configuration totally and start from scratch with a factory reset, which I am willing to do if it will help. For now, we resort to using dropbox to collaborate data (the users just open that database) temporarily.
	actions · 2013-Jan-20 12:36 am ·
dale_bentley join:2013-01-19 1 edit	dale_bentley Member 2013-Jan-20 1:13 am Hi, Sorry to hear you still are having issues. Try removing any VPN Gateway and Connection not currently working for you, download the Zyxel PDF I listed, then follow exact steps listed and even for now use same Gateway and Connection names to make it easy to refer to. Most important thing I found in Gateway and Connection settings is making the Interface and Local Policy the WAN interface on both, and putting the same 3 proposals this PDF lists, selecting DH2 and make sure encapsulation is Transport. If you get stuck let me know your email address and maybe I can assist remotely to resolve (no cost of course) Cheers, Dale.
	actions · 2013-Jan-20 1:13 am ·

Forums → Equipment Support → Hardware By Brand → ZyXEL	« Is Zyxel blowing smoke? • Zywall USG-200 firmware upgrade »
This is a sub-selection from USG 20 vpn - struggling to get this to work