ZyWall 2x VPN Client?

Sarv Atam
Hey guys, it's been a while since I've been on DSL Reports.
Initially I started off with a ZyWall 2x at both my office and home after I got a recommendation from Anav many years ago. I moved up to the 2wg for my office and the NBG5715; although I had great results with the 2wg, the NBG5715 has been nothing short of a fiasco. VPN was not working properly, and it's thanks to me pushing on many occasions and complaining that the new firmware came out.
Anyhow, now onto my question: I have a ZyWall 2x lying around and a customer of mine asked for a low-cost VPN solution. Knowing the unit still works flawlessly, I was wondering where I can get the VPN client that works in conjunction with the router.
Thx
Brano (I hate Vogons), MVM, join: 2002-06-25, Burlington, ON
Brano
MVM
2013-Oct-15 6:58 pm
You can try the Draytek VPN client: » VPN client from DrayTek. But really, the Z2X is way too old; it will limit any modern connection speeds. Consider upgrading.
Sarv Atam
Customer is cheap and will have only 1 person from Florida connecting to the server in order to access this program called "fishbowl". I was planning on bridging the 2x to their actual router, disabling DHCP and using it for its VPN functionality. What do you think? Will I run into issues? Also, I read up on some posts and was told to install the following client: » www.shrew.net/support/wi ··· toZywall
Last but not least, I'm also considering upgrading my own ZyWall 2wg for the U20W and offering the 2wg to my customer as a better solution. How much do you think a fair price would be for the 2wg? And considering I'm using it at my home office, is it worth doing the upgrade? Thanks for your time Brano, you've always helped out through all the years I've used Zyxel. Samy

Brano
MVM
2013-Oct-15 8:38 pm
The 2x will work as a VPN endpoint with a proper client connecting to it. Shrew should work.
As for price, I hate to say it, but personally I would not pay more than $20 for a 2x or 2wg. Any new $40 router with a WRT derivative will beat it today.
Anav (Sarcastic Llama? Naw, Just Acerbic), Premium Member, join: 2001-07-16, Dartmouth, NS
Anav
Premium Member
2013-Oct-16 11:40 am
2x = recycle at your local depot for electronics

Sarv Atam
Would you consider the U20W a good replacement for the 2wg? Should I upgrade, or should I consider something from Cisco or SonicWall?
Anav
Premium Member
2013-Oct-16 8:03 pm
I would probably only consider wired routers and use a separate device for WiFi. For example, at home I have a Linksys, a TRENDnet and an ASUS WiFi router as access points serving three floors. In this way I can place the WiFi radio where it best suits the house vice next to the router. As well, it's much easier to change out an ancillary WiFi device, as the technology tends to change faster.

Brano
MVM
to Sarv Atam
Also there are new models coming out; it really depends on your needs. And the UTM portion of the USG is seriously under-powered. That said, the USG20 is still a pretty good deal for the money. It all depends on what you need it for and what the budget is.
But I agree with Alex, a separate AP is the way to go.

Sarv Atam
Guys, for learning purposes I tried setting up Shrew with the 2x, yet I'm not sure of a couple of things. I'm not sure what needs to be entered for Peer ID Type & Content; any suggestions? Thanks again for all your time and suggestions.
Brano
MVM
2013-Oct-18 5:36 am
It can be anything, but it has to be the same on both ends. Local ID = Remote ID. The content can be made up or real; it does not matter, it is just a string that has to match.

Anav
Premium Member
2013-Oct-18 8:39 am
I use a fake email address in my VPN setup:
AnavIsBranos@hero.com

Sarv Atam
Thanks guys, but I still can't get the VPN up and running. Do I need to open any ports on the main router? Here are some screenshots; unfortunately I'm still a beginner with this type of setup and your input is really appreciated.
Anav
Premium Member
to Sarv Atam
Other stuff that may help: » ftp://ftp.zyxel.com/ZyWALL_2_P ··· 4.03.pdf and » ec1.images-amazon.com/me ··· 4529.pdf. There used to be support notes and these usually had examples; I just can't find it now for the 2x.

Brano
MVM
to Sarv Atam
If this is behind another router then you need to forward ports UDP 500 and UDP 4500 and allow VPN pass-through.

Sarv Atam
Thanks Anav for all the links. I think my knowledge of VPNs is not advanced enough to troubleshoot the problem. I used the steps provided by Shrew to set up everything but I can't get it to connect. I'm actually thinking of maybe going with the Zyxel VPN client; it should be easier to configure, right? At least I can get support on it from Zyxel. Brano, I opened UDP ports 500 & 4500 on the 2Wire router/modem but could not find any IPsec pass-through option; I googled but couldn't find anything on it as well. Overall I'm wondering if there's a way to debug the VPN settings in order to find the problem; too many variables makes it almost impossible for me to find the issue. Looks like some sort of negotiation is being done but not completing:

    10/19/2013 01:27:13  Rule [1] IKE packet retransmit count reached                                          IPSEC
  3 10/19/2013 01:26:41  !! IKE Packet Retransmit                        192.168.2.2     174.92.159.141  IKE
  4 10/19/2013 01:26:25  !! IKE Packet Retransmit                        192.168.2.2     174.92.159.141  IKE
  5 10/19/2013 01:26:17  !! IKE Packet Retransmit                        192.168.2.2     174.92.159.141  IKE
  6 10/19/2013 01:26:13  Send:[SA][KE][NONCE][ID][HASH][VID]             192.168.2.2     174.92.159.141  IKE
  7 10/19/2013 01:26:11  Recv:[SA][KE][NONCE][ID][VID][VID][             174.92.159.141  192.168.2.2     IKE
  8 10/19/2013 01:26:11  Recv Aggressive Mode request from [174.92.159.141]  174.92.159.141  192.168.2.2  IKE
  9 10/19/2013 01:26:11  Rule [1] Receiving IKE request                  174.92.159.141  192.168.2.2     IKE
 10 10/19/2013 01:25:12  Rule [1] IKE packet retransmit count reached                                          IPSEC
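As an added example (not from the thread, Shrew or Zyxel), the following Python script reads the log rows posted above, puts them back in chronological order and reports how far the IKE phase 1 exchange got before the ZyWall gave up, together with the checks the replies in this thread suggest. The rows are re-typed as a constructed sample without the web UI's row numbers; the column layout (date, time, message, optional source/destination, category) and the stage names are assumptions of this example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample: the rows posted in the thread, one per line, without the
# UI's row numbers. Newest row first, which is how the ZyWall lists them.
ZYWALL_LOG = """\
10/19/2013 01:27:13 Rule [1] IKE packet retransmit count reached IPSEC
10/19/2013 01:26:41 !! IKE Packet Retransmit 192.168.2.2 174.92.159.141 IKE
10/19/2013 01:26:25 !! IKE Packet Retransmit 192.168.2.2 174.92.159.141 IKE
10/19/2013 01:26:17 !! IKE Packet Retransmit 192.168.2.2 174.92.159.141 IKE
10/19/2013 01:26:13 Send:[SA][KE][NONCE][ID][HASH][VID] 192.168.2.2 174.92.159.141 IKE
10/19/2013 01:26:11 Recv:[SA][KE][NONCE][ID][VID][VID][ 174.92.159.141 192.168.2.2 IKE
10/19/2013 01:26:11 Recv Aggressive Mode request from [174.92.159.141] 174.92.159.141 192.168.2.2 IKE
10/19/2013 01:26:11 Rule [1] Receiving IKE request 174.92.159.141 192.168.2.2 IKE
10/19/2013 01:25:12 Rule [1] IKE packet retransmit count reached IPSEC
"""

# Assumed column layout: date, time, message, optional source and destination
# addresses, then the category column (IKE or IPSEC).
ROW_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<msg>.+?)"
    r"(?: (?P<src>\d+(?:\.\d+){3}) (?P<dst>\d+(?:\.\d+){3}))? (?P<cat>IKE|IPSEC)$"
)


def parse_log(text):
    """Return the rows as dicts in chronological (oldest-first) order."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised log row: {line!r}")
        row = m.groupdict()
        row["when"] = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    rows.reverse()                      # UI order is newest first
    rows.sort(key=lambda r: r["when"])  # stable, so same-second rows keep their order
    return rows


def diagnose(text):
    """Classify how far the most recent IKE phase 1 attempt got and what to check."""
    rows = parse_log(text)
    starts = [i for i, r in enumerate(rows) if "Receiving IKE request" in r["msg"]]
    if not starts:
        return {"stage": "no_request_seen", "checks": [
            "The client's first IKE packet never reached the ZyWall: forward UDP 500 "
            "(and UDP 4500 for NAT-T) on the front router to the ZyWall's WAN address."]}
    attempt = rows[starts[-1]:]         # ignore earlier, already failed attempts
    peer, gateway = attempt[0]["src"], attempt[0]["dst"]
    mode = "aggressive" if any("Aggressive Mode" in r["msg"] for r in attempt) else "main"
    reply_idx = next((i for i, r in enumerate(attempt) if r["msg"].startswith("Send:")), None)
    retransmits = sum("IKE Packet Retransmit" in r["msg"] for r in attempt)
    gave_up = any("retransmit count reached" in r["msg"] for r in attempt)
    heard_back = reply_idx is not None and any(
        r["msg"].startswith("Recv") for r in attempt[reply_idx + 1:])

    if reply_idx is not None and heard_back:
        stage = "phase1_progressed"
    elif reply_idx is not None and gave_up:
        stage = "phase1_reply_unanswered"
    else:
        stage = "incomplete"

    checks = []
    if stage == "phase1_reply_unanswered":
        checks += [
            "The ZyWall's reply was retransmitted until it gave up: either the reply is "
            "dropped on its way back to the client, or the client rejected it silently.",
            "Front router: forward UDP 500 and UDP 4500 to the ZyWall and enable IPsec "
            "pass-through (ESP, IP protocol 50) so the phase 2 traffic can follow.",
            "Both ends: Local ID = Remote ID (same Peer ID type and content) and the same "
            "pre-shared key; in aggressive mode a mismatch fails silently on the client side.",
        ]
    behind_nat = ipaddress.ip_address(gateway).is_private
    if behind_nat:
        checks.append(
            "The ZyWall answers from a private address, so it sits behind NAT: use a "
            "non-IP Peer ID type (a string or e-mail style ID) rather than its IP address.")
    return {"stage": stage, "mode": mode, "peer": peer, "gateway": gateway,
            "retransmits": retransmits, "gateway_behind_nat": behind_nat, "checks": checks}


if __name__ == "__main__":
    result = diagnose(ZYWALL_LOG)
    print(f"{result['mode']} mode from {result['peer']}: {result['stage']} "
          f"after {result['retransmits']} retransmits")
    for check in result["checks"]:
        print(" -", check)
```

Run on the rows above it reports an aggressive-mode attempt from 174.92.159.141 that reached the ZyWall, got a reply, and then stalled with three retransmits. The log alone cannot tell a dropped return packet from a client that silently discarded a reply whose ID or pre-shared key did not match, which is why the port forwarding, pass-through and ID checks from the replies above are all listed.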
Sarv Atam
to Brano
I'm forwarding the UDP ports to the ZyWall's IP and the server behind it, right?
Brano
MVM
2013-Oct-19 1:59 pm
OK, I'm really confused about your setup. Let's back up a bit, please. Post a diagram of your network: modem, main gateway router, ZyWall, server, LAN. Let's get a clear understanding of how things are and what the desired end state is.

gb5102, join: 2003-10-07, Saint Paul, MN
gb5102
Member
2013-Oct-20 4:24 pm
I'm thinking it is due to the 2701HG not supporting IPsec pass-through (protocol 50, ESP), but I can't really seem to find a definitive answer on whether it's supported or not.
Can you enable DMZ+ mode on the 2701HG? If I remember correctly, when you do this it will actually pass through the public IP (via DHCP) to your ZyWall with no filtering or firewall/NAT, while still allowing your other NATed clients on the LAN to work normally.

Sarv Atam
LOL, I came to the same conclusion; after doing some research I could not find a definitive answer myself. I will DMZ as you mentioned and I will post back.
Sarv Atam
Here are Shrew configuration file snapshots.

gb5102
to Sarv Atam
I can't stand those integrated modem/router thingies, especially the U-verse ones, since you can't even properly bridge them. Just hope you never have the pleasure of being stuck with their 'business class' NVG510...
gb5102
to Sarv Atam
So guessing it's still not working?

Sarv Atam
I'm getting "The selected device has a static IP address. DMZplus requires that the selected device use DHCP to obtain its IP address." I don't think there's a way to set up the LAN IP to DHCP on the 2x; I would bridge the 2x if it wasn't for the lack of wireless support that the customer requires.
gb5102
Member
2013-Oct-20 4:50 pm
You have to first set up the ZyWall to pull an IP via DHCP so its MAC address will be 'registered' with the NVG. Then in the DMZ+ setting you can select the ZyWall from the list of computers.

gb5102
Member
2013-Oct-20 4:51 pm
Then after you set it to DMZ+ you will likely need to refresh the DHCP lease on the WAN of the ZyWall so it will get the public address.

Sarv Atam
to gb5102
Hmm, in the LAN portion of the 2x I cannot specify DHCP, only an IP. I can in the WAN portion, but I'm not bridging the routers so no use. I thought I had to put 0.0.0.0 in the LAN IP section, but that was a bad move as I can no longer access the 2x. Are you sure you mean the LAN IP needs to be set to DHCP and not the WAN?
gb5102
Member
2013-Oct-20 8:30 pm
Were you able to get back into the ZyWall?
I meant the WAN IP, but I think I see what you're trying to do now, and I don't think it can work without IPsec pass-through on your 2701HG.
I think you can still make this work by connecting the ZyWall's WAN interface to the switch, setting it up as a DHCP client, then enabling DMZ+ in the router (to get the public IP assigned and hopefully pass through the IPsec ESP protocol). Then connect another cable from the switch to a LAN interface (192.168.2.2) on the ZyWall.
Kind of a strange setup: basically you will have 2 routers sharing the same WAN IP and in the same LAN subnet. The ZyWall will be routing the remote access connections coming from the WAN onto the LAN.

Sarv Atam
Unfortunately I could not get back into the 2x; I will have to ask the customer to reset and reconfigure afterwards. One thing I don't understand is why a second cable from the switch to the 2x's LAN port? I'm thinking maybe swapping the 2x with my 2wg, bridging the 2Wire and using it solely as a modem, may be a better solution.