
Crazyboyz

join:2004-03-04
Laval, QC

ZyWall 2x VPN Client?

Hey guys, it's been a while since I've been on DSL Reports..

Initially I started off with a ZyWall 2x at both my office and home after I got a recommendation from Anav many years ago. I moved up to the 2wg for my office and the NBG5715; although I had great results with the 2wg, the NBG5715 has been nothing short of a fiasco.. VPN was not working properly, and it's thanks to me pushing on many occasions and complaining that the new firmware came out..

Anyhow, now on to my question: I have a ZyWall 2x lying around and a customer of mine asked for a low-cost VPN solution. Knowing the unit still works flawlessly, I was wondering where I can get the VPN client that works in conjunction with the router.

Thx


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
You can try the Draytek VPN client »VPN client from DrayTek

But really, the Z2X is way too old; it will limit any modern connection speeds. Consider upgrading.


Crazyboyz

join:2004-03-04
Laval, QC
The customer is cheap and will have only 1 person from Florida connecting to the server in order to access this program called "fishbowl"..

I was planning on bridging the 2x to their actual router, disabling DHCP and using it for its VPN functionality.. What do you think? Will I run into issues?

Also, I read up on some posts and was told to install the following client:

»www.shrew.net/support/wiki/HowtoZywall

Last but not least, I'm also considering upgrading my own ZyWall 2wg for the U20w and offering the 2wg to my customer as a better solution. How much do you think a fair price would be for the 2wg? And considering I'm using it at my home office, is it worth doing the upgrade?

Thanks for your time Brano, you've always helped out through all the years I've used Zyxel.

Samy


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
The 2x will work as a VPN endpoint with a proper client connecting to it. Shrew should work.

As for price, I hate to say it, but personally I would not pay more than $20 for 2x or 2wg. Any new $40 router with WRT derivative will beat it today.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
2x = recycle at your local depot for electronics


Crazyboyz

join:2004-03-04
Laval, QC
reply to Crazyboyz
Would you consider the U20w a good replacement for the 2wg? Should I upgrade, or should I consider something from Cisco or SonicWall?


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
I would probably only consider wired routers and use a separate device for WiFi. For example, at home I have a Linksys, a Trendnet and an ASUS wifi router as access points serving three floors. In this way I can place the wifi radio where it best suits the house vice next to the router. As well, it's much easier to change out an ancillary wifi device, as the technology tends to change faster.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
reply to Crazyboyz
Also, there are new models coming out; it really depends on your needs. And the UTM portion of the USG is seriously under-powered. That said, the USG20 is still a pretty good deal for the money. ...It all depends on what you need it for and what the budget is.

But I agree with Alex, separate AP is the way to go.


Crazyboyz

join:2004-03-04
Laval, QC
reply to Crazyboyz
Guys, for learning purposes I tried setting up Shrew with the 2x, yet I am not sure of a couple of things..

I'm not sure what needs to be entered for Peer ID Type & Content; any suggestions?

Thanks again for all your time and suggestions


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
It can be anything, but it has to be the same on both ends. Local ID = Remote ID. The content can be made up or real; it does not matter, it's just a string that has to match.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
I use a fake email address in my VPN setup:

AnavIsBranos@hero.com


Crazyboyz

join:2004-03-04
Laval, QC
reply to Crazyboyz
Thanks guys, but I still can't get the VPN up and running. Do I need to open any ports on the main router?

Here are some screenshots; unfortunately I'm still a beginner with this type of setup and your input is really appreciated.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to Crazyboyz
Trying to find you old examples of setups..........

»ZyWall to ZyWall VPN tunnel setup example

Another perhaps related issue
»Zywall 2 Plus VPN setup problem... connected but not pinging
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to Crazyboyz
Other stuff that may help.......
»ftp://ftp.zyxel.com/ZyWALL_2_Plus/supp···4.03.pdf

»ec1.images-amazon.com/media/i3d/···4529.pdf

There used to be support notes and these usually had examples; I just can't find them now for the 2x.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
reply to Crazyboyz
If this is behind another router then you need to forward ports UDP 500 and UDP 4500 and allow VPN pass-through.


Crazyboyz

join:2004-03-04
Laval, QC

reply to Crazyboyz
Thanks Anav for all the links. I think my knowledge of VPNs is not advanced enough to troubleshoot the problem..

I used the steps provided by Shrew to set up everything but I can't get it to connect. I'm actually thinking of maybe going with the Zyxel VPN client; it should be easier to configure, right? At least I can get support on it from Zyxel..

Brano, I opened UDP ports 500 & 4500 on the 2wire router/modem but could not find any IPsec passthrough option; I googled but couldn't find anything on it either..

Overall I'm wondering if there's a way to debug the VPN settings in order to find the problem; too many variables makes it almost impossible for me to find the issue. Looks like some sort of negotiation is being done but not completing..

10/19/2013 01:27:13 Rule [1] IKE packet retransmit count reached IPSEC
3 10/19/2013 01:26:41 !! IKE Packet Retransmit 192.168.2.2 174.92.159.141 IKE
4 10/19/2013 01:26:25 !! IKE Packet Retransmit 192.168.2.2 174.92.159.141 IKE
5 10/19/2013 01:26:17 !! IKE Packet Retransmit 192.168.2.2 174.92.159.141 IKE
6 10/19/2013 01:26:13 Send:[SA][KE][NONCE][ID][HASH][VID] 192.168.2.2 174.92.159.141 IKE
7 10/19/2013 01:26:11 Recv:[SA][KE][NONCE][ID][VID][VID][ 174.92.159.141 192.168.2.2 IKE
8 10/19/2013 01:26:11 Recv Aggressive Mode request from [174.92.159.141] 174.92.159.141 192.168.2.2 IKE
9 10/19/2013 01:26:11 Rule [1] Receiving IKE request 174.92.159.141 192.168.2.2 IKE
10 10/19/2013 01:25:12 Rule [1] IKE packet retransmit count reached IPSEC
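The log above does answer the "is there a way to debug this" question if it is read as a state machine: the ZyWALL (192.168.2.2) received an aggressive-mode request from 174.92.159.141, sent its reply, then retransmitted that reply three times and gave up, so the exchange died between message 2 and message 3. The script below is an added example written for this thread, not code from ZyXEL, Shrew or anyone in the discussion. It parses the log rows exactly as posted (embedded as a constructed sample, newest row first as the ZyWALL viewer shows them), puts them in time order, finds the latest attempt, and reports the stage it stopped at together with the checks that follow from Brano's port-forwarding advice and from the general facts that RFC 1918 addresses imply an upstream NAT and that ESP (IP protocol 50) carries no port numbers. The function names, the regular expression and the wording of the checks are this example's own assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample: the ZyWALL 2x rows posted in the thread, copied as text.
# The ZyWALL log viewer lists the newest row first, so the oldest event is last.
SAMPLE_LOG = """\
10/19/2013 01:27:13 Rule [1] IKE packet retransmit count reached IPSEC
10/19/2013 01:26:41 !! IKE Packet Retransmit 192.168.2.2 174.92.159.141 IKE
10/19/2013 01:26:25 !! IKE Packet Retransmit 192.168.2.2 174.92.159.141 IKE
10/19/2013 01:26:17 !! IKE Packet Retransmit 192.168.2.2 174.92.159.141 IKE
10/19/2013 01:26:13 Send:[SA][KE][NONCE][ID][HASH][VID] 192.168.2.2 174.92.159.141 IKE
10/19/2013 01:26:11 Recv:[SA][KE][NONCE][ID][VID][VID][ 174.92.159.141 192.168.2.2 IKE
10/19/2013 01:26:11 Recv Aggressive Mode request from [174.92.159.141] 174.92.159.141 192.168.2.2 IKE
10/19/2013 01:26:11 Rule [1] Receiving IKE request 174.92.159.141 192.168.2.2 IKE
10/19/2013 01:25:12 Rule [1] IKE packet retransmit count reached IPSEC
"""

# Row layout (assumed from the posted rows): date, time, message, optional
# "src dst" address pair, then the category column (IKE or IPSEC).
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) (?P<msg>.*?)"
    r"(?: (?P<src>" + IP + r") (?P<dst>" + IP + r"))? (?P<cat>IKE|IPSEC)$"
)


@dataclass
class Event:
    ts: datetime
    msg: str
    src: Optional[str]
    dst: Optional[str]
    cat: str


def parse_log(text: str) -> List[Event]:
    """Parse ZyWALL log rows and return them oldest first."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError("unrecognised log row: %r" % raw)
        ts = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%Y %H:%M:%S")
        events.append(Event(ts, m["msg"], m["src"], m["dst"], m["cat"]))
    # Reverse the viewer order, then stable-sort so rows sharing a second keep it.
    return sorted(reversed(events), key=lambda e: e.ts)


def split_attempts(events: List[Event]) -> List[List[Event]]:
    """Group events per negotiation; each 'Receiving IKE request' starts a new one."""
    attempts: List[List[Event]] = [[]]
    for e in events:
        if "Receiving IKE request" in e.msg:
            attempts.append([])
        attempts[-1].append(e)
    # attempts[0] is the tail of an attempt whose start was not logged (row 10).
    return attempts[1:]


def diagnose(text: str) -> dict:
    """Say where the latest IKE phase 1 exchange stopped, from the responder's view."""
    attempts = split_attempts(parse_log(text))
    if not attempts:
        return {"stage": "no IKE request logged",
                "checks": ["nothing reached the ZyWALL on UDP 500: check forwarding first"]}
    last = attempts[-1]
    local, peer = last[0].dst, last[0].src          # from the 'Receiving IKE request' row
    aggressive = any("Aggressive Mode" in e.msg for e in last)
    sent_reply = any(e.msg.startswith("Send:") and "[HASH]" in e.msg for e in last)
    got_msg3 = any(e.msg.startswith("Recv:") and "[HASH]" in e.msg for e in last)
    retransmits = sum("Packet Retransmit" in e.msg for e in last)
    gave_up = any("retransmit count reached" in e.msg for e in last)

    # Aggressive mode: msg1 = peer's SA/KE/NONCE/ID, msg2 = our reply carrying HASH,
    # msg3 = peer's HASH. A reply that is resent and never answered means msg3 never came.
    if not aggressive:
        stage = "main mode exchange: payload sequence not modelled here"
    elif not sent_reply:
        stage = "responder never answered message 1 (check the phase 1 proposal and IDs)"
    elif not got_msg3:
        stage = "responder sent message 2, never received message 3"
    else:
        stage = "phase 1 completed"

    behind_nat = bool(local) and ipaddress.ip_address(local).is_private
    checks = []
    if stage.startswith("responder sent message 2"):
        checks.append("the request from %s arrived, so the inbound path works; the reply from %s "
                      "was never acknowledged, so look at the return path and the client's own log"
                      % (peer, local))
        if behind_nat:
            checks.append("%s is a private address, so an upstream NAT sits in front of the "
                          "ZyWALL: forward UDP 500 and UDP 4500 to it" % local)
            checks.append("ESP (IP protocol 50) has no port numbers and does not survive NAT: "
                          "pass it through to the ZyWALL or have both ends use NAT-T on UDP 4500")
        checks.append("a client silently drops a reply it cannot verify: Local ID on one side "
                      "must equal Remote ID on the other, same ID type, same pre-shared key")
    if gave_up:
        checks.append("retransmit limit hit after %d resends: the ZyWALL abandoned this attempt"
                      % retransmits)
    return {"mode": "aggressive" if aggressive else "main", "stage": stage, "local": local,
            "peer": peer, "local_behind_nat": behind_nat, "retransmits": retransmits,
            "gave_up": gave_up, "started": last[0].ts, "checks": checks}


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print("%s: %s (%s -> %s)" % (report["started"], report["stage"], report["peer"], report["local"]))
    for c in report["checks"]:
        print(" -", c)
```

Paste a ZyWALL log export in place of SAMPLE_LOG to run it against a live capture. The split into attempts matters: row 10 in the posted log is the give-up of a previous try, and treating it as part of the current one would make the script report that the exchange failed before it began.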


Crazyboyz

join:2004-03-04
Laval, QC
reply to Brano
I'm forwarding the UDP ports to the ZyWall's IP and the server behind it, right?


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
OK, I'm really confused about your setup. Let's back up a bit please. Post a diagram of your network... modem, main gateway router, ZyWall, server, LAN. ...Let's get a clear understanding of how things are and what the desired end state is.


Crazyboyz

join:2004-03-04
Laval, QC
reply to Crazyboyz
(image attached)

gb5102

join:2003-10-07
Saint Paul, MN
kudos:2
I'm thinking it is due to the 2701HG not supporting IPsec passthrough (protocol 50, ESP), but I can't really seem to find a definitive answer on whether it's supported or not.

Can you enable DMZ+ mode on the 2701HG? If I remember correctly, when you do this it will actually pass through the public IP (via DHCP) to your ZyWall with no filtering or firewall/NAT, while still allowing your other NAT'ed clients on the LAN to work normally.


Crazyboyz

join:2004-03-04
Laval, QC
LOL, I came to the same conclusion; after doing some research I could not find a definitive answer myself.. I will DMZ as you mentioned and I will post back.


Crazyboyz

join:2004-03-04
Laval, QC
reply to Crazyboyz
Here are the Shrew configuration file snapshots (images attached).

gb5102

join:2003-10-07
Saint Paul, MN
kudos:2
reply to Crazyboyz
I can't stand those integrated modem/router thingies... especially the U-verse ones, since you can't even properly bridge them... Just hope you never have the pleasure of being stuck with their 'business class' NVG510...

gb5102

join:2003-10-07
Saint Paul, MN
kudos:2
reply to Crazyboyz
So, guessing it's still not working?


Crazyboyz

join:2004-03-04
Laval, QC
I'm getting "The selected device has a static IP address. DMZplus requires that the selected device use DHCP to obtain its IP address." I don't think there's a way to set the LAN IP to DHCP on the 2x; I would bridge the 2x if it wasn't for the lack of wireless support that the customer requires..

gb5102

join:2003-10-07
Saint Paul, MN
kudos:2
You have to first set up the ZyWall to pull an IP via DHCP so its MAC address will be 'registered' with the NVG. Then in the DMZ+ setting you can select the ZyWall from the list of computers.

gb5102

join:2003-10-07
Saint Paul, MN
kudos:2
Then, after you set it to DMZ+, you will likely need to refresh the DHCP lease on the WAN of the ZyWall so it will get the public address.


Crazyboyz

join:2004-03-04
Laval, QC
reply to gb5102
Hmm, in the LAN portion of the 2x I cannot specify DHCP, only an IP; I can in the WAN portion, but I'm not bridging the routers so no use.. I thought I had to put 0.0.0.0 in the LAN IP section but that was a bad move, as I can no longer access the 2x.

Are you sure you mean the LAN IP needs to be set to DHCP and not the WAN?

gb5102

join:2003-10-07
Saint Paul, MN
kudos:2
Were you able to get back into the zywall?

I meant WAN IP, but I think I see what you're trying to do now and I don't think it can work without IPsec passthrough on your 2701HG.

I think you can still make this work by connecting the ZyWall's WAN interface to the switch, setting it up as a DHCP client, then enabling DMZ+ in the router (to get the public IP assigned and hopefully pass through the IPsec ESP protocol). Then connect another cable from the switch to a LAN interface (192.168.2.2) on the ZyWall.

Kind of a strange setup... basically you will have 2 routers sharing the same WAN IP and in the same LAN subnet. The ZyWall will be routing the remote access connections coming from the WAN onto the LAN.


Crazyboyz

join:2004-03-04
Laval, QC
Unfortunately I could not get back into the 2x; I will have to ask the customer to reset it and reconfigure afterwards..

One thing I don't understand is why a second cable from the switch to the 2x's LAN port?

I'm thinking maybe swapping the 2x with my 2wg, bridging the 2wire and using it solely as a modem may be a better solution.