dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1073
share rss forum feed

Zyxu

join:2012-09-24

1 edit

Site-to-Site IPSec VPN between USG 20 & 50, behind ISP modem/routers

Hi,

I have to connect a Site-to-Site IPSec VPN between an USG20 and an USG50, which are both behind ISP modem/routers. I can't put the ISP modem/routers in bridge to keep the home phones working...
I set the DMZ IP in the modem/router as the USG WAN1 IP, this way all inbound traffic is forwarded to WAN1 USG. NAT behind NAT works for RDP for example, when I use the WAN1 IP as original IP and client computer IP as mapped IP. I have to create policy route for each NAT rule to make it working. So the NAT is working well in both USG now, the problem is that the public IPs are not owned by the USGs but by the ISP modems...
In the IPSec VPN GW, if I set the public IP in "My Address" it don't works. I suspect that this is the reason of the problem because all is set as usual but the connection fails. There is no error in the log, only that : IKE ISAKMP SA [VPN_GW] is disconnected 1.2.3.4:500 9.8.7.6:500
IKE_LOG 259 2014-02-23 15:22:38 info IKE The cookie pair is : 0xc8f***********7 / 0x0000000000000000.

Do I have to create policy routes for IKE, ESP or what ever from ZYWALL or Tunnel to élocal public IP to force the IPSec trafic ?

If you have any idea to make it works.

Thank you in advance for your help, best regards,

PS : Excuse my bad English...


fluffybunny

@cipherkey.net
IPSec is not designed to work through double NAT. However you can get it to work after a bit of effort. search on smallnetbuilder for How To: Getting VPN to work through NAT firewalls and follow the instructions there.


superataru

join:2004-12-07
Kearny, NJ
reply to Zyxu
USG's local WAN address, in VPN policies, must be the real wan-iface IP address. If it's 10.0.0.1 ... just set it. Remote will be that remote router.
Maybe, also NAT-T feature could be needed to work.
UDP 500 and 4500 should be forwarded to USGs' wan ifaces.

Gtrz

Zyxu

join:2012-09-24
First I would like apologize for the delay...

Thanks Dude ! I can now see activity between routers !

I changed router1 to take public IP (With ISP router as modem only now) 1.2.3.4 and let the other side (router2) behind NAT of the ISP modem/router (which froward all ports to the router2 WAN1 IP) as is (10.0.0.2).

VPN GW:

I set VPN GW both sides with the Interface choice (wan1) under "My Address". In authentication, I let the public IP both sides (I will try to change it for the router2 WAN1 real IP : 10.0.0.2).

In the Phase 1 Settings, I set SA Life Time : 86400, Negotiation Mode : Main, Proposal Encryrption AES128 and Auth SHA1 and finally Key Group DH1. I checked Nat traversal both sides.

I receive na error Mesage from time to time when I click OK to validate VPN GW settings :
CLI Number: 1
Error Number: -1 Error
Message: 'Parse error/command not found!'

VPN Connection:

Nailed-Up checked, MSS Adjustement in Auto, Remote and Local Policies as usual, Policy Enforcement not checked.

Phase 2 Settings: SA Life Time: 86400, Active Protocol: ESP, Encapsulation: Tunnel, Proposal Encryption AES128 and Auth SHA1
Perfect Forward Secrecy (PFS): DH1.
All below check boxes not checked.

When I lainch the VPN connection from router1 I receive these errors in the log :

info IKE Send:[NOTIFY:NO_PROPOSAL_CHOSEN] 10.0.0.2:500 1.2.3.4:500 IKE_LOG

info IKE [SA] : No proposal chosen 10.0.0.2:500 1.2.3.4:500 IKE_LOG

info IKE The cookie pair is : 0xnd3849rfh9483f9 / x0000000000000000 1.2.3.4:500 10.0.0.2:500

Recv Main Mode request from [1.2.3.4]

The cookie pair is : 0x345ab26d2f00860d / 0xsdnx3278rz348h

Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID]

Any idea ?

Thank you in adfvance for your help !

Zyxu

join:2012-09-24
All is working fine now ! Thank you very much !

I set the encryption to first 256, then 192 and finally 128 bits, where can I find the accepted and current encryption. I didn't see it in the log.

Thanks again.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
Monitor -> VPN Monitor -> IPSec


Zyxuu

@as5577.net
Thank you Brano !

Zyxu

join:2012-09-24
reply to Zyxu
Hello, It's me again

So I would like understand why to allow trafic between router1 to Router2 LAN SUBNETS I had to create a rule that allows any to Zywall (IPV4 source: Router1 LAN, IPV4 destination: Router2 LAN SUBNET) and vice versa ?
How to precise these rules ? I tried to replace any by IPSec VPN, WAN or Tunnel with no luck...

Thank you in advance for your help !