Site-to-Site IPSec VPN between USG 20 & 50, behind ISP modem/routers
I have to connect a Site-to-Site IPSec VPN between a USG20 and a USG50, which are both behind ISP modem/routers. I can't put the ISP modem/routers in bridge mode, to keep the home phones working...
I set the DMZ IP in the modem/router as the USG WAN1 IP; this way all inbound traffic is forwarded to the USG WAN1. NAT behind NAT works for RDP, for example, when I use the WAN1 IP as the original IP and the client computer IP as the mapped IP. I have to create a policy route for each NAT rule to make it work. So the NAT is working well in both USGs now; the problem is that the public IPs are not owned by the USGs but by the ISP modems...
In the IPSec VPN GW, if I set the public IP in "My Address" it doesn't work. I suspect that this is the reason for the problem, because everything is set as usual but the connection fails. There is no error in the log, only this: IKE ISAKMP SA [VPN_GW] is disconnected 126.96.36.199:500 188.8.131.52:500
IKE_LOG 259 2014-02-23 15:22:38 info IKE The cookie pair is : 0xc8f***********7 / 0x0000000000000000.
Do I have to create policy routes for IKE, ESP or whatever from ZyWALL or Tunnel to the local public IP to force the IPSec traffic?
If you have any idea to make it work...
Thank you in advance for your help, best regards,
PS : Excuse my bad English...
IPSec is not designed to work through double NAT. However, you can get it to work after a bit of effort. Search on SmallNetBuilder for "How To: Getting VPN to work through NAT firewalls" and follow the instructions there.
The USG's local WAN address, in VPN policies, must be the real WAN interface IP address. If it's 10.0.0.1 ... just set it. Remote will be that remote router.
Also, the NAT-T feature may be needed for it to work.
UDP 500 and 4500 should be forwarded to the USGs' WAN interfaces.
First I would like to apologize for the delay...
Thanks, dude! I can now see activity between routers!
I changed router1 to take the public IP (with the ISP router as modem only now) 184.108.40.206 and left the other side (router2) behind the NAT of the ISP modem/router (which forwards all ports to the router2 WAN1 IP) as is (10.0.0.2).
I set the VPN GW on both sides with the Interface choice (wan1) under "My Address". In authentication, I left the public IP on both sides (I will try to change it to the router2 WAN1 real IP: 10.0.0.2).
In the Phase 1 Settings, I set SA Life Time: 86400, Negotiation Mode: Main, Proposal Encryption AES128 and Auth SHA1, and finally Key Group DH1. I checked NAT traversal on both sides.
I receive an error message from time to time when I click OK to validate the VPN GW settings:
CLI Number: 1
Error Number: -1 Error
Message: 'Parse error/command not found!'
Nailed-Up checked, MSS Adjustment in Auto, Remote and Local Policies as usual, Policy Enforcement not checked.
Phase 2 Settings: SA Life Time: 86400, Active Protocol: ESP, Encapsulation: Tunnel, Proposal Encryption AES128 and Auth SHA1,
Perfect Forward Secrecy (PFS): DH1.
All check boxes below not checked.
When I launch the VPN connection from router1 I receive these errors in the log:
info IKE Send:[NOTIFY:NO_PROPOSAL_CHOSEN] 10.0.0.2:500 220.127.116.11:500 IKE_LOG
info IKE [SA] : No proposal chosen 10.0.0.2:500 18.104.22.168:500 IKE_LOG
info IKE The cookie pair is : 0xnd3849rfh9483f9 / x0000000000000000 22.214.171.124:500 10.0.0.2:500
Recv Main Mode request from [126.96.36.199]
The cookie pair is : 0x345ab26d2f00860d / 0xsdnx3278rz348h
Any idea?
Thank you in advance for your help!
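The two problems raised in this thread, the NAT-T / UDP 500 and 4500 advice and the NO_PROPOSAL_CHOSEN log lines above, can be triaged from the IKE log alone. The script below is an added example, not code from the thread or from Zyxel: it models how an IKE responder picks a proposal (returning nothing when the peers' encryption, authentication or DH/PFS settings differ, which is what the USG logs as NO_PROPOSAL_CHOSEN) and scans constructed log lines, patterned on the ones quoted above, for a NAT-ed peer that never shows UDP 4500 traffic. The log text, the addresses and the function names are all assumptions made for the example.

```python
import re
import ipaddress
from dataclasses import dataclass

# Constructed IKE log lines modelled on the thread's output (addresses and
# message text are illustrative, not a real capture).
SAMPLE_LOG = """\
info IKE Send:[NOTIFY:NO_PROPOSAL_CHOSEN] 10.0.0.2:500 203.0.113.10:500 IKE_LOG
info IKE [SA] : No proposal chosen 10.0.0.2:500 203.0.113.10:500 IKE_LOG
info IKE Recv Main Mode request from [203.0.113.10]
info IKE ISAKMP SA [VPN_GW] is disconnected 10.0.0.2:500 203.0.113.10:500
"""

# RFC 1918 ranges; an IKE peer using one of these sits behind NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Proposal:
    encryption: str  # e.g. "AES128"
    auth: str        # e.g. "SHA1"
    dh_group: str    # phase 1 key group, or PFS group in phase 2 (e.g. "DH1")


def choose_proposal(initiator, responder):
    """Responder-side selection: the first initiator proposal the responder
    also offers. None means no match, i.e. NO_PROPOSAL_CHOSEN."""
    accepted = set(responder)
    for proposal in initiator:
        if proposal in accepted:
            return proposal
    return None


ENDPOINTS_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)
NOTIFY_RE = re.compile(r"NOTIFY:(?P<notify>[A-Z_]+)")


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def triage_ike_log(text):
    """Collect IKE notify types, whether a NAT-ed (RFC 1918) peer appears, and
    whether any exchange used the NAT-T port 4500."""
    findings = {"notifies": [], "nat_suspected": False, "nat_t_port_seen": False}
    for line in text.splitlines():
        m = NOTIFY_RE.search(line)
        if m:
            findings["notifies"].append(m.group("notify"))
        e = ENDPOINTS_RE.search(line)
        if e:
            if is_rfc1918(e.group("src")) or is_rfc1918(e.group("dst")):
                findings["nat_suspected"] = True
            if "4500" in (e.group("sport"), e.group("dport")):
                findings["nat_t_port_seen"] = True
    return findings


def explain(findings):
    """Turn the findings into the two checks a USG admin would make next."""
    hints = []
    if "NO_PROPOSAL_CHOSEN" in findings["notifies"]:
        hints.append("NO_PROPOSAL_CHOSEN: phase 1 / phase 2 proposals differ between peers; "
                     "compare encryption, authentication and DH/PFS group on both USGs")
    if findings["nat_suspected"] and not findings["nat_t_port_seen"]:
        hints.append("RFC 1918 address in the IKE exchange but no UDP 4500 traffic: "
                     "enable NAT traversal and forward UDP 500 and 4500 to the USG WAN interface")
    return hints


if __name__ == "__main__":
    # Mismatched phase 1 proposals (AES256 offered, AES128 accepted) -> None.
    print(choose_proposal([Proposal("AES256", "SHA1", "DH1")],
                          [Proposal("AES128", "SHA1", "DH1")]))
    for hint in explain(triage_ike_log(SAMPLE_LOG)):
        print("-", hint)
```

Run it as-is to see both hints printed for the sample log; feeding it a real USG log export works the same way as long as the lines keep the `src:port dst:port` layout shown above.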
All is working fine now! Thank you very much!
I set the encryption first to 256, then 192 and finally 128 bits. Where can I find the accepted and current encryption? I didn't see it in the log.
Brano
Monitor -> VPN Monitor -> IPSec
Thank you, Brano!
Hello, it's me again.
So I would like to understand why, to allow traffic between the router1 and router2 LAN subnets, I had to create a rule that allows any to ZyWALL (IPv4 source: Router1 LAN, IPv4 destination: Router2 LAN subnet) and vice versa?
How can I make these rules more precise? I tried to replace "any" with IPSec VPN, WAN or Tunnel with no luck...
Thank you in advance for your help!