IPSEC Draytek to Zywall - connection dropping a LOT!

Hi
I've recently had to set up a site-to-site connection between a Draytek and a Zyxel 310, but it keeps dropping every 2-3 mins. I have a number of other IPSEC connections which are rock solid, but this new one keeps dropping. I've tried changing a few things and the SA Life on phase 1 and 2, but no joy. Can anyone offer any suggestions please, because I'm stumped!
(some details below)
Zywall Phase 1: IKEv1, LifeTime = 86400, Neg - Main, AES128 SHA1
Phase 2: LifeTime = 3600 (was 86400, made no difference), ESP Tunnel, AES192 SHA1, PFS - none
Draytek Phase 1: IKEv1, LifeTime = 86400, Neg - Main, AES128_SHA1_G1
Phase 2: LifeTime = 3600, IPSEC security - High(ESP), AES with auth AES192_SHA1
RIP - Disable
Which DrayTek model are you using? At any rate, all DrayTek routers have a 'ping IP address to keep alive' option for IPsec tunnels, which you should try if you haven't already.
Thanks for the reply - it's a Draytek Vigor 2830n v2. The keep-alive is on but hasn't appeared to make any difference.
Any suggestions much welcomed!
Brano
MVM
2015-Apr-11 7:33 am
No idea. I used to have USG200 to Draytek2130vgn IPSec site-to-site VPN stable for several years with pretty much the same settings as you have. Since then I've replaced USG with ERL and the VPNs are also stable.
Is it a problem with the VPN? Or perhaps the connection itself? On the USG side I had "Ignore don't fragment" checked in VPN settings.
to SnoopyNoob
Yesterday I talked to the DrayTek support lead about your situation, who suggested an unstable network connection could be the cause. Try contacting them at support@draytek.com. Their customer support department is quite courteous and responsive.
Odd, I didn't get an email notification of your posts... Anyway, I spent hours on it yesterday trying a variety of setups, spoke with the ISP and ran connection tests on the WAN.
The WAN connection is solid at both ends. The ISP is the same as at other sites, but I double-checked with them that nothing was being blocked or that VPN was causing blocks etc. All clear.
In the end I was able to get a solid, stable tunnel only by switching to AH from ESP. Obviously this is far from perfect with an unencrypted tunnel, but I could not get it to last over 1 min 28-30 secs without doing this.
Still stumped by this one...
JPedroT
to SnoopyNoob
Do the logs on the device give any indication?
Are the devices behind NAT, i.e. is there some NAT going on between the ZyWALL and the Draytek?
@brocoli thanks for asking support, I'll mail them tonight.
The logs didn't show much (I'll post them), but the one thing I thought was odd: the Zyxel sends an R_U_THERE to the Draytek and doesn't get an ACK back, which is what all my other tunnels do to Zyxel routers. The Draytek also shows Rx bytes but no Tx bytes with ESP, but when I switch to AH it does. I tried with and without firewall, different phase 1 & 2 auth, checked policy routes etc., but no joy. Just by changing to AH from ESP it works, but I'd rather have the tunnel encrypted.
Brano
MVM
2015-Apr-12 4:54 pm
Have you checked "Ignore don't fragment" on the USG side? If not, make sure it's checked.
Yeah, it's checked on both sides.
gb5102
Member
2015-Apr-12 8:58 pm
Have you tried disabling Dead Peer Detection in the ZyWALL's VPN Gateway config? The 'R_U_THERE' messages are used by DPD; if the ZyWALL is not getting an ack from the other router, then DPD is probably kicking in and killing the connection.
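The DPD mechanism gb5102 points at, as an added example that is not part of the thread or of any Zyxel/DrayTek code: RFC 3706 Dead Peer Detection runs as an IKEv1 informational exchange carrying a Notify payload of type R-U-THERE (36136) or R-U-THERE-ACK (36137), with the two ISAKMP cookies as SPI and a 32-bit sequence number as data. The Python below builds and parses such messages and models an initiator that declares the peer dead after a run of unanswered probes, which is what tears the tunnel down when the ZyWALL's R_U_THERE never gets an ACK. Assumptions: the packets are constructed plaintext (on the wire this exchange is encrypted under the phase 1 SA, so in practice you would parse decrypted payloads or read the router log), the cookies, message ID and sequence numbers are made up, and the three-unanswered-probe threshold is illustrative, not either vendor's default.

```python
"""RFC 3706 (IKEv1 DPD) notify builder/parser plus a liveness tracker.
Added example; packets, cookies, sequence numbers and the DPD threshold
are constructed or assumed, not taken from the thread or a vendor."""
import struct

# ISAKMP header (RFC 2408 s3.1): I-cookie, R-cookie, next payload, version,
# exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Notify payload fixed part (RFC 2408 s3.14): next payload, reserved,
# payload length, DOI, protocol ID, SPI size, notify message type.
NOTIFY_FIXED = struct.Struct("!BBHIBBH")

PAYLOAD_NOTIFY = 11
EXCH_INFORMATIONAL = 5
PROTO_ISAKMP = 1
DPD_R_U_THERE = 36136       # RFC 3706 s3.2
DPD_R_U_THERE_ACK = 36137
DPD_NAMES = {DPD_R_U_THERE: "R_U_THERE", DPD_R_U_THERE_ACK: "R_U_THERE_ACK"}


def build_dpd(icookie: bytes, rcookie: bytes, ntype: int, seq: int) -> bytes:
    """Plaintext informational message with one DPD notify payload.
    SPI = both ISAKMP cookies, data = 32-bit sequence number (RFC 3706)."""
    spi = icookie + rcookie
    data = struct.pack("!I", seq)
    plen = NOTIFY_FIXED.size + len(spi) + len(data)
    payload = NOTIFY_FIXED.pack(0, 0, plen, 1, PROTO_ISAKMP, len(spi), ntype) + spi + data
    # 0x1234 is an arbitrary constructed message ID.
    hdr = ISAKMP_HDR.pack(icookie, rcookie, PAYLOAD_NOTIFY, 0x10,
                          EXCH_INFORMATIONAL, 0, 0x1234, ISAKMP_HDR.size + plen)
    return hdr + payload


def parse_dpd(pkt: bytes):
    """Return {'type': ..., 'seq': ...} for a well-formed DPD notify, else None."""
    if len(pkt) < ISAKMP_HDR.size:
        return None
    icookie, rcookie, nxt, _ver, exch, _flags, _msgid, length = ISAKMP_HDR.unpack_from(pkt, 0)
    if length != len(pkt) or exch != EXCH_INFORMATIONAL or nxt != PAYLOAD_NOTIFY:
        return None
    off = ISAKMP_HDR.size
    if len(pkt) < off + NOTIFY_FIXED.size:
        return None
    _nxt, _res, plen, _doi, proto, spi_size, ntype = NOTIFY_FIXED.unpack_from(pkt, off)
    if off + plen > len(pkt) or proto != PROTO_ISAKMP or ntype not in DPD_NAMES:
        return None
    spi_start = off + NOTIFY_FIXED.size
    spi = pkt[spi_start:spi_start + spi_size]
    data = pkt[spi_start + spi_size:off + plen]
    # DPD binds the notify to the phase 1 SA: the SPI must be the cookie pair.
    if spi != icookie + rcookie or len(data) != 4:
        return None
    return {"type": DPD_NAMES[ntype], "seq": struct.unpack("!I", data)[0]}


class DpdTracker:
    """Simplified initiator-side DPD: after max_unanswered consecutive probe
    intervals with no ACK the peer is marked dead and the SA would be deleted.
    The threshold is an assumption for the example, not a vendor default."""

    def __init__(self, max_unanswered: int = 3):
        self.max_unanswered = max_unanswered
        self.outstanding = set()
        self.unanswered = 0
        self.dead = False

    def probe(self, seq: int) -> None:
        self.outstanding.add(seq)

    def on_ack(self, seq: int) -> None:
        if seq in self.outstanding:      # ignore ACKs for sequences we never sent
            self.outstanding.discard(seq)
            self.unanswered = 0          # any valid ACK proves the peer is alive

    def on_timeout(self) -> None:
        if self.outstanding:
            self.unanswered += 1
            self.dead = self.unanswered >= self.max_unanswered


def simulate(peer_answers: bool, probes: int = 4, max_unanswered: int = 3) -> dict:
    """Push probes through build/parse and the tracker. peer_answers=False is
    the thread's symptom: R_U_THERE goes out, no ACK comes back, tunnel dies."""
    ic, rc = b"\x11" * 8, b"\x22" * 8       # constructed cookies
    tracker = DpdTracker(max_unanswered)
    events = []
    for seq in range(1000, 1000 + probes):  # constructed starting sequence
        req = parse_dpd(build_dpd(ic, rc, DPD_R_U_THERE, seq))
        tracker.probe(req["seq"])
        events.append(req["type"])
        if peer_answers:
            ack = parse_dpd(build_dpd(ic, rc, DPD_R_U_THERE_ACK, seq))
            tracker.on_ack(ack["seq"])
            events.append(ack["type"])
        else:
            tracker.on_timeout()
        if tracker.dead:
            break
    return {"dead": tracker.dead, "events": events}


if __name__ == "__main__":
    print("peer answers:", simulate(True))
    print("peer silent: ", simulate(False))
```

Run it as-is and the silent-peer case stops after three unanswered R_U_THERE probes with `dead` set, while the answering case runs all probes with `dead` false. Disabling DPD on the ZyWALL, as the thread ends up doing, simply removes this tracker from the picture; the cost is that a peer that really has gone away is then only noticed through keep-alive pings or a failed rekey rather than within a few DPD intervals.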
Brano
MVM
2015-Apr-12 9:02 pm
Also, if you have "nailed-up/always-on" enabled, make sure it's enabled only on one side of the tunnel and not on both.
You have nailed it!
DPD was the problem!
Odd that it isn't an issue on the other tunnels, but it's working and encrypted, and that's the main thing.
Thanks again!