SnoopyNoob
join:2015-01-30

SnoopyNoob

Member

IPSEC Draytek to Zywall - connection dropping a LOT!

Hi

I've recently had to set up a site-to-site connection between a Draytek and a Zyxel 310, but it keeps dropping every 2-3 mins. I have a number of other IPSEC connections which are rock solid, but this new one keeps dropping. I've tried changing a few things and the SA Life on phase 1 and 2, but no joy. Can anyone offer any suggestions please, because I'm stumped!

(some details below)

Zywall
Phase 1
IKEv1
LifeTime = 86400
Neg - Main
AES128 SHA1

Phase 2
LifeTime = 3600 (was 86400 made no difference)
ESP
Tunnel
AES192 SHA1
PFS - none

Draytek
Phase 1
Ikev1
LifeTime = 86400
Neg - Main
AES128_SHA1_G1

Phase 2
LifeTime = 3600
IPSEC security - High(ESP) AES with auth
AES192_SHA1

RIP - Disable
broccoli
join:2007-11-29
Portland, OR

broccoli

Member

Which DrayTek model are you using? At any rate, all DrayTek routers have a 'ping IP address to keep alive' option for IPsec tunnels, which you should try if you haven't already.
SnoopyNoob
join:2015-01-30

SnoopyNoob

Member

Thanks for the reply - it's a Draytek Vigor 2830n v2. The keep alive is on but hasn't appeared to make any difference.

Any suggestions much welcomed!

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

Brano

MVM

No idea. I used to have USG200 to Draytek2130vgn IPSec site-to-site VPN stable for several years with pretty much the same settings as you have. Since then I've replaced USG with ERL and the VPNs are also stable.

Is it a problem with VPN? Or perhaps the connection itself? On USG side I had "Ignore don't fragment" checked in VPN settings.
broccoli
join:2007-11-29
Portland, OR

broccoli to SnoopyNoob

Member

Yesterday I talked to the DrayTek support lead about your situation, who suggested an unstable network connection could be the cause. Try contacting them at support@draytek.com. Their customer support department is quite courteous and responsive.
SnoopyNoob
join:2015-01-30

SnoopyNoob

Member

Odd, I didn't get an email notification of your posts... Anyway, I spent hours on it yesterday trying a variety of setups, spoke with the ISP and ran connection tests on the WAN.

WAN connection is solid at both ends.
ISP is the same as other sites, but I double checked with them that nothing was being blocked or VPN causing blocks etc. All clear.

In the end I was able to get a solid, stable tunnel only by switching to AH from ESP. Obviously this is far from perfect with an unencrypted tunnel, but I could not get it to last over 1 min 28-30 secs without doing this.

Still stumped by this one...
JPedroT
Premium Member
join:2005-02-18

JPedroT to SnoopyNoob

Premium Member

Do the logs on the device give any indications?

Are the devices behind NAT, i.e. is there some NAT going on between the ZyWALL and the Draytek?
SnoopyNoob
join:2015-01-30

SnoopyNoob

Member

@broccoli thanks for asking support, I'll mail them tonight.

The logs didn't show much (I'll post them), but the only thing I thought was odd: the Zyxel sends a R_U_THERE to the Draytek and it doesn't get an ACK back - which is what all my other tunnels do to Zyxel routers. The Draytek also shows Rx bytes but no Tx bytes with ESP, but when I switch to AH it does. I tried with and without firewall, different phase 1 & 2 auth, checked policy routes etc. but no joy. But just by changing to AH from ESP it works, but I'd rather have the tunnel encrypted.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

Brano

MVM

Have you checked "Ignore don't fragment" on USG side? If not, make sure it's checked.
SnoopyNoob
join:2015-01-30

SnoopyNoob

Member

Yeah, it's checked on both sides.
gb5102
join:2003-10-07
Saint Paul, MN

gb5102

Member

Have you tried disabling Dead Peer Detection in the ZyWALL's VPN Gateway config? The 'R_U_THERE' messages are used by DPD; if the ZyWALL is not getting an ack from the other router, then DPD is probably kicking in and killing the connection.
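
The behaviour gb5102 describes (probes sent, no acknowledgement, tunnel torn down) is easy to see in a small model of DPD. The following is an added example, not code from the thread or from Zyxel or DrayTek: it parses constructed IKE log lines in a simplified format, counts R_U_THERE probes that never got an R_U_THERE_ACK, and runs a DPD state machine over them. The log format, the peer address and the retry threshold are assumptions chosen for illustration; real ZyWALL and DrayTek logs and defaults look different.

```python
"""
Dead Peer Detection (RFC 3706 style) as a small state machine driven by
IKE log lines.  Added example, not part of the original thread; the log
format, peer address and retry threshold are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample logs: "HH:MM:SS peer event seq=N".
# Scenario A mirrors the thread: probes go out, the far end never answers.
LOG_NO_ACK = """\
00:00:10 10.0.0.2 R_U_THERE seq=1
00:00:20 10.0.0.2 R_U_THERE seq=2
00:00:30 10.0.0.2 R_U_THERE seq=3
00:00:40 10.0.0.2 R_U_THERE seq=4
"""

# Scenario B: a healthy peer that acknowledges every probe.
LOG_WITH_ACK = """\
00:00:10 10.0.0.2 R_U_THERE seq=1
00:00:11 10.0.0.2 R_U_THERE_ACK seq=1
00:00:20 10.0.0.2 R_U_THERE seq=2
00:00:21 10.0.0.2 R_U_THERE_ACK seq=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<peer>\S+) "
    r"(?P<event>R_U_THERE(?:_ACK)?) seq=(?P<seq>\d+)$"
)


def parse_log(text):
    """Return (timestamp, peer, event, seq) tuples for DPD lines; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["peer"], m["event"], int(m["seq"])))
    return events


def unacked_probes(text):
    """Triage helper: how many R_U_THERE probes never received a matching ACK."""
    sent, acked = set(), set()
    for _ts, _peer, event, seq in parse_log(text):
        (acked if event.endswith("_ACK") else sent).add(seq)
    return len(sent - acked)


@dataclass
class DpdState:
    enabled: bool = True
    max_unanswered: int = 3          # constructed threshold before the peer is declared dead
    outstanding: set = field(default_factory=set)
    unanswered: int = 0
    sa_up: bool = True
    history: list = field(default_factory=list)

    def on_event(self, ts, event, seq):
        # With DPD disabled (or the SA already gone) nothing happens: this is
        # why turning DPD off on the ZyWALL keeps the tunnel up.
        if not self.enabled or not self.sa_up:
            return
        if event == "R_U_THERE":
            self.outstanding.add(seq)
            self.unanswered += 1
            self.history.append(f"{ts} probe seq={seq} sent ({self.unanswered} unanswered)")
            if self.unanswered > self.max_unanswered:
                self.sa_up = False
                self.history.append(f"{ts} peer declared dead, SA deleted")
        elif event == "R_U_THERE_ACK":
            # An ACK is only proof of life if it answers a probe we actually sent.
            if seq in self.outstanding:
                self.outstanding.clear()
                self.unanswered = 0
                self.history.append(f"{ts} ack seq={seq} received, peer alive")
            else:
                self.history.append(f"{ts} stray ack seq={seq} ignored")


def run_dpd(text, enabled=True, max_unanswered=3):
    """Replay a log through the DPD state machine and return the final state."""
    state = DpdState(enabled=enabled, max_unanswered=max_unanswered)
    for ts, _peer, event, seq in parse_log(text):
        state.on_event(ts, event, seq)
    return state


if __name__ == "__main__":
    for name, log in (("no ack", LOG_NO_ACK), ("with ack", LOG_WITH_ACK)):
        st = run_dpd(log)
        print(f"{name}: unacked={unacked_probes(log)} sa_up={st.sa_up}")
        for line in st.history:
            print("  ", line)
    print("no ack, DPD disabled: sa_up =", run_dpd(LOG_NO_ACK, enabled=False).sa_up)
```

Replaying scenario A shows the SA deleted on the fourth unanswered probe, which matches the "tunnel drops after a minute or two" symptom; the same log with DPD disabled leaves the SA up. The `unacked_probes` count is the quick check to run over a real log before touching settings: a non-zero count with a peer that is otherwise passing traffic points at a DPD implementation mismatch rather than a dead link.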

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

Brano

MVM

Also, if you have "nailed-up/always-on" enabled make sure it's enabled only on one side of the tunnel and not on both.
SnoopyNoob
join:2015-01-30

SnoopyNoob

Member

You have nailed it!

DPD was the problem!

Odd that it isn't an issue on the other tunnels - but it's working and encrypted, and that's the main thing.

Thanks again!