robr (Member, join:2005-04-16, 02101)
zywall 35 vpn configuration

Love the new Zywall, thanks for the recommendation. I have it doing just about everything I need except VPN. The user manual that came with it really only discusses configuring the router to connect to another Zywall via VPN, not configuring it for client connections. Can someone point me to any info on how to configure it for that? I assume I'll also need the Zywall VPN software, hopefully Zyxel makes it easier to get to than Cisco does. Thanks!

JimPletcher (Premium Member, join:2004-04-05, Enola, PA)
Check out the support notes at: »us.zyxel.com/support/pro ··· zywall35

robr (Member, join:2005-04-16, 02101)
Thanks. Have a pointer to the VPN software? I can't find it in the software download library, and the only CDs that came with this thing are the Vantage Report CD and the ZyWall 35 documentation CD.

I think I have the VPN and RADIUS stuff configured and want to give this a try.

janderso1 / Jim (MVM, join:2000-04-15, Saint Petersburg, FL)
The Zyxel VPN client isn’t free (street price about $50 quantity one).

robr (Member, join:2005-04-16, 02101)
You have to be kidding me. I thought Cisco was bad... sigh, OK, time to look at the alternatives.

Anav (Premium Member, join:2001-07-16, Dartmouth, NS) to robr
Why not get the ZyWALL P1 instead? It's a portable VPN router!
You know the ole saying, TWIX Clients are for Kids!

robr (Member, join:2005-04-16, 02101)
One more thing for people to carry around in their laptop bags and potentially break and lose, and an added expense?
I'll try the free client route first... next stop, MS IPsec.

janderso1 / Jim (MVM, join:2000-04-15, Saint Petersburg, FL)
Here is a free client, but it is a very old version and may have problems with XP.
»ftp.up.ac.za/pub/linux/s ··· entinel/
I am currently using the Netgear Client (about $40)
»www.amazon.com/exec/obid ··· -7491035
but they don't supply free updates. How many licenses do you need?

It is difficult to get the MS client to work if the host doesn't have a static IP address.

robr (Member, join:2005-04-16, 02101)
Probably 5 clients. The VPN host does have a static IP; only the clients have dynamic IPs.

Anav (Premium Member, join:2001-07-16, Dartmouth, NS) to robr
Netgear sells it cheap by the five pack, not sure which version it is though.

DavidJWood (Premium Member, join:2001-10-12, UK) to robr
Setup information for the ZyXEL client (or any of the rebrands of Safenet SoftRemote LT) can be found at »ZyWALL 3.64 firmware / ZyWALL VPN client setup

Despite the thread title, the information is just as valid for 4.00 as 3.64 (the significance of 3.64 is that the ZyWALLs got new VPN code from 3.64 onwards).

There's not much hope of getting the MS IPsec stuff working in a dynamic IP scenario, though it may be possible with static IP.

The ZyXEL branded client is pretty cheap in the UK - one of the few things that is! The Netgear branded version may be cheaper, but apparently it can be hard to get updates. You need at least 10.3.5 Build 6 for Windows XP SP2 support.

David

maxusa (Premium Member, join:2004-05-05, USA) to Anav
Netgear ProSafe VPN Client = rebranded SafeNet SoftRemoteLT 10.3.5 (Build 6). The 5-license CD is around $136.43 shipped from Provantage, which is $27.29 per client. The software installs without any keys or registration, so I don't know how they control that number.

Anav (Premium Member, join:2001-07-16, Dartmouth, NS)
Can you confirm that build/release, Max? I.e. was it a recent purchase? I had asked the question earlier in another thread and the only response was a much older variant!

robr (Member, join:2005-04-16, 02101) to maxusa
Is the Netgear/Safenet client 'always on', or is it like the Cisco client where I run the application when I want to connect? I've played with clients in the past that filter all traffic all the time, even when you're on the local LAN, and have run into issues with those (it appears Zyxel's client is one such).

maxusa (Premium Member, join:2004-05-05, USA) to Anav
The purchase was made around 6~8 months ago. Version 10.3.5 (build 6) is WinXP SP2 compliant.

Most users know that ZyXEL changed the VPN client provider from SSH to SafeNet. Therefore, the newer ZyXEL VPN clients, like Netgear, are rebranded SafeNet SoftRemoteLT, a great choice.

By default, SoftRemoteLT automatically establishes and terminates connections when needed. The connection remains up until one of these conditions occurs:
  1. The remote gateway, network, Internet, or ISP dropped the tunnel.
  2. The user turned off/logged off the computer.
  3. The user imported or reloaded the security policy.
  4. The user terminated the tunnel manually.
However, if the "only connect manually" checkbox is selected for a given policy, the client does not automatically dial or drop tunnels. The user must manually connect/disconnect such tunnels. For the client to load with the operating system, you may want to manually add the client shortcut (C:\Program Files\SafeNet SoftRemoteLT\SafeCfg.exe) to the Startup folder. You will see the "S" icon in the System Tray. It will load automatically, and will behave according to the "only connect manually" checkbox in each configured policy.

Hope this helps.

robr (Member, join:2005-04-16, 02101)
OK, I think I'm close to having this working (I shut off RADIUS to try and minimize the complexity). I'm using SafeNet SoftRemoteLT.

The client log shows:
12-08: 21:16:13.906
12-08: 21:16:13.921 My Connections\bleh - Attempting to resolve Hostname (vpn.bleh.com)
12-08: 21:16:13.937 My Connections\bleh - Initiating IKE Phase 1 (Hostname=vpn.bleh.com) (IP ADDR=1.2.3.4)
12-08: 21:16:13.937 My Connections\bleh - Generic entry match with remote address 0.0.0.0.
12-08: 21:16:13.937 My Connections\bleh - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
12-08: 21:16:14.078 My Connections\bleh - RECEIVED>>> ISAKMP OAK MM (KE, NON, VID 3x)
12-08: 21:16:14.343 My Connections\bleh - RECEIVED>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
12-08: 21:16:14.406 My Connections\bleh - RECEIVED ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
12-08: 21:16:14.406 My Connections\bleh - Established IKE SA
12-08: 21:16:14.406 MY COOKIE 1a 2b 3c 4d 5e 6f 7a 8b
12-08: 21:16:14.406 HIS COOKIE 11 22 33 44 55 66 77 88

At this point the connection is still trying to connect and eventually times out and says to check the log. There is nothing written to the log after the above. The last entry in the ZyWall log is similar:
1 2005-12-08 21:16:12 Phase 1 IKE SA process done 1.2.3.4 5.6.7.8 IKE

Any ideas on what to look at next to troubleshoot? Thanks, I'll be continuing to work on this.

robr (Member)
Just an update: made it past the above problem, working on the 2nd phase key exchange now. Phase 2 currently looks like this:

12-08: 21:53:52.890 My Connections\bleh - Initiating IKE Phase 2 with Client IDs (message id: BACF9D32)
12-08: 21:53:52.890 Initiator = IP ADDR=192.168.1.103, prot = 0 port = 0
12-08: 21:53:52.890 Responder = IP ADDR=0.0.0.0, prot = 0 port = 0
12-08: 21:53:52.890 My Connections\bleh - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
12-08: 21:53:52.937 My Connections\bleh - RECEIVED ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO)
12-08: 21:53:52.937 My Connections\bleh - Discarding SA negotiation
12-08: 21:53:52.937 My Connections\bleh - Deleting IKE SA (IP ADDR=71.243.117.216)
12-08: 21:53:52.937 MY COOKIE xx xx xx xxx xx xx
12-08: 21:53:52.937 HIS COOKIE yy yy yy yy yy yy
12-08: 21:53:52.953 My Connections\bleh - RECEIVED ISAKMP OAK INFO *(HASH, DEL)
12-08: 21:53:52.953 My Connections\bleh - Received message for non-active IKE SA
12-08: 21:53:52.968 My Connections\bleh - RECEIVED ISAKMP OAK INFO *(HASH, DEL)
12-08: 21:53:52.968 My Connections\bleh - Received message for non-active IKE SA

robr (Member)
I think this thread will help solve my problem:

»ZyWALL 3.64 firmware / ZyWALL VPN client setup

DavidJWood (Premium Member, join:2001-10-12, UK)
»ZyWALL 3.64 firmware / ZyWALL VPN client setup should help - that's the reason I wrote the thread and pointed it to you earlier! Though the title says 3.64, it applies equally to 4.00 - the point is that ZyXEL made significant changes to the VPN functionality in 3.64.

If you have Phase 1 completing, the chances are that the certificates and/or PSK setup is correct.

The log shows you're going wrong with the IDs; with dynamic IP addresses, you can't use IP IDs. If you're using certificates, use distinguished names (called subject names at the ZyWALL end) as per that thread. If you're using PSK, read the second paragraph of "I don't want the hassle of certificates - how do I use pre-shared keys?" for some suggestions.

Certificates and subject/distinguished name IDs really are the best solution, though it's not quite as easy to set up in the first place as PSK.

The next hurdle may be the IP addressing - that was where I got stuck for some time. The instructions are in that thread under "Configuring the client" - make sure you read the bit about enabling internal network addresses in the client, and choose an otherwise unused address.

David

robr (Member, join:2005-04-16, 02101)
I had to take a break last night but will get back to this tonight. Have you done this while setting up RADIUS as well, perchance?

DavidJWood (Premium Member, join:2001-10-12, UK)
The only thing you can use RADIUS for with the VPN functionality is Extended Authentication (XAUTH). I've used XAUTH with the built-in authentication server, but not with an external RADIUS server, even though I have one. I'm not quite sure what the ZyWALL would be expecting of the RADIUS server when used for XAUTH - I don't necessarily think it would be using EAP.

If you want to harden the VPN, put the effort into setting up a certificate based infrastructure before worrying about XAUTH. The ideal would be if you set up a CA with a CRL (which is a refinement I didn't document) so that you could revoke individual certificates as necessary.

I do use RADIUS with my Z35, but that's for WPA Enterprise (using EAP-TLS). I keep meaning to write an up to date set of instructions for configuring FreeRADIUS for wireless network authentication - the instructions that jbibe has posted in the past are based on an obsolete version of FreeRADIUS.

David

robr (Member, join:2005-04-16, 02101)
Hmm... I was hoping to just integrate the VPN with Active Directory. I'll give it a shot anyway; I'm not doing anything that needs mega security, I just wanted an easy way to revoke VPN access (and I don't find certificates easy at all, especially in a Windows environment).

DavidJWood (Premium Member, join:2001-10-12, UK)
Well, there's nothing wrong with experimenting. I have no experience whatsoever with Active Directory; my server experience is all UNIX rather than Windows Server.

Get things working without XAUTH first, then you can see what happens when you enable XAUTH.

Certificates really would be a good idea - Safenet, authors of the ZyWALL client, only recommend PSKs for testing and debugging.

If you can write up some instructions as to how to generate the necessary infrastructure in Windows Server, by all means add it to the original thread if you can, or post it in a new one. So long as you can generate a CA, sign the ZyWALL's CSR with that CA (which you may be able to do via SCEP on Windows Server), then generate one or more client certificates, you're away. If you can handle a CRL using your Windows Server, all the better.

David

robr (Member, join:2005-04-16, 02101)
I'm back at this and still stuck. I'm using Netgear's 10.3.5 build 6 and, looking at the screenshots, on the My Identity screen they show a box labelled Internal Network IP Address beneath the Virtual Adapter Disabled selection. I don't have this box, and I think I read that if I didn't put an unused IP address in this box, something like this might result.

EDIT: never mind - I just figured out you have to turn on that option in Global Policy Settings. Didn't help.

When I get to Phase 2 I'm still getting an INVALID_ID_INFO error. Note that for now I'm using PSK.

12-09: 15:12:52.171 My Connections\bleh VPN - Initiating IKE Phase 2 with Client IDs (message id: 15373266)
12-09: 15:12:52.171 My Connections\bleh VPN - Initiator = IP ADDR=192.168.1.103, prot = 0 port = 0
12-09: 15:12:52.171 My Connections\bleh VPN - Responder = IP SUBNET/MASK=192.168.128.0/255.255.255.0, prot = 0 port = 0
12-09: 15:12:52.171 My Connections\bleh VPN - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
12-09: 15:12:52.218 My Connections\bleh VPN - RECEIVED ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO)
12-09: 15:12:52.218 My Connections\bleh VPN - Discarding SA negotiation
12-09: 15:12:52.218 My Connections\bleh VPN - Deleting IKE SA (IP ADDR=71.243.117.216)
12-09: 15:12:52.218 MY COOKIE a0 d3 2c ab d3 9a 74 d4
12-09: 15:12:52.218 HIS COOKIE 9f e8 a2 26 9 58 dc 62
12-09: 15:12:52.218 My Connections\bleh VPN - RECEIVED ISAKMP OAK INFO *(HASH, DEL)
12-09: 15:12:52.234 My Connections\bleh VPN - RECEIVED ISAKMP OAK INFO *(HASH, DEL)
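The two client log excerpts in this thread show the same shape: Phase 1 completes ("Established IKE SA"), Phase 2 is initiated, and the gateway answers with an informational exchange carrying NOTIFY:INVALID_ID_INFO. The small triage script below is an added example written for this page; it is not part of the forum posts, the ZyXEL firmware or the SafeNet client. It parses the SoftRemoteLT log format quoted above, records which IKE milestones were reached, and names the first non-informational NOTIFY that ended the negotiation. The hint table and the constructed sample logs (built from the lines quoted in the thread, with the placeholder addresses the poster used) are this example's own.

```python
"""Triage helper for SafeNet SoftRemoteLT (ZyXEL/Netgear rebrand) IKE logs.

Added example for this thread, not part of the posts or of any vendor tool.
It reads the client log excerpts quoted above and reports how far the IKE
negotiation got and which NOTIFY message, if any, ended it.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Client log line: "MM-DD: HH:MM:SS.mmm <message>"; timestamp-only lines are skipped.
_LINE_RE = re.compile(r"^(?P<ts>\d\d-\d\d: \d\d:\d\d:\d\d\.\d+)\s+(?P<msg>\S.*)$")
_NOTIFY_RE = re.compile(r"NOTIFY:(?P<name>[A-Z_]+)")

# Informational notifications that do not indicate failure.
_BENIGN_NOTIFIES = {"STATUS_INITIAL_CONTACT", "RESPONDER_LIFETIME"}

# This example's own hints: what each fatal notification usually means for a
# client on a dynamic address talking to a gateway that protects a fixed subnet.
_HINTS = {
    "INVALID_ID_INFO": ("Phase 2 identities rejected: the client's ID type or the "
                        "gateway's remote-network rule does not match what the client "
                        "sent (a fixed remote address cannot match a dynamic client)."),
    "NO_PROPOSAL_CHOSEN": ("No common proposal: compare encryption, hash, DH group "
                           "and lifetime on both ends."),
}


@dataclass
class IkeDiagnosis:
    phase1_established: bool = False
    phase2_started: bool = False
    fatal_notify: Optional[str] = None
    hint: str = ""
    events: List[str] = field(default_factory=list)

    def summary(self) -> str:
        if self.fatal_notify:
            phase = "Phase 2" if self.phase2_started else "Phase 1"
            return f"Failed during {phase} with {self.fatal_notify}: {self.hint}"
        if self.phase1_established and not self.phase2_started:
            return ("Phase 1 completed but Phase 2 never started; compare the client's "
                    "Remote Party identity with the gateway's network policy.")
        if self.phase1_established:
            return "Phase 1 and Phase 2 negotiated without a fatal notification."
        return "Phase 1 not established; check the PSK or certificates and the Phase 1 proposal."


def parse_softremote_log(text: str) -> IkeDiagnosis:
    """Walk the client log in order and record the IKE milestones it reports."""
    diag = IkeDiagnosis()
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if "Initiating IKE Phase 1" in msg:
            diag.events.append("phase1-initiated")
        elif "Established IKE SA" in msg:
            diag.phase1_established = True
            diag.events.append("phase1-established")
        elif "Initiating IKE Phase 2" in msg:
            diag.phase2_started = True
            diag.events.append("phase2-initiated")
        n = _NOTIFY_RE.search(msg)
        if n and n.group("name") not in _BENIGN_NOTIFIES and diag.fatal_notify is None:
            diag.fatal_notify = n.group("name")
            diag.hint = _HINTS.get(diag.fatal_notify,
                                   "Look up this notification in the gateway's IKE log.")
            diag.events.append("notify:" + diag.fatal_notify)
    return diag


# Constructed sample: the Phase 1 and Phase 2 excerpts quoted in this thread, joined.
SAMPLE_PHASE2_FAILURE = """\
12-08: 21:16:13.906
12-08: 21:16:13.937 My Connections\\bleh - Initiating IKE Phase 1 (Hostname=vpn.bleh.com) (IP ADDR=1.2.3.4)
12-08: 21:16:13.937 My Connections\\bleh - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
12-08: 21:16:14.343 My Connections\\bleh - RECEIVED>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
12-08: 21:16:14.406 My Connections\\bleh - Established IKE SA
12-09: 15:12:52.171 My Connections\\bleh VPN - Initiating IKE Phase 2 with Client IDs (message id: 15373266)
12-09: 15:12:52.171 My Connections\\bleh VPN - Initiator = IP ADDR=192.168.1.103, prot = 0 port = 0
12-09: 15:12:52.218 My Connections\\bleh VPN - RECEIVED ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO)
12-09: 15:12:52.218 My Connections\\bleh VPN - Discarding SA negotiation
"""

# Constructed sample: the first excerpt, where the log simply stops after Phase 1.
SAMPLE_PHASE1_ONLY = """\
12-08: 21:16:13.937 My Connections\\bleh - Initiating IKE Phase 1 (Hostname=vpn.bleh.com) (IP ADDR=1.2.3.4)
12-08: 21:16:14.406 My Connections\\bleh - Established IKE SA
12-08: 21:16:14.406 MY COOKIE 1a 2b 3c 4d 5e 6f 7a 8b
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHASE2_FAILURE, SAMPLE_PHASE1_ONLY):
        print(parse_softremote_log(sample).summary())
```

Run it against a saved copy of the client log to get a one-line verdict; the gateway's own log entry (the ZyWALL line quoted earlier in the thread shows Phase 1 completing at the same second) should be read alongside it, since the client only sees the NOTIFY and not the gateway's reason for sending it.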
maxusa (Premium Member, join:2004-05-05, USA) to robr
To integrate VPN with Active Directory, you will need to forget about the ZyWALL. Neither of the 2 native Microsoft VPN types is supported by ZyXEL except as pass-through.

If you are talking about integrating Certificates with the Active Directory, you can do this just like with any other certification authority. Be prepared to manage the increased complexity and inter-dependencies of such a system.

ZyWALL VPN + Certificates + Microsoft AD + RADIUS seems like an unnecessarily complicated setup. It's hard to tell what your goals are in this exercise. Having said that, if your organization is a Microsoft shop, have you considered a straight Microsoft VPN solution?

robr (Member, join:2005-04-16, 02101)
Actually I wanted to use MS AD/RADIUS to keep this simple. Certificates make things complex in my mind, not AD. The only MS piece I'm interested in is just using RADIUS to authenticate username/PW against their AD info. However, that's not really all that important to me, so forget about that for right now.

Here's where I am at this point. I have the VPN working if I set up the ZyWall connection as static, pointing back to my dyndns.org FQDN. As soon as I try to configure it as dynamic, I get the error I specified above. I've tried specifying the client IP I want in the VPN client, I've tried not specifying it in the client, I've tried to just assign it via the ZyWall... no matter what I do, I get the INVALID_ID_INFO error during phase 2. This is just getting frustrating.

maxusa (Premium Member, join:2004-05-05, USA)
OK, here is what I managed to decipher from your logs:

ZyWALL Gateway Requirements
Dynamic IP on WAN1 with DDNS account BLEH.DYNDNS.ORG set. You want to have a single VPN rule for many remote clients. You want to use PSK (for now).

Remote Clients Requirements
Dynamic IP remote clients. You want many SoftRemoteLT-equipped clients to connect to your ZyWALL.

Solution
On the ZyWALL, set a WAN-to-WAN/ZyWALL firewall rule to permit any source address IKE(UDP:500). Then create a VPN gateway policy with the following settings:
  • Name = dynamic_gateway_psk
  • My ZyWALL > My Address = 0.0.0.0
  • Pre-Shared Key = 123456789
  • Negotiation Mode = Main
  • Encryption Algorithm = DES
  • Authentication Algorithm = MD5
  • SA Life Time = 28800
  • Key Group = DH1

Then create a network policy like this:
  • Active = check
  • Name = dynamic_gateway_psk
  • Protocol = 0
  • Local Network > Address Type = Subnet Address
  • Local Network > Starting IP = 192.168.1.0
  • Local Network > Subnet Mask = 255.255.255.0
  • Local Port > Start/End = 0/0
  • Remote Network > Address Type = Single Address
  • Remote Network > Starting IP = 0.0.0.0
  • Remote Port > Start/End = 0/0
  • Encapsulation = Tunnel
  • Active Protocol = ESP
  • Encryption Algorithm = DES
  • Authentication Algorithm = SHA1
  • SA Life Time = 28800

On the remote clients, set the SoftRemoteLT security policy as follows:
  • Connection Security = Secure
  • Only Connect Manually = check
  • Remote Party Identity > ID Type = IP Subnet
  • Remote Party Identity > Subnet = 192.168.1.0
  • Remote Party Identity > Mask = 255.255.255.0
  • Remote Party Identity > Protocol = All
  • Remote Party Identity > Connect Using = Secure Gateway Tunnel
  • Remote Party Identity > ID Type > Any = Any ID
  • Remote Party Identity > ID Type > Gateway Hostname = BLEH.DYNDNS.ORG
  • My Identity > Pre-Shared Key = 123456789
  • My Identity > ID Type = IP Address
  • Security Policy > Phase 1 Mode = Main Mode
  • Authentication > Proposal 1 > Auth Method = Pre-Shared Key
  • Authentication > Proposal 1 > Encrypt Alg = DES
  • Authentication > Proposal 1 > Hash Alg = MD5
  • Authentication > Proposal 1 > SA Life = Seconds 28800
  • Authentication > Proposal 1 > Key Group = D-H 1
  • Key Exchange > Proposal 1 > SA Life = Seconds 28800
  • Key Exchange > Proposal 1 > ESP = check
  • Key Exchange > Proposal 1 > Encrypt Alg = DES
  • Key Exchange > Proposal 1 > Hash Alg = SHA-1
  • Key Exchange > Proposal 1 > Encapsulation = Tunnel

Your test network needs Internet access to resolve DDNS. Otherwise, add an entry to the internal DNS or the HOSTS file. To troubleshoot, use the manual dial and the log viewer. Tighten this basic VPN tunnel in steps. Hope this helps.
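Most of the settings in the two lists above have to agree field for field, and the two products spell the same value differently (SHA1 vs SHA-1, DH1 vs D-H 1, Main vs Main Mode), which is how an INVALID_ID_INFO or NO_PROPOSAL_CHOSEN creeps in. The checker below is an added example for this thread, not ZyXEL or SafeNet code: it puts the gateway and client policies side by side, normalises the spellings, and reports every pair that differs. It also reflects the one structural point the working rule depends on (Remote Network = Single Address 0.0.0.0 on the gateway when the clients are on dynamic addresses), and, in the spirit of "tighten this basic VPN tunnel in steps", flags the DES/MD5/DH1 choices and the short numeric PSK as items to replace once the tunnel is up. The dictionary keys, the alias table and the weak-algorithm list are this example's own; the values are the ones quoted in the post.

```python
"""Cross-check a ZyWALL gateway+network policy against a SoftRemoteLT client
policy before dialing, and flag settings worth tightening afterwards.

Added example for this thread; not ZyXEL or SafeNet code. The dictionary keys,
alias table and weak-setting list are this example's own assumptions; the
values are the ones quoted in the post above.
"""
from typing import Dict, List, Tuple

# Map each product's spelling of a setting onto one comparable token.
_ALIASES = {
    "sha-1": "sha1",
    "d-h 1": "dh1", "d-h 2": "dh2", "d-h 5": "dh5",
    "main mode": "main", "aggressive mode": "aggressive",
}
# Settings no longer adequate for a production tunnel (this example's list).
_WEAK = {"des": "56-bit key", "md5": "broken hash function", "dh1": "768-bit MODP group"}


def norm(value) -> str:
    """Lower-case a setting and strip product-specific decoration."""
    v = str(value).strip().lower()
    if v.startswith("seconds "):          # the client writes "Seconds 28800"
        v = v[len("seconds "):]
    return _ALIASES.get(v, v)


# Constructed from the post above: the ZyWALL gateway + network policy.
GATEWAY: Dict[str, object] = {
    "psk": "123456789", "mode": "Main", "p1_enc": "DES", "p1_hash": "MD5",
    "p1_life": 28800, "dh": "DH1",
    "local_net": "192.168.1.0", "local_mask": "255.255.255.0",
    "remote_type": "Single Address", "remote_ip": "0.0.0.0",
    "p2_proto": "ESP", "p2_enc": "DES", "p2_auth": "SHA1",
    "p2_life": 28800, "encap": "Tunnel",
}
# Constructed from the post above: the SoftRemoteLT client policy.
CLIENT: Dict[str, object] = {
    "psk": "123456789", "p1_mode": "Main Mode", "p1_enc": "DES", "p1_hash": "MD5",
    "p1_life": "Seconds 28800", "dh": "D-H 1",
    "remote_subnet": "192.168.1.0", "remote_mask": "255.255.255.0",
    "my_id_type": "IP Address",
    "p2_proto": "ESP", "p2_enc": "DES", "p2_auth": "SHA-1",
    "p2_life": "Seconds 28800", "encap": "Tunnel",
}

# (label, gateway key, client key) for every setting both ends must agree on.
_PAIRS: List[Tuple[str, str, str]] = [
    ("Phase 1 pre-shared key", "psk", "psk"),
    ("Phase 1 negotiation mode", "mode", "p1_mode"),
    ("Phase 1 encryption", "p1_enc", "p1_enc"),
    ("Phase 1 hash", "p1_hash", "p1_hash"),
    ("Phase 1 lifetime", "p1_life", "p1_life"),
    ("Phase 1 DH group", "dh", "dh"),
    ("Phase 2 protocol", "p2_proto", "p2_proto"),
    ("Phase 2 encryption", "p2_enc", "p2_enc"),
    ("Phase 2 authentication", "p2_auth", "p2_auth"),
    ("Phase 2 lifetime", "p2_life", "p2_life"),
    ("Encapsulation", "encap", "encap"),
    ("Protected subnet", "local_net", "remote_subnet"),
    ("Protected subnet mask", "local_mask", "remote_mask"),
]


def check_policies(gw: Dict[str, object], cl: Dict[str, object],
                   clients_dynamic: bool = True) -> List[str]:
    """Return MISMATCH findings (tunnel will not come up) and WEAK findings (tighten later)."""
    findings: List[str] = []
    for label, g, c in _PAIRS:
        if norm(gw[g]) != norm(cl[c]):
            findings.append(f"MISMATCH {label}: gateway={gw[g]!r} client={cl[c]!r}")
    # The working rule in the thread: a wildcard remote identity for dynamic clients.
    wildcard = norm(gw["remote_type"]) == "single address" and gw["remote_ip"] == "0.0.0.0"
    if clients_dynamic and not wildcard:
        findings.append("MISMATCH remote identity: clients on dynamic addresses need "
                        "Remote Network = Single Address 0.0.0.0 on the gateway; a fixed "
                        "remote address cannot match and the client sees INVALID_ID_INFO")
    for key in ("p1_enc", "p1_hash", "dh", "p2_enc", "p2_auth"):
        tok = norm(gw[key])
        if tok in _WEAK:
            findings.append(f"WEAK {key}={gw[key]} ({_WEAK[tok]}); replace once the tunnel is up")
    psk = str(gw["psk"])
    if len(psk) < 16 or psk.isdigit():
        findings.append("WEAK psk: short or all-digit pre-shared key; use a long random one")
    return findings


def mismatches(findings: List[str]) -> List[str]:
    return [f for f in findings if f.startswith("MISMATCH")]


if __name__ == "__main__":
    for line in check_policies(GATEWAY, CLIENT):
        print(line)
```

With the values from the post, the checker reports no MISMATCH lines, which is consistent with the tunnel coming up for the original poster; the WEAK lines are the hardening backlog once it does. Changing one side's Phase 2 hash, or replacing the 0.0.0.0 remote address with a fixed one while the clients stay dynamic, produces the corresponding MISMATCH.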
robr (Member, join:2005-04-16, 02101)
Thanks very much for taking the time to go through all that. The only change is that WAN1 is a static IP address, but let me digest what you've posted and see if I can work through this.

robr (Member)
maxusa - you are a *GOD*!!!!!!!!!! THANK YOU!!!!!
I didn't change a thing, since if a dynamic WAN is working, then there's no reason it wouldn't work if it had a static IP either, and actually, since I have two WAN connections, the IP could vary if I want to use both WAN connections for VPN.

THANK YOU THANK YOU THANK YOU!!!!!!! I owe you a beer if you're ever in the Boston area.

robr (Member)
Hmm... I'm not quite there yet. I connect fine now, but I can't ping anything on the internal network that I've just connected to. Might be a router setting somewhere (I have the firewall turned off, btw, so it shouldn't be a firewall rule causing this).