[Vpn-help] Shrew on Windows, to dynamic ZyWall : my id problem

Lukasz Sokol lukasz.sokol at conwayrentals.co.uk
Fri Dec 4 03:42:51 CST 2009


Hi vpn-help,

My ZyWall 5 gateway shows this in logs when I try to configure a tunnel with Shrew:

11	2009-11-25 15:25:03 	[ID] : Rule [Office-Tunnel-Network-Policy] Verifying Remote ID failed: 
9	2009-11-25 15:25:03 	Recv ID: SINGLE, [10.0.2.1]-[10.0.2.1] 	
7	2009-11-25 15:25:03 	vs. My Remote [0.0.0.0]-[0.0.0.0] 	

Phase 1 is configured aggressive, with email identifiers and XAUTH and PSK. (When I get it working I will
go to certificate-based encryption anyway.)
(Btw, why are the email-based identifiers for Phase 1 only allowed in aggressive mode? I.e. main mode
requires me to put an IP as both remote and local ID on Shrew, whereas the ZyWALL does not.)

Unfortunately, My Remote ID needs to remain 0.0.0.0 on the ZyWall, because it won't allow me to set it.

The ZyWall won't allow me to set it, because its gateway IP is set to 0.0.0.0, effectively making it
'dynamic' as per the ZyWall way of naming things.

The ZyWall needs to be dynamic, because it gets a different WAN IP every time it re-connects to our ISP
(I consider this a feature).

(It is a bit more complex than that: we have an incoming DSL connection, with PPPoA, connected to a
ZyXEL P660RU modem, which actually gets the WAN IP (which is assigned by DHCP, so it expires sometimes),
then all ports from the WAN are redirected to the ZyWALL 5 WAN. The bad bit of this is that the ZyWall 5 has no
way of knowing what its actual WAN IP is, because its WAN sits on the modem's LAN, e.g. 192.168.0.X, and has its
own LAN of 192.168.1.X.)

And the remote side (Shrew Local Host setting) needs to be on a virtual adapter with an assigned address,
because the ZyWall does not support any automatic way of configuring things.

What I want to achieve is to give the people who connect via the tunnel access to the local network (on the
192.168.1.X subnet - the ZyWALL's LAN) (and just one host is all I really need).

Is there something I can do to make the above sane and manageable? (and safe too?)

Would it be a good idea to set the ZyWALL's gateway IP to 192.168.0.X so as to make
Phase 2 recognize it is not dynamic?

Also, I could obtain some DynDNS account and use it for this purpose - this would be the easiest thing to do
actually - but I didn't really want to do it... being a honeypot is no fun.

I have read the Shrew support page on ZyWALL 5 and used some google-fu to find
http://www.dslreports.com/forum/r22711771-Free-windows-VPN-client-for-ZyWall5
http://www.dslreports.com/forum/r22994160-Zyxel-Zywall-5-PPTP-VPN-how-to

which helped me to get through Phase 1.

I do not hesitate to read, so Google keywords, pointers and hints are welcome and appreciated.
(I don't expect anybody to fix my problems :) )

Thanks in advance,

Lukasz
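Added example, not from the post or from ZyXEL/Shrew: a small Python helper that stitches the three ZyWALL log lines of one failed "Verifying Remote ID" check back into a record and labels the reason, so an admin can tell an unset Remote ID (the 0.0.0.0 range of a "dynamic" gateway) apart from a genuine address mismatch. The log layout is taken from the three lines in the post; the second policy name and addresses in the sample are constructed.

```python
import ipaddress
import re

# Constructed sample in the ZyWALL log layout from the post: "<index>\t<time>\t<message>".
# Entries 11/9/7 are the post's own lines; the 15:30:10 entries are made up for contrast.
SAMPLE_LOG = """\
11\t2009-11-25 15:25:03\t[ID] : Rule [Office-Tunnel-Network-Policy] Verifying Remote ID failed:
9\t2009-11-25 15:25:03\tRecv ID: SINGLE, [10.0.2.1]-[10.0.2.1]
7\t2009-11-25 15:25:03\tvs. My Remote [0.0.0.0]-[0.0.0.0]
6\t2009-11-25 15:30:10\t[ID] : Rule [Other-Policy] Verifying Remote ID failed:
5\t2009-11-25 15:30:10\tRecv ID: SINGLE, [10.0.3.7]-[10.0.3.7]
4\t2009-11-25 15:30:10\tvs. My Remote [10.0.2.0]-[10.0.2.255]
"""
RULE_RE = re.compile(r"Rule \[(?P<rule>[^\]]+)\] Verifying Remote ID failed")
RANGE_RE = re.compile(r"\[(?P<lo>[\d.]+)\]-\[(?P<hi>[\d.]+)\]")


def parse_failures(log_text):
    """Stitch the three consecutive lines of one failed ID check into a dict:
    timestamp, rule, recv (lo, hi) sent by the peer, mine (lo, hi) configured."""
    failures, pending = [], None  # pending: half-built record for the current timestamp
    for raw in log_text.splitlines():
        parts = raw.split("\t", 2)
        if len(parts) != 3:
            continue
        _idx, ts, msg = parts
        rule = RULE_RE.search(msg)
        if rule:
            pending = {"timestamp": ts, "rule": rule.group("rule")}
            continue
        rng = RANGE_RE.search(msg)
        if pending is None or pending["timestamp"] != ts or not rng:
            continue
        if msg.startswith("Recv ID"):
            pending["recv"] = (rng.group("lo"), rng.group("hi"))
        elif msg.startswith("vs. My Remote") and "recv" in pending:
            pending["mine"] = (rng.group("lo"), rng.group("hi"))
            failures.append(pending)
            pending = None
    return failures


def classify(failure):
    """Say why the policy's Remote ID could not match the ID the peer sent."""
    if failure["mine"] == ("0.0.0.0", "0.0.0.0"):
        # Gateway IP 0.0.0.0 ("dynamic" in ZyWALL terms) leaves the policy with
        # no Remote ID at all, so any concrete peer ID is rejected.
        return "remote-id-unset"
    lo, hi = (ipaddress.ip_address(a) for a in failure["mine"])
    rlo, rhi = (ipaddress.ip_address(a) for a in failure["recv"])
    if lo <= rlo and rhi <= hi:
        return "address-in-range"  # not an address mismatch; compare ID types instead
    return "address-out-of-range"
```

Run `classify(f)` over `parse_failures(SAMPLE_LOG)`; the post's own entry comes back as `remote-id-unset`, which is the symptom of the 0.0.0.0 gateway setting rather than a wrong ID on the Shrew side.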




