[Vpn-help] ZyWall USG 200 Site-to-Site

Michael Wolf michaelpwolf at googlemail.com
Sat May 16 13:15:48 CDT 2009


Hello there,

I've been struggling with this for 2 days; I hope somebody can point me to
the error.
For now I'm at version 2.2.0, but that didn't change a thing compared to 2.1.4.

I need to build a site-to-site connection from my Ubuntu notebook
(which is in 192.168.10.0) to a ZyWall USG 200 (internal network
10.168.69.0) at work (WAN 1.2.3.4). I have web access to the firewall,
so I created a new gateway and connection and tried to
stick with the settings from the howto for Zyxel.

While trying to get a connection I came across a lot of errors, but
after all I learned these settings should be fine.
I'm not absolutely sure about the policies though... there are 2 on the
ZyWall side, one for each network. I don't want my network to be seen
from the other side, so I chose exclude for this and include for the
remote network?
It doesn't influence the error I get...

Here's the site-config:

n:version:3
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:0
n:client-dns-used:0
b:auth-mutual-psk:psk
n:phase1-dhgroup:2
n:phase1-keylen:0
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-keylen:0
n:phase2-pfsgroup:-1
n:phase2-life-secs:28800
n:policy-nailed:1
n:policy-list-auto:0
n:client-dns-auto:0
s:client-dns-addr:10.168.69.17
s:client-dns-suffix:domain
n:phase2-life-kbytes:0
s:network-host:1.2.3.4
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:10.168.69.251
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:disable
s:auth-method:mutual-psk
s:ident-client-type:ufqdn
s:ident-client-data:mymail at work.net
s:ident-server-type:address
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:3des
s:phase2-hmac:md5
s:ipcomp-transform:deflate
s:policy-list-include:10.168.69.0/255.255.255.0,192.168.10.0/255.255.255.0


So perhaps it's about routing? I lost tap0 in the process...
192.168.10.0    0.0.0.0         255.255.255.0   U     2      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
0.0.0.0         192.168.10.1    0.0.0.0         UG    0      0        0 wlan0

Seems like I should have come here before, when there still was a tap0...



So here's the actual log output:
09/05/16 19:29:24 ii : ipc client process thread begin ...
09/05/16 19:29:24 <A : peer config add message
09/05/16 19:29:24 <A : proposal config message
09/05/16 19:29:24 <A : proposal config message
09/05/16 19:29:24 <A : proposal config message
09/05/16 19:29:24 <A : client config message
09/05/16 19:29:24 <A : local id 'mymail at work.net' message
09/05/16 19:29:24 <A : preshared key message
09/05/16 19:29:24 <A : remote resource message
09/05/16 19:29:24 <A : remote resource message
09/05/16 19:29:24 <A : peer tunnel enable message
09/05/16 19:29:24 DB : peer added ( obj count = 1 )
09/05/16 19:29:24 ii : local address 192.168.10.160 selected for peer
09/05/16 19:29:24 DB : tunnel added ( obj count = 1 )
09/05/16 19:29:24 DB : new phase1 ( ISAKMP initiator )
09/05/16 19:29:24 DB : exchange type is aggressive
09/05/16 19:29:24 DB : 192.168.10.160:500 <-> 1.2.3.4:500
09/05/16 19:29:24 DB : 0e923767d0760ad1:0000000000000000
09/05/16 19:29:24 DB : phase1 added ( obj count = 1 )
09/05/16 19:29:24 >> : security association payload
09/05/16 19:29:24 >> : - proposal #1 payload
09/05/16 19:29:24 >> : -- transform #1 payload
09/05/16 19:29:24 >> : key exchange payload
09/05/16 19:29:24 >> : nonce payload
09/05/16 19:29:24 >> : identification payload
09/05/16 19:29:24 >> : vendor id payload
09/05/16 19:29:24 ii : local supports nat-t ( draft v00 )
09/05/16 19:29:24 >> : vendor id payload
09/05/16 19:29:24 ii : local supports nat-t ( draft v01 )
09/05/16 19:29:24 >> : vendor id payload
09/05/16 19:29:24 ii : local supports nat-t ( draft v02 )
09/05/16 19:29:24 >> : vendor id payload
09/05/16 19:29:24 ii : local supports nat-t ( draft v03 )
09/05/16 19:29:24 >> : vendor id payload
09/05/16 19:29:24 ii : local supports nat-t ( rfc )
09/05/16 19:29:24 >> : vendor id payload
09/05/16 19:29:24 >> : vendor id payload
09/05/16 19:29:24 ii : local supports DPDv1
09/05/16 19:29:24 >> : vendor id payload
09/05/16 19:29:24 ii : local is SHREW SOFT compatible
09/05/16 19:29:24 >> : vendor id payload
09/05/16 19:29:24 ii : local is NETSCREEN compatible
09/05/16 19:29:24 >> : vendor id payload
09/05/16 19:29:24 ii : local is SIDEWINDER compatible
09/05/16 19:29:24 >> : vendor id payload
09/05/16 19:29:24 ii : local is CISCO UNITY compatible
09/05/16 19:29:24 >= : cookies 0e923767d0760ad1:0000000000000000
09/05/16 19:29:24 >= : message 00000000
09/05/16 19:29:24 -> : send IKE packet 192.168.10.160:500 -> 1.2.3.4:500 ( 521 bytes )
09/05/16 19:29:24 DB : phase1 resend event scheduled ( ref count = 2 )
09/05/16 19:29:25 <- : recv IKE packet 1.2.3.4:500 -> 192.168.10.160:500 ( 524 bytes )
09/05/16 19:29:25 DB : phase1 found
09/05/16 19:29:25 ii : processing phase1 packet ( 524 bytes )
09/05/16 19:29:25 =< : cookies 0e923767d0760ad1:a4867f410c51cc43
09/05/16 19:29:25 =< : message 00000000
09/05/16 19:29:25 << : security association payload
09/05/16 19:29:25 << : - propsal #1 payload
09/05/16 19:29:25 << : -- transform #1 payload
09/05/16 19:29:25 ii : matched isakmp proposal #1 transform #1
09/05/16 19:29:25 ii : - transform    = ike
09/05/16 19:29:25 ii : - cipher type  = 3des
09/05/16 19:29:25 ii : - key length   = default
09/05/16 19:29:25 ii : - hash type    = md5
09/05/16 19:29:25 ii : - dh group     = modp-1024
09/05/16 19:29:25 ii : - auth type    = psk
09/05/16 19:29:25 ii : - life seconds = 28800
09/05/16 19:29:25 ii : - life kbytes  = 0
09/05/16 19:29:25 << : key exchange payload
09/05/16 19:29:25 << : nonce payload
09/05/16 19:29:25 << : identification payload
09/05/16 19:29:25 ii : phase1 id match ( natt prevents ip match )
09/05/16 19:29:25 ii : received = ipv4-host 1.2.3.4
09/05/16 19:29:25 << : hash payload
09/05/16 19:29:25 << : vendor id payload
09/05/16 19:29:25 ii : unknown vendor id ( 14 bytes )
09/05/16 19:29:25 0x : f758f226 68750f03 b08df6eb e1d0
09/05/16 19:29:25 << : vendor id payload
09/05/16 19:29:25 ii : unknown vendor id ( 16 bytes )
09/05/16 19:29:25 0x : 27bab5dc 01ea0760 ea4e3190 ac27c0d0
09/05/16 19:29:25 << : vendor id payload
09/05/16 19:29:25 ii : unknown vendor id ( 16 bytes )
09/05/16 19:29:25 0x : 6105c422 e76847e4 3f968480 1292aecd
09/05/16 19:29:25 << : vendor id payload
09/05/16 19:29:25 ii : peer supports nat-t ( draft v00 )
09/05/16 19:29:25 << : vendor id payload
09/05/16 19:29:25 ii : unknown vendor id ( 16 bytes )
09/05/16 19:29:25 0x : cd604643 35df21f8 7cfdb2fc 68b6a448
09/05/16 19:29:25 << : vendor id payload
09/05/16 19:29:25 ii : peer supports nat-t ( draft v02 )
09/05/16 19:29:25 << : vendor id payload
09/05/16 19:29:25 ii : peer supports nat-t ( draft v03 )
09/05/16 19:29:25 << : vendor id payload
09/05/16 19:29:25 ii : peer supports nat-t ( rfc )
09/05/16 19:29:25 << : vendor id payload
09/05/16 19:29:25 ii : peer supports DPDv1
09/05/16 19:29:25 << : vendor id payload
09/05/16 19:29:25 ii : peer is CISCO UNITY compatible
09/05/16 19:29:25 << : notification payload
09/05/16 19:29:25 << : nat discovery payload
09/05/16 19:29:25 << : nat discovery payload
09/05/16 19:29:25 ii : nat discovery - local address is translated
09/05/16 19:29:25 ii : switching to src nat-t udp port 4500
09/05/16 19:29:25 ii : switching to dst nat-t udp port 4500
09/05/16 19:29:25 == : DH shared secret ( 128 bytes )
09/05/16 19:29:25 == : SETKEYID ( 16 bytes )
09/05/16 19:29:25 == : SETKEYID_d ( 16 bytes )
09/05/16 19:29:25 == : SETKEYID_a ( 16 bytes )
09/05/16 19:29:25 == : SETKEYID_e ( 16 bytes )
09/05/16 19:29:25 == : cipher key ( 32 bytes )
09/05/16 19:29:25 == : cipher iv ( 8 bytes )
09/05/16 19:29:25 == : phase1 hash_i ( computed ) ( 16 bytes )
09/05/16 19:29:25 >> : hash payload
09/05/16 19:29:25 >> : nat discovery payload
09/05/16 19:29:25 >> : nat discovery payload
09/05/16 19:29:25 >= : cookies 0e923767d0760ad1:a4867f410c51cc43
09/05/16 19:29:25 >= : message 00000000
09/05/16 19:29:25 >= : encrypt iv ( 8 bytes )
09/05/16 19:29:25 == : encrypt packet ( 88 bytes )
09/05/16 19:29:25 == : stored iv ( 8 bytes )
09/05/16 19:29:25 DB : phase1 resend event canceled ( ref count = 1 )
09/05/16 19:29:25 -> : send NAT-T:IKE packet 192.168.10.160:4500 -> 1.2.3.4:4500 ( 124 bytes )
09/05/16 19:29:25 == : phase1 hash_r ( computed ) ( 16 bytes )
09/05/16 19:29:25 == : phase1 hash_r ( received ) ( 16 bytes )
09/05/16 19:29:25 ii : phase1 sa established
09/05/16 19:29:25 ii : 1.2.3.4:4500 <-> 192.168.10.160:4500
09/05/16 19:29:25 ii : e923767d0760ad1:a4867f41c51cc43
09/05/16 19:29:25 ii : sending peer INITIAL-CONTACT notification
09/05/16 19:29:25 ii : - 192.168.10.160:4500 -> 1.2.3.4:4500
09/05/16 19:29:25 ii : - isakmp spi = 0e923767d0760ad1:a4867f410c51cc43
09/05/16 19:29:25 ii : - data size 0
09/05/16 19:29:25 >> : hash payload
09/05/16 19:29:25 >> : notification payload
09/05/16 19:29:25 == : new informational hash ( 16 bytes )
09/05/16 19:29:25 == : new informational iv ( 8 bytes )
09/05/16 19:29:25 >= : cookies 0e923767d0760ad1:a4867f410c51cc43
09/05/16 19:29:25 >= : message 9118c8ba
09/05/16 19:29:25 >= : encrypt iv ( 8 bytes )
09/05/16 19:29:25 == : encrypt packet ( 76 bytes )
09/05/16 19:29:25 == : stored iv ( 8 bytes )
09/05/16 19:29:25 -> : send NAT-T:IKE packet 192.168.10.160:4500 -> 1.2.3.4:4500 ( 108 bytes )
09/05/16 19:29:25 DB : config added ( obj count = 1 )
09/05/16 19:29:25 ii : configuration method is manual
09/05/16 19:29:25 ii : creating IPSEC INBOUND policy ANY:255.255.255.255/0:* -> ANY:192.168.10.160:*
09/05/16 19:29:25 DB : policy added ( obj count = 33 )
09/05/16 19:29:25 K> : send pfkey X_SPDADD UNSPEC message
09/05/16 19:29:25 ii : creating IPSEC OUTBOUND policy ANY:192.168.10.160:* -> ANY:255.255.255.255/0:*
09/05/16 19:29:25 ii : created IPSEC policy route for 255.255.255.255
09/05/16 19:29:25 DB : policy added ( obj count = 34 )
09/05/16 19:29:25 K> : send pfkey X_SPDADD UNSPEC message
09/05/16 19:29:25 ii : creating IPSEC INBOUND policy ANY:255.255.255.255/0:* -> ANY:192.168.10.160:*
09/05/16 19:29:25 DB : policy added ( obj count = 35 )
09/05/16 19:29:25 K> : send pfkey X_SPDADD UNSPEC message
09/05/16 19:29:25 ii : creating IPSEC OUTBOUND policy ANY:192.168.10.160:* -> ANY:255.255.255.255/0:*
09/05/16 19:29:25 ii : created IPSEC policy route for 255.255.255.255
09/05/16 19:29:25 DB : policy added ( obj count = 36 )
09/05/16 19:29:25 K> : send pfkey X_SPDADD UNSPEC message
09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )
09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )
09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )
09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )
09/05/16 19:29:25 DB : phase2 not found

Thanks for some help in advance...

Michael Wolf
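As an added example (not code from the original post or from the Shrew Soft project), here is a Python script that parses the site-file format posted above, flags the settings a reviewer would question in it, and triages the iked log for the pfkey X_SPDADD failures. The embedded config and log excerpts are constructed from the post (with the mail-wrapped policy lines rejoined); errno values are decoded with Python's errno table (17 is EEXIST on Linux); the severity labels and the reading of phase2-pfsgroup -1 as "PFS off" are my own assumptions.

```python
"""Lint a Shrew Soft site file and triage its iked log.

Added example, not code from the original post or from Shrew Soft.
Config/log excerpts are constructed from the post; severity labels and
the reading of phase2-pfsgroup -1 as "PFS off" are assumptions.
"""
import errno
import ipaddress
import re

# Subset of the posted site file (format: type:key:value; n=int, s/b=string).
SITE_CONFIG = """\
n:version:3
s:network-host:1.2.3.4
s:auth-method:mutual-psk
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:md5
n:phase1-dhgroup:2
s:phase2-transform:3des
s:phase2-hmac:md5
n:phase2-pfsgroup:-1
s:policy-list-include:10.168.69.0/255.255.255.0,192.168.10.0/255.255.255.0
"""

# Tail of the posted log, mail-wrapped lines rejoined (constructed excerpt).
IKED_LOG = """\
09/05/16 19:29:25 ii : phase1 sa established
09/05/16 19:29:25 ii : creating IPSEC INBOUND policy ANY:255.255.255.255/0:* -> ANY:192.168.10.160:*
09/05/16 19:29:25 ii : creating IPSEC OUTBOUND policy ANY:192.168.10.160:* -> ANY:255.255.255.255/0:*
09/05/16 19:29:25 ii : creating IPSEC INBOUND policy ANY:255.255.255.255/0:* -> ANY:192.168.10.160:*
09/05/16 19:29:25 ii : creating IPSEC OUTBOUND policy ANY:192.168.10.160:* -> ANY:255.255.255.255/0:*
09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )
09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )
09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )
09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )
09/05/16 19:29:25 DB : phase2 not found
"""

def parse_site(text):
    """Parse the site file into a dict; 'n:' values become ints."""
    cfg = {}
    for line in text.splitlines():
        if line.strip():
            kind, key, value = line.split(":", 2)
            cfg[key] = int(value) if kind == "n" else value
    return cfg

def parse_policy_list(value):
    """Split a comma-separated include/exclude list into IPv4Networks."""
    good, bad = [], []
    for entry in filter(None, value.split(",")):
        try:
            good.append(ipaddress.IPv4Network(entry.strip(), strict=False))
        except ValueError:
            bad.append(entry)
    return good, bad

def lint_site(cfg):
    """Return (severity, message) pairs for settings a reviewer would flag."""
    f = []
    if cfg.get("phase1-exchange") == "aggressive" and cfg.get("auth-method") == "mutual-psk":
        f.append(("high", "aggressive mode + PSK: identities and the responder's PSK-derived "
                          "hash are sent unencrypted, so a capture allows offline PSK guessing"))
    if "3des" in (cfg.get("phase1-cipher"), cfg.get("phase2-transform")):
        f.append(("medium", "3DES (64-bit block) is deprecated; prefer AES"))
    if "md5" in (cfg.get("phase1-hash"), cfg.get("phase2-hmac")):
        f.append(("medium", "MD5 integrity is deprecated; prefer SHA-2"))
    if cfg.get("phase1-dhgroup", 0) < 14:
        f.append(("medium", "DH group %d is below 2048-bit MODP (group 14)" % cfg.get("phase1-dhgroup", 0)))
    if cfg.get("phase2-pfsgroup", -1) < 0:  # assumption: -1 means PFS disabled
        f.append(("low", "no PFS: phase1 key compromise exposes every phase2 SA"))
    _, bad = parse_policy_list(cfg.get("policy-list-include", ""))
    if bad:
        f.append(("error", "unparseable include entries: %r" % bad))
    return f

LINE = re.compile(r"^\S+ \S+ (?P<tag>\S\S) : (?P<msg>.*)$")
POLICY = re.compile(r"creating IPSEC (INBOUND|OUTBOUND) policy (\S+) -> (\S+)")
SPDFAIL = re.compile(r"X_SPDADD message failure \( errno = (\d+) \)")

def triage_log(text):
    """Extract phase1/phase2 outcome, installed selectors and pfkey errors."""
    rep = {"phase1": False, "phase2_missing": False, "policies": [], "spd_errors": []}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg == "phase1 sa established":
            rep["phase1"] = True
        if msg == "phase2 not found":
            rep["phase2_missing"] = True
        p = POLICY.search(msg)
        if p:
            rep["policies"].append(p.groups())
        e = SPDFAIL.search(msg)
        if e:
            code = int(e.group(1))
            rep["spd_errors"].append((code, errno.errorcode.get(code, "?")))
    return rep

def diagnose(rep):
    """One-line reading of the triage, in the order a responder would check."""
    if not rep["phase1"]:
        return "phase1 failed: check PSK, identities and proposals first"
    dupes = len(rep["policies"]) - len(set(rep["policies"]))
    eexist = sum(1 for _, name in rep["spd_errors"] if name == "EEXIST")
    if eexist:
        return ("phase1 ok; kernel refused %d SPD entries as already present (EEXIST), "
                "%d duplicate selectors; no phase2 was started" % (eexist, dupes))
    return "phase1 ok, no pfkey errors; look at phase2 proposals and the peer's policies"

if __name__ == "__main__":
    for sev, msg in lint_site(parse_site(SITE_CONFIG)):
        print("[%s] %s" % (sev, msg))
    print(diagnose(triage_log(IKED_LOG)))
```

The triage deliberately checks phase1 before anything else: in the posted log phase1 completes, so the PSK and identities are fine, and the failure is in installing kernel policy (every X_SPDADD is answered with errno 17, and the four policies reduce to two distinct selectors, both using 255.255.255.255/0 rather than either include entry).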
