[Vpn-help] ZyWall USG 200 Site-to-Site

Matthew Grooms mgrooms at shrew.net
Mon May 18 01:32:31 CDT 2009


Michael Wolf wrote:
> Hello there,
> 
> I'm struggling with this since 2 days, I hope somebody can point me to
> the error.
> For now I'm at version 2.2.0, but that didn't change a thing from 2.1.4
> 
> I need to build a site-to-site connection from my Ubuntu notebook
> (which is in 192.168.10.0) to a ZyWall USG 200 (internal network
> 10.168.69.0) at work (WAN 1.2.3.4). I have web access to the firewall,
> so I created a new gateway and connection and tried to
> stick with the settings from the howto for Zyxel.
> 

Hi Michael,

It sounds like you're trying to use the IKE daemon in client mode, but 
trying to negotiate a site-to-site tunnel. This won't work.

The IKE daemon is designed to support client communications or site to 
site connections. However, I honestly haven't done much testing of the 
latter since there are already several mature IKE daemons that provide 
this functionality on Linux/BSD ( *SWAN, ipsec-tools, isakmpd, etc ).

If you want to try using the Shrew Soft IKE daemon in site to site mode, 
read the ike.conf man page. It has a similar configuration syntax as 
ipsec-tools racoon.conf. You won't need the GUI tools at all since the 
security policies will be statically configured using the setkey command 
line utility and SA negotiations will happen transparently ( no connect 
disconnect required ). But honestly, if you are looking for site to site 
I would recommend one of the other tools available. The Shrew Soft VPN 
Client, although it has a flexible full featured IKE daemon, has really 
only been tested as a client tool.

> While trying to get a connection I came across a lot of errors, but
> after all I learned these settings should be fine.
> I'm not absolutely sure about the policies though... there are 2 on the
> ZyWall side, one for each network. I don't want my network to be seen
> from the other side, so I choose exclude for this and include for the
> remote network?

You're trying to create security policies to encrypt traffic to a network 
you are locally connected to. This won't work ...

> 09/05/16 19:29:25 K> : send pfkey X_SPDADD UNSPEC message
> 09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )
> 09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )
> 09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )
> 09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )
> 09/05/16 19:29:25 DB : phase2 not found
> 

I'm not entirely sure what you're trying to accomplish. If you need remote 
access, I would have a look at the documentation provided in the support 
section of our web site. For site to site connectivity, you probably 
would be better off using something other than the Shrew Soft Client.

Sorry I can't be more help,

-Matthew
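Added example, not part of the thread or of the Shrew Soft code: a small checker for the two problems Matthew points at, the kernel rejecting X_SPDADD with errno 17 (EEXIST on Linux, i.e. an identical SPD entry already exists) and an outbound policy aimed at the subnet the notebook is already attached to. The notebook's own public address 192.0.2.10 is a placeholder, since the thread never gives it; the policy tuples and the log lines are constructed sample input.

```python
import errno
import ipaddress
import re

# Constructed sample mirroring the thread: the notebook sits in 192.168.10.0/24,
# the ZyWall protects 10.168.69.0/24 behind its WAN address 1.2.3.4.
LOCAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Candidate SPD entries in the shape setkey takes them:
#   spdadd src dst any -P dir ipsec esp/tunnel/local_gw-remote_gw/require
# Entries 1 and 2 are the correct pair. Entry 3 repeats entry 1 (the kernel answers
# EEXIST). Entry 4 encrypts traffic towards the notebook's own subnet, the mistake
# the reply describes. 192.0.2.10 is a placeholder for the notebook's address.
CANDIDATE_POLICIES = [
    ("192.168.10.0/24", "10.168.69.0/24", "out", "192.0.2.10", "1.2.3.4"),
    ("10.168.69.0/24", "192.168.10.0/24", "in", "1.2.3.4", "192.0.2.10"),
    ("192.168.10.0/24", "10.168.69.0/24", "out", "192.0.2.10", "1.2.3.4"),
    ("10.168.69.0/24", "192.168.10.0/24", "out", "192.0.2.10", "1.2.3.4"),
]

# Constructed log lines in the daemon's format, copied from the thread.
SAMPLE_LOG = [
    "09/05/16 19:29:25 K> : send pfkey X_SPDADD UNSPEC message",
    "09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )",
    "09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )",
    "09/05/16 19:29:25 DB : phase2 not found",
]

LOG_RE = re.compile(r"K! : recv (\w+) message failure \( errno = (\d+) \)")


def explain_log(lines):
    """Turn the daemon's 'K!' kernel-failure lines into (message, errno name) pairs."""
    return [(m.group(1), errno.errorcode.get(int(m.group(2)), "UNKNOWN"))
            for line in lines if (m := LOG_RE.search(line))]


def check_policies(policies, local_nets):
    """Report SPD entries that the kernel will reject or that cannot carry traffic."""
    problems = []
    seen = set()
    for src, dst, direction, *_ in policies:
        key = (src, dst, direction)
        if key in seen:
            problems.append(f"duplicate selector {key}: spdadd fails with EEXIST (errno 17)")
        seen.add(key)
        dst_net = ipaddress.ip_network(dst)
        if direction == "out" and any(dst_net.overlaps(n) for n in local_nets):
            problems.append(f"outbound policy to locally attached {dst}: this won't work")
    return problems
```

Feed the daemon log to explain_log to name the errno, and run check_policies on the intended entries before handing them to setkey.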


