[Vpn-help] ZyWall USG 200 Site-to-Site
Matthew Grooms
mgrooms at shrew.net
Mon May 18 01:32:31 CDT 2009
Michael Wolf wrote:
> Hello there,
>
> I've been struggling with this for 2 days; I hope somebody can point me to
> the error.
> For now I'm at version 2.2.0, but that didn't change a thing compared to 2.1.4
>
> I need to build a site-to-site connection from my Ubuntu notebook
> (which is in 192.168.10.0) to a ZyWall USG 200 (internal network
> 10.168.69.0) at work (wan 1.2.3.4). I have web access to the firewall,
> so I created a new gateway and connection and tried to
> stick with the settings from the howto for Zyxel.
>
Hi Michael,
It sounds like you're trying to use the IKE daemon in client mode, but
trying to negotiate a site to site tunnel. This won't work.
The IKE daemon is designed to support client communications or site to
site connections. However, I honestly haven't done much testing of the
latter since there are already several mature IKE daemons that provide
this functionality on Linux/BSD ( *SWAN, ipsec-tools, isakmpd, etc ).
If you want to try using the Shrew Soft IKE daemon in site to site mode,
read the ike.conf man page. It has a similar configuration syntax as
ipsec-tools racoon.conf. You won't need the GUI tools at all since the
security policies will be statically configured using the setkey command
line utility and SA negotiations will happen transparently ( no connect
disconnect required ). But honestly, if you are looking for site to site
I would recommend one of the other tools available. The Shrew Soft VPN
Client, although it has a flexible full featured IKE daemon, has really
only been tested as a client tool.
> While trying to get a connection I came across a lot of errors, but
> after all I learned these settings should be fine.
> I'm not absolutely sure about the policies though... there are 2 on the
> ZyWall side, one for each network. I don't want my network to be seen
> from the other side, so I choose exclude for this and include for the
> remote network?
You're trying to create security policies to encrypt traffic to a network
you are locally connected to. This won't work ...
> 09/05/16 19:29:25 K> : send pfkey X_SPDADD UNSPEC message
> 09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )
> 09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )
> 09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )
> 09/05/16 19:29:25 K! : recv X_SPDADD message failure ( errno = 17 )
> 09/05/16 19:29:25 DB : phase2 not found
>
I'm not entirely sure what you're trying to accomplish. If you need remote
access, I would have a look at the documentation provided in the support
section of our web site. For site to site connectivity, you probably
would be better off using something other than the Shrew Soft Client.
Sorry I can't be more help,
-Matthew
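As an added illustration of the static-policy setup Matthew mentions (not code from the thread or from Shrew Soft): the two setkey(8) SPD entries a site-to-site tunnel between the networks in Michael's post would need. The notebook's public address is not given in the thread, so LOCAL_WAN is a placeholder; ESP in tunnel mode is assumed.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the kernel security
# policies (SPD) for the site-to-site case in setkey(8) syntax, so that an
# IKE daemon running in site-to-site mode can negotiate SAs for them.
LOCAL_NET="192.168.10.0/24"              # notebook side, from the post
REMOTE_NET="10.168.69.0/24"              # ZyWall internal network, from the post
REMOTE_WAN="1.2.3.4"                     # ZyWall WAN address, from the post
LOCAL_WAN="${LOCAL_WAN:-198.51.100.10}"  # placeholder: notebook's public IP (RFC 5737 range)

# Emit the policy set on stdout: flush first, then one outbound and one
# inbound policy, both ESP tunnel mode between the two gateways.
# 'require' makes the kernel drop matching packets until an SA exists,
# so nothing leaks in the clear while IKE is still negotiating.
# Flushing matters because on Linux errno 17 is EEXIST: the X_SPDADD
# failures in the log mean an identical policy was already installed.
gen_spd() {
    printf 'spdflush;\n'
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$LOCAL_NET" "$REMOTE_NET" "$LOCAL_WAN" "$REMOTE_WAN"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$REMOTE_NET" "$LOCAL_NET" "$REMOTE_WAN" "$LOCAL_WAN"
}

# Load into the kernel only when run as root with setkey available;
# otherwise just print the policies for review. After loading, verify
# what the kernel holds with: setkey -DP
if [ "$(id -u)" = 0 ] && command -v setkey >/dev/null 2>&1; then
    gen_spd | setkey -c
else
    gen_spd
fi
```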