[vpn-help] Connecting to Zywall - Tunnel established, routing broken?

Ralf Steppacher ralf at steppacher.name
Fri Aug 6 01:12:46 CDT 2010


Hi Lukasz,

It is a Zywall USG 300. And I thought that success was near when I was
able to establish the tunnel. The Zywall is not configured exactly like
it is described in the Shrew-Zywall-Howto, but it still kind of works.
Apart from the fact that I cannot reach IPs on the remote network.
Everyone else in the company is using the commercial Windows client
available from Zyxel. So no chance to get any changes to the device
config done just for me.


Greets
Ralf


On Thu, 2010-08-05 at 15:24 +0100, Lukasz Sokol wrote:
> Hello Ralf,
> 
> which ZyWALL device are you connecting to ?
> 
> I tried a few times to (not only Shrew, GreenBow too) configure IPSEC tunnel(s), using zywall 5, 35 or usg300,
> only to be beaten by phase2 error - i.e. I could not enter tunnel-client settings compatible
> with zywall; it was looking like zywall had to have phase2 id == ipsec client policy or else
> connection was ended by gateway due to phase1 timeout or phase2 id mismatch.
> (yes it was long ago and I found my way without using ipsec vpn, but still interested why I failed)
> 
> Would you share your configuration idea please ?
> 
> Lukasz
> 
> On 05/08/2010 07:26, Ralf Steppacher wrote:
> > Matthew,
> > 
> > thanks for the fast response. Unfortunately making the change you
> > suggest does not make a difference. Depending on what I set under the
> > policy tab I get two different results when trying to ping a host on the
> > remote network:
> > 
> > ralf@ralf-ubuntu:/etc$ ping 192.168.50.10
> > PING 192.168.50.10 (192.168.50.10) 56(84) bytes of data.
> > ^C
> > --- 192.168.50.10 ping statistics ---
> > 8 packets transmitted, 0 received, 100% packet loss, time 7006ms
> > 
> > Or
> > 
> > ralf@ralf-ubuntu:/etc$ ping 192.168.50.10
> > PING 192.168.50.10 (192.168.50.10) 56(84) bytes of data.
> > From 192.168.50.81 icmp_seq=1 Destination Host Unreachable
> > From 192.168.50.81 icmp_seq=2 Destination Host Unreachable
> > From 192.168.50.81 icmp_seq=3 Destination Host Unreachable
> > From 192.168.50.81 icmp_seq=4 Destination Host Unreachable
> > From 192.168.50.81 icmp_seq=5 Destination Host Unreachable
> > From 192.168.50.81 icmp_seq=6 Destination Host Unreachable
> > ^C
> > --- 192.168.50.10 ping statistics ---
> > 7 packets transmitted, 0 received, +6 errors, 100% packet loss, time 6018ms, pipe 4
> > 
> > 
> > 192.168.50.81 is the IP assigned to the tap0 interface.
> > 
> > 
> > Thanks for your help!
> > Ralf
> > 
> > 
> > On Wed, 2010-08-04 at 22:57 -0500, Matthew Grooms wrote:
> >> On 8/4/2010 9:13 AM, Ralf Steppacher wrote:
> >>> Hello all,
> >>>
> >>> I am trying to connect to our corporate network via a Zywall and the Shrew VPN Client 2.1.5 from my Ubuntu 10.04 PC. I followed the Zywall wiki howto as best as I could, having no access to the Zywall configuration.
> >>>
> >>> I managed to establish a tunnel from my PC to the Zywall, but none of the IP addresses on the remote network are reachable/pingable. My local gateway is still pingable though. I guess it is a routing issue?
> >>>
> >>> My kernel routes with the tunnel open look like this. 192.168.1.0 being my local network, 192.168.50.0 being the corporate network.
> >>>
> >>> ralf@ralf-ubuntu:~$ route
> >>> Kernel IP routing table
> >>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> >>> default         192.168.50.81   255.255.255.0   UG    0      0        0 tap0
> >>> 192.168.50.0    *               255.255.255.0   U     0      0        0 tap0
> >>> 192.168.1.0     *               255.255.255.0   U     2      0        0 wlan0
> >>> link-local      *               255.255.0.0     U     1000   0        0 wlan0
> >>> default         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
> >>>
> >>> Does that look right to you?
> >>>
> >>> If it is OK, what else could be wrong?
> >>> In particular, I am unsure about what to set on the "Policy" tab of the client.
> >>>
> >>
> >> Did you read this?
> >>
> >> http://lists.shrew.net/mailman/htdig/vpn-help/2008-November/001827.html
> >>
> >> -Matthew
> >> _______________________________________________
> >> vpn-help mailing list
> >> vpn-help at lists.shrew.net
> >> http://lists.shrew.net/mailman/listinfo/vpn-help
> > 
> > 




