[vpn-help] ZyXEL ZyWall 5 + Shrew = ?

Lukasz Sokol el.es.cr at googlemail.com
Mon Feb 8 04:37:16 CST 2010


Hello Shrew Users,

I'm sorry for mugging you with the same question again, but the combination 
as in topic was so far a no-go for me...

(I tried with another ZyWall 5 that has a 'direct' public IP access to Internet 
and happens to be under my control, but to no avail).

All in all:

- when the ZyWall has a configuration for the remote end to be 'dynamic',
it implies that its Phase2 'remote network' policy has to be 0.0.0.0/32,
(i.e. ZyWall won't accept anything else in that field)

- I tried to actually put 0.0.0.0/32 into Security Policies to be allowed
into the remote network (last tab), but if 'Maintain Persistent Security Associations'
is unticked, it does not create any tunnel even though the gateway policy
(phase1) passes OK. (Precisely, the Shrew Trace Utility on Windows shows
a tunnel in the Security Associations tab, but only for a short time, then it disappears.)
Eventually the connection is terminated due to timeout.

- when Shrew has the 'Maintain Persistent Security Associations' box ticked,
it sends its 'local' IP (the one put in as virtual adaptor and assigned IP address)
as phase2 ID, which results in 'Phase2 ID mismatch'. If I use 'physical adaptor'
its IP is being sent to the ZyWall, which also results in 'Phase2 ID mismatch'.

Does this tell something to somebody?
I'd really appreciate any hint (yes I read the Shrew instructions w/r/t ZyWall 5).

(ZyXEL's support say they only support the GreenBow IPSEC client, which I could reliably
make to ... reproduce the same behavior).

Any hint is appreciated,
Lukasz


