[vpn-help] ZyXEL ZyWALL 5 connection issue (again)

Lukasz Sokol el.es.cr at googlemail.com
Sat Jan 30 16:30:55 CST 2010


Hi,
I wrote about this issue before, but here it is again: this
time I managed to get phase 2 to complete (apparently the
network policy, as set in Shrew, is also used by the ZyWALL as the phase 2 ID...)

So I configured Shrew (2.1.5) so that the phase 1 and phase 2 proposals match
(basically, set to automatic wherever Shrew allows it; IIRC only one
setting has to be set explicitly, in phase 1).

And all goes well enough: I no longer get a phase 2 ID
mismatch error from my ZyWALL, but then the gateway thinks we have no
security associations, and the Shrew trace shows:

10/01/30 21:50:05 ii : installed divert rule for 0.0.0.0/255.255.255.0
10/01/30 21:50:06 ii : inspecting ARP request ...
10/01/30 21:50:08 !! : failed to process outbound packet, no security policy
10/01/30 21:50:09 !! : failed to process outbound packet, no security policy
10/01/30 21:50:26 ii : inspecting ARP request ...
10/01/30 21:50:26 !! : ARP packet has invalid header
10/01/30 21:51:19 ii : inspecting ARP request ...
10/01/30 21:51:25 ii : inspecting ARP request ...
10/01/30 21:51:25 !! : ARP packet has invalid header
10/01/30 21:51:28 ii : inspecting ARP request ...
10/01/30 21:51:43 ii : removed divert rule for 0.0.0.0/255.255.255.0

and a lot of

10/01/30 21:52:19 ii : inspecting ARP request ...
10/01/30 21:52:19 !! : ARP packet has invalid header
10/01/30 21:53:47 ii : inspecting ARP request ...
10/01/30 21:53:47 !! : ARP packet has invalid header
10/01/30 21:59:25 ii : inspecting ARP request ...
10/01/30 21:59:25 !! : ARP packet has invalid header

(Tried to decrease MTU to 1000, no success.)

This is because I had to set the include policy in Shrew to include
0.0.0.0/24 only:
if Shrew has anything else there (like the address of the ZyWALL's LAN),
the process fails with the error I described earlier (phase 2 ID
mismatch).

(and for some reason the ZyWALL would not let me enter anything other
than 0.0.0.0 as the remote network in the phase 2 setup)

Also, 'Maintain persistent security associations' in the Shrew Policy Setup
has to be off, or it ends with a phase 2 ID mismatch...

Did anybody ever get it running on a ZyWALL?
The peer operating system is WinXP SP3, pretty much up to date, with Shrew 2.1.5.

My topology :

DSL line: single WAN IP <-> DSL modem in routing mode (LAN
192.168.0.1) redirecting all packets (by address mapping) to --->
ZyWALL 5 WAN (192.168.0.10); ZyWALL in routing mode; ZyWALL 5 LAN
address: 192.168.1.1/24

The reason is that my DSL line is PPPoA, and the modem can only do PPPoE
pass-through, so it had to be in routing mode (unfortunately)...

The VPN on the ZyWALL 5 is meant to use virtual host mapping (from 10.0.0.1/24
to 192.168.1.1/24) because the remote peers could locally be on an
address that matches one of the above LAN or ZyWALL 5 WAN subnets.

Can you help me, or point out what I am doing wrong?

Thanks in advance,
Lukasz
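A worked check of the traffic-selector question this post raises, added here as an illustration; it is not part of the original message and not code from Shrew Soft or ZyXEL. It parses the "installed divert rule" line of a Shrew-style trace (the sample lines are constructed to match the format quoted above), counts the two error types that appear in it, and tests whether the selector that was installed covers destinations in the ZyWALL LAN (192.168.1.0/24) and virtual-host (10.0.0.0/24) ranges the post names. The specific destination addresses, the function names and the `LAN_DESTINATIONS` list are assumptions chosen for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample, modelled on the Shrew Soft iked trace lines quoted in the post.
SAMPLE_TRACE = """\
10/01/30 21:50:05 ii : installed divert rule for 0.0.0.0/255.255.255.0
10/01/30 21:50:06 ii : inspecting ARP request ...
10/01/30 21:50:08 !! : failed to process outbound packet, no security policy
10/01/30 21:50:09 !! : failed to process outbound packet, no security policy
10/01/30 21:50:26 !! : ARP packet has invalid header
10/01/30 21:51:43 ii : removed divert rule for 0.0.0.0/255.255.255.0
"""

# Assumed destinations taken from the post's topology: two hosts on the
# ZyWALL LAN and one in the virtual-host range (illustrative values).
LAN_DESTINATIONS = ["192.168.1.1", "192.168.1.50", "10.0.0.1"]

DIVERT_RE = re.compile(r"installed divert rule for (\S+)/(\S+)")


def parse_divert_selectors(trace: str) -> List[str]:
    """Return the networks (as CIDR strings) for which the trace shows an installed divert rule."""
    selectors = []
    for line in trace.splitlines():
        m = DIVERT_RE.search(line)
        if m:
            # Shrew logs 'network/netmask'; ip_network accepts that form for IPv4.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            selectors.append(str(net))
    return selectors


def selector_covers(selector: str, dst: str) -> bool:
    """True if the destination address falls inside the traffic selector (CIDR or net/mask)."""
    return ipaddress.ip_address(dst) in ipaddress.ip_network(selector, strict=False)


def count_errors(trace: str) -> Dict[str, int]:
    """Count the two '!!' error kinds seen in the post's trace."""
    counts = {"no_security_policy": 0, "arp_invalid_header": 0}
    for line in trace.splitlines():
        if "no security policy" in line:
            counts["no_security_policy"] += 1
        elif "ARP packet has invalid header" in line:
            counts["arp_invalid_header"] += 1
    return counts


def diagnose(trace: str, destinations: List[str]) -> Dict[str, bool]:
    """Map each destination to whether any selector installed in the trace covers it."""
    selectors = parse_divert_selectors(trace)
    return {dst: any(selector_covers(s, dst) for s in selectors) for dst in destinations}


if __name__ == "__main__":
    print("installed selectors:", parse_divert_selectors(SAMPLE_TRACE))
    print("error counts:", count_errors(SAMPLE_TRACE))
    for dst, ok in diagnose(SAMPLE_TRACE, LAN_DESTINATIONS).items():
        print(f"{dst}: {'covered' if ok else 'NOT covered by any installed selector'}")
    # For comparison: a match-everything selector, and the actual LAN subnet.
    print("0.0.0.0/0 covers 192.168.1.1:", selector_covers("0.0.0.0/0", "192.168.1.1"))
    print("192.168.1.0/24 covers 192.168.1.50:", selector_covers("192.168.1.0/24", "192.168.1.50"))
```

The point the check makes: an include policy written as 0.0.0.0/255.255.255.0 is the network 0.0.0.0 to 0.0.0.255, not "any network", so an outbound packet to 192.168.1.1 matches none of the installed policy, which is consistent with the "failed to process outbound packet, no security policy" lines in the trace. A 0.0.0.0/0 selector, or the real remote subnet (192.168.1.0/24 or the 10.0.0.0/24 virtual range), does cover those destinations; whether the ZyWALL accepts such a selector as the phase 2 ID is exactly the question the post leaves open.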



More information about the vpn-help mailing list