[vpn-help] ZyWall USG 100 troubles

Roger O. Svenning roger at bitloom.no
Tue Nov 9 05:45:51 CST 2010


On 09.11.2010 08:51, Roger O. Svenning wrote:
> Hi
>
> After fiddling with the setup for a few hours I finally got Shrew to
> establish a tunnel with my ZyWall USG 100 (fw 2.2)
> But I'm unable to ping any addresses on the remote network.
>
> Shrew 2.1.7 on W7x64
>
> Remote lan is: 192.168.64.0/24
> Local virtual adapter: 192.168.65.1/255.255.255.0
> Policy: Include 192.168.64.0/24
>
> I have tried both 192.168.64.0/24 and 192.168.65.0/24 as connection
> policy in the ZyWall, and enforce policy turned off.
> I can not see any policies in the ZyWall Firewall that would prevent
> traffic from the IPSec_VPN zone going to LAN zones.
>

Oh well, looking at the log it looks like P2 fails:

10/11/09 12:34:00 ii : user roger authentication succeeded
10/11/09 12:34:00 ii : sending xauth acknowledge
10/11/09 12:34:00 >= : cookies 568b5fadfde03b39:7000bed28fcb4a56
10/11/09 12:34:00 >= : message 243d1797
10/11/09 12:34:00 ii : configuration method is manual
.....
10/11/09 12:34:01 ii : created IPSEC policy route for 192.168.64.0/24
10/11/09 12:34:01 >= : cookies 568b5fadfde03b39:7000bed28fcb4a56
10/11/09 12:34:01 >= : message 893b7f7e
10/11/09 12:34:01 ii : split DNS is disabled
10/11/09 12:34:01 ii : processing informational packet ( 116 bytes )
10/11/09 12:34:01 =< : cookies 568b5fadfde03b39:7000bed28fcb4a56
10/11/09 12:34:01 =< : message 8554dea8
10/11/09 12:34:01 ii : received peer NO-PROPOSAL-CHOSEN notification
10/11/09 12:34:01 ii : - 89.162.xx.xx:500 -> 89.162.xx.xx:500
10/11/09 12:34:01 ii : - ipsec-esp spi = 0x684f02c1
10/11/09 12:34:01 ii : - data size 50
10/11/09 12:34:06 -> : resend 1 phase2 packet(s) 89.162.xx.xx:500 -> 89.162.xx.xx:500
10/11/09 12:34:06 ii : processing informational packet ( 116 bytes )
10/11/09 12:34:06 =< : cookies 568b5fadfde03b39:7000bed28fcb4a56
10/11/09 12:34:06 =< : message 8554dea8
10/11/09 12:34:06 ii : received peer NO-PROPOSAL-CHOSEN notification
10/11/09 12:34:06 ii : - 89.162.xx.xx:500 -> 89.162.xx.xx:500
10/11/09 12:34:06 ii : - ipsec-esp spi = 0x684f02c1
10/11/09 12:34:06 ii : - data size 50

Currently configured to ESP-3DES/MD5 28800 in both ends
Also tried ESP-DES/SHA1 3600
Tried PFS both disabled and set to DH2

Any ideas?
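
Added example, not part of the original message and not Shrew Soft code: a small triage script for the log format quoted above. It checks that XAuth succeeded and ties each NO-PROPOSAL-CHOSEN notification to its protocol and SPI, which places the rejected proposal in Phase 2. The function names and the abridged sample log are assumptions made for the example.

```python
import re

# Sample abridged from the log quoted in the message above (assumed input).
SAMPLE_LOG = """\
10/11/09 12:34:00 ii : user roger authentication succeeded
10/11/09 12:34:01 ii : created IPSEC policy route for 192.168.64.0/24
10/11/09 12:34:01 ii : received peer NO-PROPOSAL-CHOSEN notification
10/11/09 12:34:01 ii : - 89.162.xx.xx:500 -> 89.162.xx.xx:500
10/11/09 12:34:01 ii : - ipsec-esp spi = 0x684f02c1
10/11/09 12:34:06 -> : resend 1 phase2 packet(s) 89.162.xx.xx:500 -> 89.162.xx.xx:500
10/11/09 12:34:06 ii : received peer NO-PROPOSAL-CHOSEN notification
10/11/09 12:34:06 ii : - 89.162.xx.xx:500 -> 89.162.xx.xx:500
10/11/09 12:34:06 ii : - ipsec-esp spi = 0x684f02c1
"""

LINE = re.compile(r"^(\S+ \S+) (\S{2}) : (.*)$")        # date time, tag, message
NOTIFY = re.compile(r"received peer (\S+) notification")
DETAIL = re.compile(r"- (\S+) spi = (0x[0-9a-fA-F]+)")  # protocol and SPI of a notify
RESEND = re.compile(r"resend (\d+) (phase[12]) packet")

def triage(log_text):
    """Collect XAuth status, peer notifications and resend counts from a log."""
    report = {"xauth_ok": False, "notifications": [], "resends": {}}
    current = None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # elision ("....."), blank line or wrapped continuation
        stamp, _tag, msg = m.groups()
        if "authentication succeeded" in msg:
            report["xauth_ok"] = True
        elif (n := NOTIFY.search(msg)):
            current = {"time": stamp, "type": n.group(1), "proto": None, "spi": None}
            report["notifications"].append(current)
        elif current and (d := DETAIL.match(msg)):
            current["proto"], current["spi"] = d.groups()
        elif (r := RESEND.search(msg)):
            phase = r.group(2)
            report["resends"][phase] = report["resends"].get(phase, 0) + int(r.group(1))
    return report

def failing_phase(report):
    """Return 'phase2' when the peer rejected an IPsec SA proposal, else None."""
    for n in report["notifications"]:
        # Only ipsec-esp appears in the post; matching any ipsec-* is an assumption.
        if n["type"] == "NO-PROPOSAL-CHOSEN" and (n["proto"] or "").startswith("ipsec-"):
            return "phase2"
    return None
```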


