[vpn-help] ZyWall USG 100 troubles

Matthew Grooms mgrooms at shrew.net
Mon Nov 15 22:51:07 CST 2010


On 11/9/2010 5:45 AM, Roger O. Svenning wrote:
> On 09.11.2010 08:51, Roger O. Svenning wrote:
>> Hi
>>
>> After fiddling with the setup for a few hours I finally got Shrew to
>> establish a tunnel with my ZyWall USG 100 (fw 2.2)
>> But I'm unable to ping any addresses on the remote network.
>>
>> Shrew 2.1.7 on W7x64
>>
>> Remote lan is: 192.168.64.0/24
>> Local virtual adapter: 192.168.65.1/255.255.255.0
>> Policy: Include 192.168.64.0/24
>>
>> I have tried both 192.168.64.0/24 and 192.168.65.0/24 as connection
>> policy in the ZyWall, and enforce policy turned off.
>> I can not see any policies in the ZyWall Firewall that would prevent
>> traffic from the IPSec_VPN zone going to LAN zones.
>>
>
> Oh well, looking at the log it looks like P2 fails:
>
> 10/11/09 12:34:00 ii : user roger authentication succeeded
> 10/11/09 12:34:00 ii : sending xauth acknowledge
> 10/11/09 12:34:00 >= : cookies 568b5fadfde03b39:7000bed28fcb4a56
> 10/11/09 12:34:00 >= : message 243d1797
> 10/11/09 12:34:00 ii : configuration method is manual
> .....
> 10/11/09 12:34:01 ii : created IPSEC policy route for 192.168.64.0/24
> 10/11/09 12:34:01 >= : cookies 568b5fadfde03b39:7000bed28fcb4a56
> 10/11/09 12:34:01 >= : message 893b7f7e
> 10/11/09 12:34:01 ii : split DNS is disabled
> 10/11/09 12:34:01 ii : processing informational packet ( 116 bytes )
> 10/11/09 12:34:01 =< : cookies 568b5fadfde03b39:7000bed28fcb4a56
> 10/11/09 12:34:01 =< : message 8554dea8
> 10/11/09 12:34:01 ii : received peer NO-PROPOSAL-CHOSEN notification
> 10/11/09 12:34:01 ii : - 89.162.xx.xx:500 -> 89.162.xx.xx:500
> 10/11/09 12:34:01 ii : - ipsec-esp spi = 0x684f02c1
> 10/11/09 12:34:01 ii : - data size 50
> 10/11/09 12:34:06 -> : resend 1 phase2 packet(s) 89.162.xx.xx:500 ->
> 89.162.xx.xx:500
> 10/11/09 12:34:06 ii : processing informational packet ( 116 bytes )
> 10/11/09 12:34:06 =< : cookies 568b5fadfde03b39:7000bed28fcb4a56
> 10/11/09 12:34:06 =< : message 8554dea8
> 10/11/09 12:34:06 ii : received peer NO-PROPOSAL-CHOSEN notification
> 10/11/09 12:34:06 ii : - 89.162.xx.xx:500 -> 89.162.xx.xx:500
> 10/11/09 12:34:06 ii : - ipsec-esp spi = 0x684f02c1
> 10/11/09 12:34:06 ii : - data size 50
>
> Currently configured to ESP-3DES/MD5 28800 in both ends
> Also tried ESP-DES/SHA1 3600
> Tried PFS both disabled and set to DH2
>
> Any ideas?

It's probably rejecting the local or remote network IDs. The only example 
I have is the one documented in the wiki, and it works with my Zywall 
device. Have you tried updating your Zywall firmware?

-Matthew
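The log above shows why this is hard to diagnose from the client side: Phase 1 and XAuth complete, the policy route for 192.168.64.0/24 is installed, and the gateway then answers the Quick Mode (Phase 2) proposal with a single NO-PROPOSAL-CHOSEN notify. In IKEv1 the responder sends that same notify whether the ESP transform, the PFS group, or the traffic selectors (IDci/IDcr) fail to match one of its policies, so the client log cannot tell you which of the three it was. The following is an added example, not code from the thread, from the Shrew Soft client, or from ZyXEL: a small Python model of a responder's Quick Mode selection that reports every reason a policy rejects a proposal. The sample inputs are constructed from the numbers in the thread; the assumption that the client presents its virtual adapter address (192.168.65.1/32) as IDci, and the policy names, are illustrative and not taken from the page. Real gateways may order or phrase these checks differently.

```python
"""Model of IKEv1 Quick Mode proposal selection on the responder (gateway) side.

Added example; the matching rules here are the generic IKEv1 ones (selectors,
transform, PFS group), not a description of ZyWall firmware internals.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Transform:
    encr: str   # e.g. "3des", "des"
    auth: str   # e.g. "md5", "sha1"


@dataclass(frozen=True)
class Proposal:
    """What the initiator (the VPN client) offers in Quick Mode."""
    transform: Transform
    idci: IPv4Network            # initiator's traffic selector (client side)
    idcr: IPv4Network            # responder's traffic selector (gateway side)
    pfs_group: Optional[int]     # DH group when PFS is on, None when off


@dataclass(frozen=True)
class Policy:
    """One responder-side VPN connection policy."""
    name: str
    transforms: Sequence[Transform]
    local_net: IPv4Network       # network behind the gateway
    remote_net: IPv4Network      # what the gateway expects the peer to present
    pfs_group: Optional[int]


def net(s: str) -> IPv4Network:
    return ip_network(s, strict=False)


def check_policy(policy: Policy, p: Proposal) -> List[str]:
    """Return every reason this policy rejects the proposal (empty list = accept)."""
    reasons: List[str] = []
    # Selector check: each proposed ID must fall inside the policy's network.
    if not p.idcr.subnet_of(policy.local_net):
        reasons.append(f"IDcr {p.idcr} not within local network {policy.local_net}")
    if not p.idci.subnet_of(policy.remote_net):
        reasons.append(f"IDci {p.idci} not within remote network {policy.remote_net}")
    # Transform check: encryption/authentication pair must be one the policy allows.
    if p.transform not in policy.transforms:
        offered = [f"{t.encr}/{t.auth}" for t in policy.transforms]
        reasons.append(f"transform {p.transform.encr}/{p.transform.auth} not in {offered}")
    # PFS check: both sides must agree on the group (or on no PFS at all).
    if p.pfs_group != policy.pfs_group:
        reasons.append(f"PFS group {p.pfs_group} != policy PFS group {policy.pfs_group}")
    return reasons


def select(policies: Sequence[Policy], p: Proposal) -> Tuple[Optional[str], Dict[str, List[str]]]:
    """Pick the first policy that accepts the proposal.

    Returns (policy_name, {}) on success, or (None, {policy_name: reasons}) which
    is the responder's NO-PROPOSAL-CHOSEN case. The initiator only ever sees the
    notify; the per-policy reasons are what the gateway's own log would hold.
    """
    rejections: Dict[str, List[str]] = {}
    for pol in policies:
        reasons = check_policy(pol, p)
        if not reasons:
            return pol.name, {}
        rejections[pol.name] = reasons
    return None, rejections


# Constructed sample modeled on the thread. Assumption: the client presents its
# virtual adapter address as IDci and the remote LAN it was told to include as IDcr.
CLIENT = Proposal(Transform("3des", "md5"), net("192.168.65.1/32"), net("192.168.64.0/24"), None)

# Three hypothetical gateway policies: LAN-to-LAN selectors, client-range selectors,
# and a correct selector set with a different ESP transform.
GATEWAY_ID_MISMATCH = Policy("lan-vs-lan", (Transform("3des", "md5"),),
                             net("192.168.64.0/24"), net("192.168.64.0/24"), None)
GATEWAY_OK = Policy("lan-vs-client", (Transform("3des", "md5"),),
                    net("192.168.64.0/24"), net("192.168.65.0/24"), None)
GATEWAY_XFORM = Policy("des-sha1", (Transform("des", "sha1"),),
                       net("192.168.64.0/24"), net("192.168.65.0/24"), None)

if __name__ == "__main__":
    for pol in (GATEWAY_ID_MISMATCH, GATEWAY_OK, GATEWAY_XFORM):
        chosen, why = select([pol], CLIENT)
        print(pol.name, "->", chosen or "NO-PROPOSAL-CHOSEN", why.get(pol.name, []))
```

Running it shows the practical point: the LAN-to-LAN policy and the DES/SHA1 policy both end in NO-PROPOSAL-CHOSEN from the client's point of view, but for different reasons, so the place to look is the gateway's own IKE log (or a packet capture of the Quick Mode ID payloads), not more retries of the client.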



More information about the vpn-help mailing list