  1. #1
    Newbie
    Join Date
    Jul 2011
    Location
    Lihue, HI
    Posts
    14

    Connecting to Zyxel USG 100

    I'm trying to establish a tunnel with a Zyxel USG 100, but the tunnel does not come up correctly. Anyone have any settings advice? What settings does Untangle try and use anyway? I can't find any documentation on that. If I can tell the admin at the other end of the tunnel what settings UT is using, they could adjust.

    Here is what I'm seeing in the logs:

    : "Tunnel" #1: initiating Main Mode
    : "Tunnel" #1: ignoring unknown Vendor ID payload [f758f22668750f03b08df6ebe1d0]
    : "Tunnel" #1: received Vendor ID payload [Dead Peer Detection]
    : "Tunnel" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    : "Tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    : transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    : "Tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    : "Tunnel" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
    : "Tunnel" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xx8'
    : "Tunnel" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
    : "Tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
    : "Tunnel" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:ad023784 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
    : "Tunnel" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    : "Tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0ba2e618 <0x83bc7ae8 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
    : "Tunnel" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
    : "Tunnel" #1: received and ignored informational message
    : "Tunnel" #1: received Delete SA payload: deleting ISAKMP State #1
    : packet from xxx.xxx.xxx.xx8:500: received and ignored informational message
    : "Tunnel" #3: initiating Main Mode
    : "Tunnel" #3: ignoring unknown Vendor ID payload [f758f22668750f03b08df6ebe1d0]
    : "Tunnel" #3: received Vendor ID payload [Dead Peer Detection]
    : "Tunnel" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    : "Tunnel" #3: STATE_MAIN_I2: sent MI2, expecting MR2
    : "Tunnel" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    : "Tunnel" #3: STATE_MAIN_I3: sent MI3, expecting MR3
    : "Tunnel" #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
    : "Tunnel" #3: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xx8'
    : "Tunnel" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
    : "Tunnel" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
    : "Tunnel" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#3 msgid:a422076c proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
    : "Tunnel" #3: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
    : "Tunnel" #3: received and ignored informational message
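
Added example (not part of the original post, and not Untangle's own code): the log above already records what the initiating side negotiated, so a short script can pull out the Phase 1 and Phase 2 parameters, plus the peer's delete and reject notifications, to hand to the remote admin. The sample lines are copied from the log in the post; the function name `summarize` and the event labels are hypothetical.

```python
import re

# Log lines copied from the post above (pluto-style IKE log format).
SAMPLE = '''\
: "Tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
: "Tunnel" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:ad023784 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
: "Tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0ba2e618 <0x83bc7ae8 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
: "Tunnel" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
: "Tunnel" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
: "Tunnel" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#3 msgid:a422076c proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
: "Tunnel" #3: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
'''

LINE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
KV = re.compile(r'(\w+)=([^\s}]+)')  # key=value pairs inside the {...} summary

def summarize(log_text):
    """Return (phase1, phase2, events) extracted from the log text."""
    phase1, phase2, events = {}, {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        sa, msg = int(m['sa']), m['msg']
        brace = msg[msg.find('{'):] if '{' in msg else ''
        fields = dict(KV.findall(brace))
        if 'ISAKMP SA established' in msg:        # Phase 1 (Main Mode) result
            phase1 = {k: fields[k] for k in ('auth', 'cipher', 'prf', 'group')}
        elif 'initiating Quick Mode' in msg:      # Phase 2 proposal being sent
            phase2['pfsgroup'] = fields.get('pfsgroup', 'none')
        elif 'IPsec SA established' in msg:       # Phase 2 result
            phase2['xfrm'] = fields['xfrm']
            phase2['mode'] = 'tunnel' if 'tunnel mode' in msg else 'transport'
        elif 'received Delete SA payload' in msg:  # peer tore the SA down
            events.append((sa, 'peer deleted SA'))
        elif 'NO_PROPOSAL_CHOSEN' in msg:          # peer refused the proposal
            events.append((sa, 'peer rejected proposal'))
    return phase1, phase2, events

if __name__ == '__main__':
    p1, p2, ev = summarize(SAMPLE)
    print('Phase 1 (IKE):', p1)
    print('Phase 2 (ESP):', p2)
    for sa, what in ev:
        print(f'state #{sa}: {what}')
```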

  2. #2
    Newbie
    Join Date
    Jul 2011
    Location
    Lihue, HI
    Posts
    14

    We got it working after another round of trial and error. Maybe this will help someone else in the future.

    ESP
    3DES/SHA1
    DH2


    Here is the IPSec State on Untangle:

    src xxx.xxx.xxx.xx6 dst xxx.xxx.xxx.xx8
    proto esp spi 0x24417f2b reqid 16385 mode tunnel
    replay-window 32 flag 20
    auth hmac(sha1)
    enc cbc(des3_ede)
    src xxx.xxx.xxx.xx8 dst xxx.xxx.xxx.xx6
    proto esp spi 0xba6fef09 reqid 16385 mode tunnel
    replay-window 32 flag 20
    auth hmac(sha1)
    enc cbc(des3_ede)

  3. #3
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,762

    Thanks for posting your solution!
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Newbie
    Join Date
    Jul 2011
    Location
    Lihue, HI
    Posts
    14

    Just another update: The tunnel is extremely unreliable, and quits randomly. I'm at a loss trying to make sense of the logs, and I'm just about giving up on trying to make it work. So my final advice to anyone else would be to assume these two devices do not work together. At least not at an acceptable level for production environments.

    If I had access to both tunnel endpoints I might dig more to see what's going on, but I do not.

  5. #5
    Master Untangler
    Join Date
    Aug 2008
    Posts
    400

    First, I know nothing about setting up VPNs, but would the Zyxel VPN client help? Look at the very bottom of this links page.

    http://www.zyxelguard.com/ZyWALL-USG100.asp

    .

  6. #6
    Newbie
    Join Date
    Jul 2011
    Location
    Lihue, HI
    Posts
    14

    Quote: Originally posted by blueshoes
    First, I know nothing about setting up VPNs, but would the Zyxel VPN client help? Look at the very bottom of this links page.

    http://www.zyxelguard.com/ZyWALL-USG100.asp

    .
    This might be a workaround. Thank you for the suggestion.
