How it Works
Zyxel
Loading...
ZyWall 10
Reference Manual
130 pgs2.6 Mb0
SMT User's Guide
228 pgs2.26 Mb0
User Manual
12 pgs274.36 Kb0
user manual
495 pgs14.9 Mb0
User Manual
254 pgs4.54 Mb0
User Manual
536 pgs11.39 Mb0
User Manual
342 pgs3.89 Mb0

Zyxel ZYWALL 10 User Manual

Download
Page 1
TheGreenBow IPSec VPN Client
Configuration Guide
Router:
WebSite: http://www.thegreenbow.com Contact: support@thegreenbow.com
Zyxel ZyWall 10
IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © Sistech 2001-2005 0/12
Page 2
Doc.Ref tgbvpn_cg_ZyWall10_en Doc.version 2.0 – Nov.2004 VPN version 2.5x
Table of contents
1 Introduction.................................................................................................................................................... 0
1.1 Goal of this document............................................................................................................................... 0
1.2 Network topology...................................................................................................................................... 0
2 ZyWall VPN Configuration............................................................................................................................. 0
2.1 ZyWall VPN Configuration interface.......................................................................................................... 0
2.2 ZyWall IKE Mode......................................................................................................................................0
2.3 ZyWall Phase 2 IDs................................................................................................................................... 0
2.4 ZyWall Phase 1 IDs................................................................................................................................... 0
2.5 ZyWall IPSec Protocol ..............................................................................................................................0
2.6 ZyWall Authentication and encryption algorithms......................................................................................0
3 TheGreenBow IPSec VPN Client configuration............................................................................................. 0
3.1 VPN Client Phase 1 (IKE) Configuration................................................................................................... 0
3.2 VPN Client Phase 2 (IPSec) Configuration............................................................................................... 0
3.3 Open the IPSec VPN tunnels.................................................................................................................... 0
4 VPN IPSec Troubleshooting.......................................................................................................................... 0
4.1 « PAYLOAD MALFORMED » error.......................................................................................................... 0
4.2 « INVALID COOKIE » error....................................................................................................................... 0
4.3 « no keystate » error................................................................................................................................. 0
4.4 « received remote ID other than expected » error..................................................................................... 0
4.5 « NO PROPOSAL CHOSEN » error......................................................................................................... 0
4.6 « INVALID ID INFORMATION » error....................................................................................................... 0
4.7 I clicked on “Open tunnel”, but nothing happens....................................................................................... 0
4.8 The VPN tunnel is up but I can’t ping !...................................................................................................... 0
5 Contacts......................................................................................................................................................... 0
IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © Sistech 2001-2005 2/12
Page 3
Doc.Ref tgbvpn_cg_ZyWall10_en Doc.version 2.0 – Nov.2004 VPN version 2.5x
1 Introduction
1.1 Goal of this document
This document describes how to configure TheGreenBow VPN Client with a Zyxel ZyWall 10.
1.2 Network topology
In our example, we will connect TheGreenBow VPN client to the LAN behind the Zyxel ZyWall Router. The VPN client is connected to the Internet by a dialup connection fr om an ISP. The client will have a virtual IP addre ss in the remote LAN. All the addresses in this document are given for example purpose.
80.11.8.4
Internet
192.168.1.1 155.2.4.36
Zyxel
ZyWall 10
192.168.100.57
192.168.1.3
192.168.1.78
IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © Sistech 2001-2005 3/12
Page 4
Doc.Ref tgbvpn_cg_ZyWall10_en Doc.version 2.0 – Nov.2004 VPN version 2.5x
2 ZyWall VPN Configuration
ZyNOS Firmware version release of the Zyxel ZyWall 10 used during tests was ZyNOS 3.52 (WA.3) | 05/28/2003.
2.1 ZyWall VPN Configuration interface
Zywall VPN configuration can be achieved with a web browser. Read Zyxel ZyWA LL 10 documentation for mor e information.
Once connected to your VPN gatew ay, click on "VPN" link in the Zyxel ZyWALL 10 VPN configuration interface. Select a VPN connection and click on "Edit":
2.2 ZyWall IKE Mode
Click on "Active". Select "IKE" and "Main" if you want to use IKE Main mode exchange.
IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © Sistech 2001-2005 4/12
Page 5
Doc.Ref tgbvpn_cg_ZyWall10_en Doc.version 2.0 – Nov.2004 VPN version 2.5x

2.3 ZyWall Phase 2 IDs

The settings "Local" and "Remote" are in fact Phase 2 IDs. In Loca l Address Type, you must select "Subnet Address" and fill the field “Starting IP Address” with the IP addresses of your LAN.

2.4 ZyWall Phase 1 IDs

Phase 1 IDs are set in the following view of the conf iguration interface. We choose to use IP Addresses as IDs.
2.5 ZyWall IPSec Protocol
Next step consists into selecting IPSec Protocol. TheGreenBow VP N client do not accept AH protocol. Set the Pre-Shared Key and click on "Advanced".
IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © Sistech 2001-2005 5/12
Page 6
Doc.Ref tgbvpn_cg_ZyWall10_en Doc.version 2.0 – Nov.2004 VPN version 2.5x
2.6 ZyWall Authentication and encryption algorithms
For Phase 1, select the algorithm you want. DH 1 is also known as Diffie-Hellman 768 and DH2 as Diffie-Hellman
1024.
For Phase 2, do not forget to select "ESP" as active protocol.
Click on « Apply » once you have finished.
IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © Sistech 2001-2005 6/12
Page 7
Doc.Ref tgbvpn_cg_ZyWall10_en Doc.version 2.0 – Nov.2004 VPN version 2.5x
3 TheGreenBow IPSec VPN Client configuration
3.1 VPN Client Phase 1 (IKE) Configuration
In the "Interface" field, you can select a star ("*"), if the client host re ceive a dynamic IP Address from an ISP for example.
The "Remote Address" field value is the Zyxel ZyWALL VPN router publ ic IP address or DNS address. By clicking in "Advanced" button, you can setup "Ph as e 1 Ids" and "Aggressive Mode".
The remote Gateway IP address is either an explicit IP address,
abcdefgh
abcdefgh
Phase 1 configuration
3.2 VPN Client Phase 2 (IPSec) Configuration
In this window, you define IPSec VPN Poli cy. "VPN Client address" is the virtual IP address of the cl ient inside the LAN. With Zyxel VPN gateways, this address must not belong to the remote LAN.
Take as example the choice of 19 2.168. 1.100 for virtua l IP addr ess. When the VPN c lient is sen ding a TCP or an UDP packet to a target remote computer 192.168.0.x, th is target will send inside its subnet an ARP request in order to get VPN client MAC address and reply directly to it. But, this request cannot receive any answer because the client is not physically present inside the subnet. So, initial packets from the client will not be answered.
IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © Sistech 2001-2005 7/12
Page 8
Doc.Ref tgbvpn_cg_ZyWall10_en
ging
Doc.version 2.0 – Nov.2004 VPN version 2.5x
You may define a static virtual IP address here.
For use with Zyxel routers, do NOT specify an IP address belon
to the remote LAN’s
Enter the IP address (and subnet mask) of the remote LAN.
Phase2 Configuration
3.3 Open the IPSec VPN tunnels
Once both Zyxel Zywall VPN router and TheGreenBow IPS ec VPN Client have bee n configured accord ingly, you are ready to open VPN tunnels. First make sure you ena ble your firewall with IPSec traffic.
1. Click on "Save & Apply" to take into account all modifications we've made on your VPN Client configuration
2. Click on "Open Tunnel", or generate traffic that will automatical ly open a secure IPsec VPN Tu nnel (e.g. ping, IE browser)
3. Select "Connections" to see opened VPN Tunnels
4. Select "Console" if you want to access to the IPSec VPN logs and adjust filters to display less IPSec messaging.
IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © Sistech 2001-2005 8/12
Page 9
Doc.Ref tgbvpn_cg_ZyWall10_en Doc.version 2.0 – Nov.2004 VPN version 2.5x
4 VPN IPSec Troubleshooting
4.1 « PAYLOAD MALFORMED » error
114920 Default (SA ZyWALL-P1) SEND phase 1 Main Mode [SA][VID] 114920 Default (SA ZyWALL-P1) RECV phase 1 Main Mode [NOTIFY] 114920 Default exchange_run: exchange_validate failed 114920 Default dropped message from 195.100.205.114 port 500 due to notification type PAYLOAD_MALFORMED 114920 Default SEND Informational [NOTIFY] with PAYLOAD_MALFORMED error
If you have an « PAYLOAD MALFORMED » error you might have a wrong Phase 1 [SA], check if the encryption algorithms are the same on each side of the VPN tunnel.
4.2 « INVALID COOKIE » error
115933 Default message_recv: invalid cookie(s) 5918ca0c2634288f 7364e3e486e49105 115933 Default dropped message from 195.100.205.114 port 500 due to notification type INVALID_COOKIE 115933 Default SEND Informational [NOTIFY] with INVALID_COOKIE error
If you have an « INVALID COOKIE » error, it mean s that on e of th e end poi nt is usi ng a S A th at is no more i n use. Reset the VPN connection on each side.
4.3 « no keystate » error
115315 Default (SA ZyWALL-P1) SEND phase 1 Main Mode [SA][VID] 115317 Default (SA ZyWALL-P1) RECV phase 1 Main Mode [SA][VID] 115317 Default (SA ZyWALL-P1) SEND phase 1 Main Mode [KEY][NONCE] 115319 Default (SA ZyWALL-P1) RECV phase 1 Main Mode [KEY][NONCE] 115319 Default (SA ZyWALL-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY] 115319 Default ipsec_get_keystate: no keystate in ISAKMP SA 00B57C50
If you have an « no keystate » error, check if the preshared key is correct or if the local ID is correct (see « Advanced » button). You should have m ore information in the remote endpoint logs.
4.4 « received remote ID other than expected » error
120348 Default (SA ZyWALL-P1) SEND phase 1 Main Mode [SA][VID] 120349 Default (SA ZyWALL-P1) RECV phase 1 Main Mode [SA][VID] 120349 Default (SA ZyWALL-P1) SEND phase 1 Main Mode [KEY][NONCE] 120351 Default (SA ZyWALL-P1) RECV phase 1 Main Mode [KEY][NONCE] 120351 Default (SA ZyWALL-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY] 120351 Default (SA ZyWALL-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY] 120351 Default ike_phase_1_recv_ID: received remote ID other than expected support@thegreenbow.fr
The « Remote ID » value (see « Advanced » Button) do not match what the remote endpoint is expected.
IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © Sistech 2001-2005 9/12
Page 10
Doc.Ref tgbvpn_cg_ZyWall10_en Doc.version 2.0 – Nov.2004 VPN version 2.5x
4.5 « NO PROPOSAL CHOSEN » error
115911 Default (SA ZyWALL-P1) SEND phase 1 Main Mode [SA][VID] 115913 Default (SA ZyWALL-P1) RECV phase 1 Main Mode [SA][VID] 115913 Default (SA ZyWALL-P1) SEND phase 1 Main Mode [KEY][NONCE] 115915 Default (SA ZyWALL-P1) RECV phase 1 Main Mode [KEY][NONCE] 115915 Default (SA ZyWALL-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY] 115915 Default (SA ZyWALL-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY] 115915 Default phase 1 done: initiator id c364cd70: 195.100.205.112, responder id c364cd72: 195.100.205.114, src: 195.100.205.112 dst: 195.100.205.114 115915 Default (SA ZyWALL-ZyWALL-P2) SEND phase 2 Quick Mode [SA][KEY][ID][HASH][NONCE] 115915 Default RECV Informational [HASH][NOTIFY] with NO_PROPOSAL_CHOSEN error 115915 Default RECV Informational [HASH][DEL] 115915 Default ZyWALL-P1 deleted
If you have an « NO PRO POSAL CHOSEN » error, check that the « Phase 2 » encryption al gorithms are the same on each side of the VPN Tunnel.
Check « Phase 1 » algorithms if you have this:
115911 Default (SA ZyWALL-P1) SEND phase 1 Main Mode [SA][VID] 115911 Default RECV Informational [NOTIFY] with NO_PROPOSAL_CHOSEN error
4.6 « INVALID ID INFORMATION » error
122623 Default (SA ZyWALL-P1) SEND phase 1 Main Mode [SA][VID] 122625 Default (SA ZyWALL-P1) RECV phase 1 Main Mode [SA][VID] 122625 Default (SA ZyWALL-P1) SEND phase 1 Main Mode [KEY][NONCE] 122626 Default (SA ZyWALL-P1) RECV phase 1 Main Mode [KEY][NONCE] 122626 Default (SA ZyWALL-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY] 122626 Default (SA ZyWALL-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY] 122626 Default phase 1 done: initiator id c364cd70: 195.100.205.112, responder id c364cd72: 195.100.205.114, src: 195.100.205.112 dst: 195.100.205.114 122626 Default (SA ZyWALL-ZyWALL-P2) SEND phase 2 Quick Mode [SA][KEY][ID][HASH][NONCE] 122626 Default RECV Informational [HASH][NOTIFY] with INVALID_ID_INFORMATION error 122626 Default RECV Informational [HASH][DEL] 122626 Default ZyWALL-P1 deleted
If you have an « INVALID ID INFORMATION » error, check if « Phase 2 » ID (local address and network address) is correct and match what is expected by the remote endpoint.
Check also ID type (“Subnet address” and “Single address”). If network mask is not check, you are using a IPV4_ADDR type (and not a IPV4_SUBNET type).
Check in ZyWALL SA monitor if a previous SA is still alive.
4.7 I clicked on “Open tunnel”, but nothing happens.
Read logs of each VPN tunnel endpoi nt. IKE requests can be dropped by firewalls. An IPSec Cl ient uses UDP port 500 and protocol ESP (protocol 50).
4.8 The VPN tunnel is up but I can’t ping !
If the VPN tunnel is up, but you still cannot ping the remote LAN, here are a few guidelines:
Check Phase 2 settings: VP N Client address an d Remote LAN a ddress. Usually, VPN Client IP address should not belong to the remote LAN subnet
Once VPN tunnel is up, packets are sent with ESP pr otocol. This protocol can be blocked by firewall. Check that every device between the client and the VPN server does accept ESP
Check your VP N server logs. Packets can be dropped by one of its firewall rules.
IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © Sistech 2001-2005 10/12
Page 11
Doc.Ref tgbvpn_cg_ZyWall10_en Doc.version 2.0 – Nov.2004 VPN version 2.5x
Check your ISP support ESP
If you still cannot pi ng, follow ICMP traffic on VPN serv er LAN interface and on LA N computer interfac e
(with Ethereal for example). You will have an indication that encryption works.
Check the “def ault gateway” value in VPN Server LAN. A target on your remote LAN can re ceive pings but does not answer because there is a no “Defau lt gateway” setting.
You cannot ac cess to the comput ers in the LAN by their name. You must specify their IP ad dress inside the LAN.
We recommend you to instal l ethereal ( can check that your pings arrive inside the LAN.
http://www.ethereal.com) on one of your target comput er. You
IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © Sistech 2001-2005 11/12
Page 12
Doc.Ref tgbvpn_cg_ZyWall10_en Doc.version 2.0 – Nov.2004 VPN version 2.5x
5 Contacts
News and updates on TheGreenBow web site : http://www.thegreenbow.com Technical support by email at support@thegreenbow.com Sales contacts at +33 1 43 12 39 37 ou by email at info@thegreenbow.com
IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © Sistech 2001-2005 12/12
Loading...
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use