Issue #2678

Updated by Tobias Brunner about 4 years ago

Hello, I'm trying to get a system to connect to a Zyxel USG 60 IPSec L2TP Server.

It's failing on phase 1 somehow. I've double checked the PSK and settings on both sides but there must be something I'm missing.
NOTE: Actual public IP addresses have been changed for the sake of this post.

Version: Linux strongSwan U5.6.1/K3.10.0-862.2.3.el7.x86_64

From the strongSwan side I see this:
<pre>
peer not responding, trying again (3/3)
initiating Main Mode IKE_SA vpnconn1[1] to 47.21.145.234
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 45.63.13.137[500] to 47.21.145.234[500] (240 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from 45.63.13.137[500] to 47.21.145.234[500] (240 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from 45.63.13.137[500] to 47.21.145.234[500] (240 bytes)
sending retransmit 3 of request message ID 0, seq 1
sending packet: from 45.63.13.137[500] to 47.21.145.234[500] (240 bytes)
sending retransmit 4 of request message ID 0, seq 1
sending packet: from 45.63.13.137[500] to 47.21.145.234[500] (240 bytes)
sending retransmit 5 of request message ID 0, seq 1
sending packet: from 45.63.13.137[500] to 47.21.145.234[500] (240 bytes)
</pre>


The Zyxel shows it's sending responses and doing a tcpdump on the strongSwan side shows they are being received:

<pre>
[root@freepbx strongswan]# tcpdump udp port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:32:29.274563 IP zyxel.net.isakmp > xx.xx.xx.xx.xxxx.com.isakmp: isakmp: phase 1 ? ident
06:32:37.802463 IP xx.xx.xx.xx.xxxx.com.isakmp > zyxel.net.isakmp.net.isakmp: isakmp: phase 1 I ident
06:32:37.855213 IP zyxel.net.isakmp.net.isakmp > xx.xx.xx.xx.xxxx.com.isakmp: isakmp: phase 1 R ident
06:32:45.177450 IP zyxel.net.isakmp.net.isakmp > xx.xx.xx.xx.xxxx.com.isakmp: isakmp: phase 1 R ident
</pre>


ipsec.conf:

<pre>
# ipsec.conf - strongSwan IPsec configuration file

config setup
charondebug="ike 5"

conn vpnconn1
type=tunnel
authby=secret

right=zyxel.net.isakmp
rightsubnet=192.168.1.0/24 #to connect only to one Client, use i.e. 192.168.1.20/32
rightid=server

left=%defaultroute #if ZyWall has a dynamic IP address, use zywall.dyndns.org
leftsubnet=xx.xx.xx.xx/32 #to connect only to one Server, use i.e. 10.0.0.20/32
rightid=client

keyexchange=ikev1
ike=aes256-sha512-modp1024
esp=aes256-sha512-modp1024 #change to "esp=aes256-sha512-modp1024" for version 5 compatibility!
# auth=esp #remove for version 5 compatibility!
auto=add
</pre>

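Added example (not part of the issue above and not strongSwan's own code): two checks a practitioner can run over a stuck IKEv1 Main Mode negotiation like the one reported. `correlate()` compares what charon logged with what tcpdump saw on the wire, so "peer never answers" can be told apart from "replies arrive on the interface but charon never logs `received packet`/`parsed ... response`", which points at a local cause (filtering, socket binding, address mismatch) rather than the peer. `lint_ipsec_conf()` flags a key set twice inside one `conn` section, since ipsec.conf silently keeps only the last value. The log, tcpdump and ipsec.conf excerpts are constructed to mirror the post; hostnames and addresses are placeholders from documentation ranges.

```python
"""Constructed diagnostic helpers for a stalled IKEv1 Main Mode exchange.
Neither the inputs nor the functions come from the strongSwan project."""
import re
from collections import Counter, defaultdict

# Constructed charon log excerpt (mirrors the retransmit loop in the report).
CHARON_LOG = """\
initiating Main Mode IKE_SA vpnconn1[1] to 203.0.113.10
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 198.51.100.5[500] to 203.0.113.10[500] (240 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from 198.51.100.5[500] to 203.0.113.10[500] (240 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from 198.51.100.5[500] to 203.0.113.10[500] (240 bytes)
"""

# Constructed tcpdump excerpt: responder (R) packets do reach the host.
TCPDUMP = """\
06:32:37.802463 IP client.example.isakmp > zyxel.example.isakmp: isakmp: phase 1 I ident
06:32:37.855213 IP zyxel.example.isakmp > client.example.isakmp: isakmp: phase 1 R ident
06:32:45.177450 IP zyxel.example.isakmp > client.example.isakmp: isakmp: phase 1 R ident
"""

# Constructed ipsec.conf with a key repeated inside one conn section.
IPSEC_CONF = """\
config setup
    charondebug="ike 5"

conn vpnconn1
    type=tunnel
    authby=secret
    right=zyxel.example
    rightid=server
    left=%defaultroute
    rightid=client
    keyexchange=ikev1
    auto=add
"""

RETRANSMIT_RE = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")
# charon lines that prove a reply was actually handed to the daemon
PROCESSED_RE = re.compile(r"^(received packet|parsed )")
TCPDUMP_RE = re.compile(r"isakmp: phase 1 ([IR]) ident")
SECTION_WORDS = ("conn", "config", "ca")


def correlate(charon_log: str, tcpdump: str) -> dict:
    """Compare charon's view with the wire.  Responder packets on the wire plus
    zero processed replies and a climbing retransmit counter means the replies
    arrive but never reach (or are never accepted by) the daemon."""
    retransmits = [int(m.group(1)) for m in RETRANSMIT_RE.finditer(charon_log)]
    processed = sum(1 for line in charon_log.splitlines() if PROCESSED_RE.match(line))
    wire = Counter(m.group(1) for m in TCPDUMP_RE.finditer(tcpdump))
    return {
        "retransmits": max(retransmits, default=0),
        "replies_processed_by_charon": processed,
        "initiator_packets_on_wire": wire["I"],
        "responder_packets_on_wire": wire["R"],
        "replies_seen_but_not_processed": wire["R"] > 0 and processed == 0,
    }


def lint_ipsec_conf(text: str) -> dict:
    """Return {section: {key: count}} for keys set more than once in a section.
    Only the last value survives, so a duplicate usually hides a typo of a
    sibling key (for example leftid written as rightid)."""
    seen = defaultdict(Counter)
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        first = line.split(None, 1)[0]
        if first in SECTION_WORDS and "=" not in line:
            section = line  # e.g. "conn vpnconn1" or "config setup"
            continue
        if "=" in line and section:
            key = line.split("=", 1)[0].strip()
            seen[section][key] += 1
    return {s: {k: n for k, n in c.items() if n > 1}
            for s, c in seen.items() if any(n > 1 for n in c.values())}


if __name__ == "__main__":
    print(correlate(CHARON_LOG, TCPDUMP))
    print(lint_ipsec_conf(IPSEC_CONF))
```

On the constructed input, `correlate()` reports two responder packets on the wire and no reply processed by charon, which is the combination the post describes; `lint_ipsec_conf()` reports `rightid` set twice in `conn vpnconn1`. Feed it the real `charon` log and the real tcpdump output (with `-n` to avoid the reverse-DNS noise visible in the post) to get the same split for a live case.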