On 11/9/2010 5:45 AM, Roger O. Svenning wrote:
On 09.11.2010 08:51, Roger O. Svenning wrote:
Hi

After fiddling with the setup for a few hours I finally got Shrew to
establish a tunnel with my ZyWall USG 100 (fw 2.2)
But I'm unable to ping any addresses on the remote network.

Shrew 2.1.7 on W7x64

Remote lan is: 192.168.64.0/24
Local virtual adapter: 192.168.65.1/255.255.255.0
Policy: Include 192.168.64.0/24

I have tried both 192.168.64.0/24 and 192.168.65.0/24 as connection
policy in the ZyWall, and enforce policy turned off.
I cannot see any policies in the ZyWall Firewall that would prevent
traffic from the IPSec_VPN zone going to LAN zones.


Oh well, looking at the log it looks like P2 fails:

10/11/09 12:34:00 ii : user roger authentication succeeded
10/11/09 12:34:00 ii : sending xauth acknowledge
10/11/09 12:34:00 >= : cookies 568b5fadfde03b39:7000bed28fcb4a56
10/11/09 12:34:00 >= : message 243d1797
10/11/09 12:34:00 ii : configuration method is manual
.....
10/11/09 12:34:01 ii : created IPSEC policy route for 192.168.64.0/24
10/11/09 12:34:01 >= : cookies 568b5fadfde03b39:7000bed28fcb4a56
10/11/09 12:34:01 >= : message 893b7f7e
10/11/09 12:34:01 ii : split DNS is disabled
10/11/09 12:34:01 ii : processing informational packet ( 116 bytes )
10/11/09 12:34:01 =< : cookies 568b5fadfde03b39:7000bed28fcb4a56
10/11/09 12:34:01 =< : message 8554dea8
10/11/09 12:34:01 ii : received peer NO-PROPOSAL-CHOSEN notification
10/11/09 12:34:01 ii : - 89.162.xx.xx:500 -> 89.162.xx.xx:500
10/11/09 12:34:01 ii : - ipsec-esp spi = 0x684f02c1
10/11/09 12:34:01 ii : - data size 50
10/11/09 12:34:06 -> : resend 1 phase2 packet(s) 89.162.xx.xx:500 -> 89.162.xx.xx:500
10/11/09 12:34:06 ii : processing informational packet ( 116 bytes )
10/11/09 12:34:06 =< : cookies 568b5fadfde03b39:7000bed28fcb4a56
10/11/09 12:34:06 =< : message 8554dea8
10/11/09 12:34:06 ii : received peer NO-PROPOSAL-CHOSEN notification
10/11/09 12:34:06 ii : - 89.162.xx.xx:500 -> 89.162.xx.xx:500
10/11/09 12:34:06 ii : - ipsec-esp spi = 0x684f02c1
10/11/09 12:34:06 ii : - data size 50

Currently configured to ESP-3DES/MD5 28800 in both ends
Also tried ESP-DES/SHA1 3600
Tried PFS both disabled and set to DH2

Any ideas?
_______________________________________________

It's probably rejecting the local or remote network IDs. The only example I have is the one documented in the wiki, and it works with my Zywall device. Have you tried updating your Zywall firmware?

-Matthew
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
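
The log pattern discussed in this thread (Xauth succeeds, then the peer answers every phase 2 attempt with NO-PROPOSAL-CHOSEN for the same ESP SPI) can be picked out of a client log mechanically. The following is an added example, not code from either poster or from the Shrew project; the function names `records` and `triage` are hypothetical, and the line format is assumed to be exactly what the excerpt above shows.

```python
import re
from collections import Counter

# Assumed line shape, taken from the excerpt in the thread: "date time tag : message"
LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S\S) : (.*)$")
SPI = re.compile(r"^- (\S+) spi = (0x[0-9a-fA-F]+)")
RESEND = re.compile(r"^resend (\d+) phase2 packet")

# Lines excerpted from the log in the thread; the resend line is kept wrapped as mailed.
SAMPLE_LOG = """\
10/11/09 12:34:00 ii : user roger authentication succeeded
10/11/09 12:34:01 ii : received peer NO-PROPOSAL-CHOSEN notification
10/11/09 12:34:01 ii : - 89.162.xx.xx:500 -> 89.162.xx.xx:500
10/11/09 12:34:01 ii : - ipsec-esp spi = 0x684f02c1
10/11/09 12:34:06 -> : resend 1 phase2 packet(s) 89.162.xx.xx:500 ->
89.162.xx.xx:500
10/11/09 12:34:06 ii : received peer NO-PROPOSAL-CHOSEN notification
10/11/09 12:34:06 ii : - 89.162.xx.xx:500 -> 89.162.xx.xx:500
10/11/09 12:34:06 ii : - ipsec-esp spi = 0x684f02c1
"""

def records(text):
    """Return [timestamp, tag, message] entries, re-joining lines the mailer wrapped."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            out.append(list(m.groups()))
        elif out and raw.strip():
            out[-1][2] += " " + raw.strip()   # continuation of the previous entry
    return out

def triage(text):
    """Count NO-PROPOSAL-CHOSEN rejections per (protocol, SPI) and phase 2 resends."""
    xauth_ok, pending, resends, rejected = False, False, 0, Counter()
    for _ts, _tag, msg in records(text):
        if not msg.startswith("- "):          # a new event; detail lines start with "- "
            pending = "NO-PROPOSAL-CHOSEN notification" in msg
        elif pending and (m := SPI.match(msg)):
            rejected[(m.group(1), m.group(2))] += 1
        if "authentication succeeded" in msg:
            xauth_ok = True
        if m := RESEND.match(msg):
            resends += int(m.group(1))
    phase2 = any(proto.startswith("ipsec-") for proto, _spi in rejected)
    verdict = "phase2-proposal-rejected" if xauth_ok and phase2 else "inconclusive"
    return {"xauth_ok": xauth_ok, "rejected": dict(rejected),
            "phase2_resends": resends, "verdict": verdict}
```

A `phase2-proposal-rejected` verdict means authentication completed and only the IPsec SA negotiation is being refused, so the things to compare on both ends are the phase 2 transform, lifetime, PFS group and the local and remote network IDs.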
