VPN through two Zyxel P-2812HNU-F1s

Discussion in 'Networking & NAS' started by Morphies, Mar 10, 2013.

  1. Morphies

    Morphies
    Active Member

    Joined:
    Aug 18, 2008
    Messages:
    818
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    31
    Location:
    Rotherham
    Ratings:
    +89
    Good morning all,

    The firm I work for recently bought a new building. The company is fairly small, and we spend very little on IT. I've been trying to connect the two sites together myself and am having a hair-pulling time of it!

    Both sites have a Zyxel P-2812HNU-F1. The user manual for this is pretty poor regarding the VPN functions.

    Site one has a Small Business Server 2011 Essentials server acting as DHCP.

    Site two aims to connect to site one using the VPN function on both P-2812HNU-F1s.

    I've been trying to get this working for some time now, and have had very little luck; so here I am.

    I've made a couple of calls to Zyxel's tech support, but have had little luck; the last time I called, an agent said they would call me back, and as yet I'm still waiting.

    Site 1 details:
    IP pool: 192.168.1.x
    Subnet: 255.255.255.0
    SBS server IP: 192.168.1.1 (DHCP Enabled)
    P-2812HNU-F1 IP: 192.168.1.253 (DHCP Disabled, Firewall Disabled)

    Site 2 details:
    IP pool: 192.168.2.x
    Subnet: 255.255.255.0
    P-2812HNU-F1 IP: 192.168.2.254 (DHCP enabled, Firewall Disabled)

    Now, the current VPN settings I have are as follows:

    Site 1:

    IPSEC Setup
    Active: on
    NAT Traversal: ON
    Tunnel Name: roth-sheff
    Mode: net-net
    Local
    Local Address Type: Subnet
    IP Address Start: 192.168.1.0
    End/Subnet Mask: 255.255.255.0

    remote
    Remote Address Type: Subnet
    IP Address Start: 192.168.2.0
    End/Subnet Mask: 255.255.255.0

    Address Information
    WAN Interface: SYDR_VDSL
    My IP Address: removed but is the WAN IP of site 1
    Secure Gateway address: IP Address: removed but is the WAN IP of site 2
    Local ID: None
    Content: blank
    remote ID: None
    Content: blank

    Security Protocol
    Pre shared Key: 1234567
    Local: blank
    Remote: blank

    Advanced Settings

    Phase1
    Encryption Algorithm: AES-256
    Authentication Algorithm: SHA1
    DH: Diffie-Hellman Group5
    SA Life time (seconds): 28800

    Phase2
    Encryption Algorithm: AES-256
    Authentication Algorithm: MD5
    DH: Diffie-Hellman Group5
    SA Life time (seconds): 28800

    DPD
    DPD Active: On

    Site 2:

    IPSEC Setup
    Active: on
    NAT Traversal: ON
    Tunnel Name: roth-sheff
    Mode: net-net
    Local
    Local Address Type: Subnet
    IP Address Start: 192.168.2.0
    End/Subnet Mask: 255.255.255.0

    remote
    Remote Address Type: Subnet
    IP Address Start: 192.168.1.0
    End/Subnet Mask: 255.255.255.0

    Address Information
    WAN Interface: SYDR_VDSL
    My IP Address: removed but is the WAN IP of site 2
    Secure Gateway address: IP Address: removed but is the WAN IP of site 1
    Local ID: None
    Content: blank
    remote ID: None
    Content: blank

    Security Protocol
    Pre shared Key: 1234567
    Local: blank
    Remote: blank

    Advanced Settings

    Phase1
    Encryption Algorithm: AES-256
    Authentication Algorithm: SHA1
    DH: Diffie-Hellman Group5
    SA Life time (seconds): 28800

    Phase2
    Encryption Algorithm: AES-256
    Authentication Algorithm: MD5
    DH: Diffie-Hellman Group5
    SA Life time (seconds): 28800

    DPD
    DPD Active: On

    If anyone could shed a little light..
     
  2. mickevh

    mickevh
    Well-known Member

    Joined:
    Apr 30, 2007
    Messages:
    7,183
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    133
    Location:
    West London
    Ratings:
    +1,717
    Can you post up the routing tables of both your routers.

    How are you establishing the WAN IP addresses - are they permanently leased from your ISPs, or are you using some form of DynDNS?

    I don't know your kit and I don't spend much time doing VPNs, but there's nothing jumping out at me as obviously wrong. Last time I created a site-to-site VPN, it was useful to be able to trace the traffic activity and debug what was going on. Do your tunnel endpoints offer any such facilities?

    What are the symptoms you are seeing: not establishing the tunnel, not routing traffic, etc.? Some kit has a screen showing whether the VPN is "active", "established", "phase 1 complete", "phase 2 complete", etc. Any such info would be useful.

    EDIT - I can't see any mention of VPN in the datasheet or manual for your Zyxel P-2812HNU-F1. Where/how are you creating the tunnel endpoints..?
     
    Last edited: Mar 10, 2013
  3. Morphies

    Thanks for the response.

    I appear to have sorted it.

    The IPs are static, so that wasn't the issue.

    It turns out that

    Local ID: None
    Content: blank
    remote ID: None
    Content: blank

    needs to be set to IP, and the content needs to reflect the WAN IPs respectively.

    I was able to change these remotely and the tunnel appears to be live.

    Need to wait till I get to work tomorrow to see if anything actually works though.


    Edit: the manual is really poor, but the router actually has VPN tunneling built in. It just isn't mentioned in the user guide
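The settings in post #1 and the fix in post #3 together describe what each end of a net-net IPsec tunnel has to mirror: my local subnet is the peer's remote subnet, my "My IP Address" is the peer's "Secure Gateway", and my Local ID is what the peer lists as its Remote ID. The script below is an added example, not code from the thread or from Zyxel, that encodes those checks over both configs as posted and again with the ID fix applied. The WAN addresses are RFC 5737 placeholders because the poster removed the real ones, and the `PeerConfig` field names simply follow the form labels quoted above; the pre-shared key is the value as posted, which the check flags as too short whether or not it was a placeholder.

```python
"""Cross-check the two ends of an IPsec net-net tunnel the way a peer would.

Added example, not from the thread or from Zyxel.  Field names follow the
P-2812HNU-F1 form labels quoted in the thread; WAN addresses are RFC 5737
placeholders because the poster removed the real ones.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Proposal:
    enc: str        # Encryption Algorithm
    auth: str       # Authentication Algorithm
    dh: str         # DH group
    lifetime: int   # SA Life time (seconds)


@dataclass
class PeerConfig:
    name: str
    wan_ip: str          # "My IP Address"
    gateway_ip: str      # "Secure Gateway address" = the far end's WAN IP
    local_net: str       # Local Address Type: Subnet
    remote_net: str      # Remote Address Type: Subnet
    psk: str
    phase1: Proposal
    phase2: Proposal
    local_id_type: str = "None"
    local_id: str = ""
    remote_id_type: str = "None"
    remote_id: str = ""


def check_pair(a: PeerConfig, b: PeerConfig) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means the ends mirror each other."""
    findings = []
    for x, y in ((a, b), (b, a)):
        # Traffic selectors must be exact mirrors or phase 2 is rejected.
        if ip_network(x.local_net) != ip_network(y.remote_net):
            findings.append(("NET_MISMATCH", f"{x.name} local {x.local_net} vs {y.name} remote {y.remote_net}"))
        # Each end's Secure Gateway must be the other end's My IP Address.
        if x.wan_ip != y.gateway_ip:
            findings.append(("GATEWAY_MISMATCH", f"{y.name} gateway {y.gateway_ip} should be {x.name} WAN {x.wan_ip}"))
        # IKE identities: my Local ID is what the peer must list as its Remote ID.
        if x.local_id_type.lower() == "none" or not x.local_id:
            findings.append(("ID_UNSET", f"{x.name}: set Local ID type IP, content {x.wan_ip}; peer Remote ID the same"))
        elif (x.local_id_type, x.local_id) != (y.remote_id_type, y.remote_id):
            findings.append(("ID_MISMATCH", f"{x.name} local {x.local_id_type}:{x.local_id} vs "
                                            f"{y.name} remote {y.remote_id_type}:{y.remote_id}"))
    if a.psk != b.psk:
        findings.append(("PSK_MISMATCH", "pre-shared keys differ"))
    elif len(a.psk) < 20 or a.psk.isdigit():
        findings.append(("PSK_WEAK", f"PSK is {len(a.psk)} characters; use a long random secret"))
    if a.phase1 != b.phase1:
        findings.append(("P1_MISMATCH", f"{a.phase1} vs {b.phase1}"))
    if a.phase2 != b.phase2:
        findings.append(("P2_MISMATCH", f"{a.phase2} vs {b.phase2}"))
    if any(p.auth.upper() == "MD5" for p in (a.phase1, a.phase2, b.phase1, b.phase2)):
        findings.append(("WEAK_HASH", "MD5 integrity; prefer SHA-256 (or at least SHA-1) on both ends"))
    return findings


def with_ids(cfg: PeerConfig, my_ip: str, peer_ip: str) -> PeerConfig:
    """Apply the post #3 fix: ID type IP, Local ID = own WAN IP, Remote ID = peer WAN IP."""
    return replace(cfg, local_id_type="IP", local_id=my_ip, remote_id_type="IP", remote_id=peer_ip)


P1 = Proposal("AES-256", "SHA1", "DH5", 28800)
P2 = Proposal("AES-256", "MD5", "DH5", 28800)
SITE1_WAN, SITE2_WAN = "198.51.100.1", "203.0.113.2"   # placeholders for the removed WAN IPs

# The two configs as posted in the thread: IDs left at None / blank.
SITE1_AS_POSTED = PeerConfig("site1", SITE1_WAN, SITE2_WAN, "192.168.1.0/24", "192.168.2.0/24", "1234567", P1, P2)
SITE2_AS_POSTED = PeerConfig("site2", SITE2_WAN, SITE1_WAN, "192.168.2.0/24", "192.168.1.0/24", "1234567", P1, P2)
SITE1_FIXED = with_ids(SITE1_AS_POSTED, SITE1_WAN, SITE2_WAN)
SITE2_FIXED = with_ids(SITE2_AS_POSTED, SITE2_WAN, SITE1_WAN)

if __name__ == "__main__":
    for label, pair in (("as posted", (SITE1_AS_POSTED, SITE2_AS_POSTED)), ("fixed", (SITE1_FIXED, SITE2_FIXED))):
        print(label)
        for code, detail in check_pair(*pair):
            print(f"  {code}: {detail}")
```

Run as-is it reports `ID_UNSET` for both ends of the posted config and only `PSK_WEAK` and `WEAK_HASH` once the IDs are set; those two are worth fixing on both boxes at the same time, since a proposal change on one side only would reintroduce a phase mismatch.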
     
  4. mickevh

    Interesting; what I've skimmed of the rest of the User Guide seems rather good. Normally VPN endpoints are something manufacturers shout about.

    Are you aware of the routing "gotcha" that can occur with site-to-site VPNs?

    For example, somewhere in the routing table for (say) site 1 will be a route that says 192.168.2.0/24 can be reached through the VPN tunnel (however that's expressed in your router).

    All fine and dandy while the tunnel is up, but a problem can occur when the tunnel goes down, and thus the route to 192.168.2.0 is unavailable.

    When the site 1 router receives traffic destined for site 2, if the tunnel is down (or not yet established) it can no longer send it through the VPN, so it has to decide what to do with it.

    Most SOHO routers have a default route that sends all traffic it doesn't know what to do with to the Internet. In such a situation, then, if the route to 192.168.2.0 (VPN tunnel) is down, the traffic which should be kept "private" will get sprayed out to your ISP. Chances are the ISP will simply drop it, as 192.168.2.0 isn't publicly routable. However, it would be better not to rely on the ISP and to contain such "leaks" oneself.

    The way I "fixed" that in my site-to-site VPN was to create routing so that anything that should be sent through the VPN tunnel gets dropped if the tunnel is down, instead of being sent out of the "default route."
     
    Last edited: Mar 10, 2013
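The routing gotcha above comes down to longest-prefix matching: while the tunnel route for 192.168.2.0/24 exists it beats the 0.0.0.0/0 default, and the moment it disappears the default wins and the private traffic leaves in the clear. The simulator below is an added example, not from the thread, that models site 1's table and the blackhole guard mickevh describes. It assumes a route-based tunnel (the far subnet reached through a tunnel interface) and made-up interface names (`br0`, `ppp0`, `ipsec0`); the Zyxel's own table may be laid out differently.

```python
"""Longest-prefix-match simulator for the site-to-site VPN routing gotcha.

Added example, not from the thread.  Interface names (br0, ppp0, ipsec0) are
assumed and the model is a route-based tunnel; the Zyxel's real table may differ.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


class RoutingTable:
    def __init__(self) -> None:
        self.routes = []   # (network, metric, next_hop)

    def add(self, prefix: str, next_hop: str, metric: int = 0) -> None:
        self.routes.append((ip_network(prefix), metric, next_hop))

    def remove(self, prefix: str, next_hop: str) -> None:
        net = ip_network(prefix)
        self.routes = [r for r in self.routes if not (r[0] == net and r[2] == next_hop)]

    def lookup(self, dst: str) -> Optional[str]:
        """Longest prefix wins; among equal prefixes the lowest metric wins."""
        addr = ip_address(dst)
        candidates = [r for r in self.routes if addr in r[0]]
        if not candidates:
            return None
        _net, _metric, next_hop = max(candidates, key=lambda r: (r[0].prefixlen, -r[1]))
        return next_hop


def site1_table(tunnel_up: bool, guard: bool) -> RoutingTable:
    """Site 1's table: LAN, ISP default, optionally the tunnel route and a blackhole guard."""
    rt = RoutingTable()
    rt.add("192.168.1.0/24", "br0")    # local LAN
    rt.add("0.0.0.0/0", "ppp0")        # default route to the ISP
    if guard:
        # Same prefix as the tunnel route but a worse metric, so it only wins
        # when the tunnel route has been withdrawn.
        rt.add("192.168.2.0/24", "blackhole", metric=200)
    if tunnel_up:
        rt.add("192.168.2.0/24", "ipsec0", metric=10)
    return rt


def where_does_it_go(dst: str) -> Dict[Tuple[bool, bool], Optional[str]]:
    """Next hop for one destination across (tunnel_up, guard) combinations."""
    return {
        (up, guard): site1_table(up, guard).lookup(dst)
        for up in (True, False)
        for guard in (False, True)
    }


if __name__ == "__main__":
    for (up, guard), hop in where_does_it_go("192.168.2.10").items():
        print(f"tunnel_up={str(up):5} guard={str(guard):5} -> {hop}")
```

The `(tunnel_up=False, guard=False)` row is the leak: the packet for 192.168.2.10 goes to `ppp0`. On a Linux box the guard is `ip route add blackhole 192.168.2.0/24 metric 200`; on a policy-based IPsec implementation, where the tunnel is an SPD entry rather than a route and the packet is routed out the WAN before encapsulation, a blackhole route would break the tunnel even when it is up, and the equivalent guard is a firewall rule on the WAN interface dropping plaintext to the remote subnet (netfilter: `-m policy --dir out --pol none`). Which of these applies to the P-2812HNU-F1 is not something the thread establishes.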
  5. Morphies

    Right,

    So I've come into work this morning hoping (not expecting, I know how networking works) to be able to see the other site.

    Unfortunately not. I cannot get a ping response from any of the static IPs on the opposite network.

    The VPN status lights on the Zyxel's are amber, which appears to mean OK. I've had a look into the logs but there is nothing in there for the VPN at all.

    Having a Google would suggest that Phase 1 is completing, but Phase 2 isn't. However, without some sort of log, or more information on the status of the VPN tunnel it's proving difficult to troubleshoot.

    There is also a lot of talk about routing issues, although routing isn't a strong point of mine.
     
    Last edited: Mar 11, 2013
  6. mickevh

    I can't shed much additional light. I did wonder if the "Local ID" and "Remote ID" pertained to the "Security Association" (SA.) I know on my box, I needed to match (or wildcard) them to the communicating peer before phase 2 would come up.

    If you have the ability to "telnet" into your router, there might be some additional display options that can show you what's going on.
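When the box logs nothing, as post #5 reports, the remaining evidence is the IKE traffic itself: a capture on the WAN side (mirror port, or a machine placed between the router and the modem) shows which exchanges are happening even though their contents are encrypted. The script below is an added example, not from the thread or from Zyxel. It decodes only the 28-byte ISAKMP fixed header, which is all that is visible once the exchange is encrypted, and uses the exchange type and the encryption flag to separate "phase 1 completed" from "phase 2 completed": main mode messages 5 and 6 are the first encrypted ones, quick mode runs three encrypted messages, and an encrypted informational in place of the second quick mode message is the peer rejecting the proposal, selectors or IDs. The capture is constructed to show that pattern and is not a real trace.

```python
"""Classify IKEv1 traffic from a WAN-side capture to tell phase 1 from phase 2.

Added example, not from the thread or from Zyxel.  Only the 28-byte ISAKMP
header (RFC 2408 section 3.1) is decoded; the capture below is constructed.
"""
import struct
from collections import Counter
from typing import Dict, Iterable, Iterator, Tuple

EXCHANGE_NAMES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}
FLAG_ENCRYPTED = 0x01
HEADER = "!8s8sBBBBII"   # I-SPI, R-SPI, next payload, version, exchange, flags, message ID, length


def parse_isakmp_header(data: bytes) -> Dict[str, object]:
    if len(data) < 28:
        raise ValueError(f"ISAKMP header needs 28 bytes, got {len(data)}")
    ispi, rspi, _next, version, exch, flags, msg_id, length = struct.unpack(HEADER, data[:28])
    if version >> 4 != 1:
        raise ValueError(f"not IKEv1 (major version {version >> 4})")
    if length < 28:
        raise ValueError(f"bogus length field {length}")
    return {"ispi": ispi.hex(), "rspi": rspi.hex(),
            "exchange": EXCHANGE_NAMES.get(exch, f"other-{exch}"),
            "encrypted": bool(flags & FLAG_ENCRYPTED), "msg_id": msg_id, "length": length}


def ike_messages(udp_packets: Iterable[Tuple[int, bytes]]) -> Iterator[Dict[str, object]]:
    """Take (udp_port, payload) pairs; strip the 4-byte non-ESP marker used on 4500."""
    for port, payload in udp_packets:
        if port == 500:
            yield parse_isakmp_header(payload)
        elif port == 4500:
            if len(payload) < 4 or payload[:4] != b"\x00\x00\x00\x00":
                continue   # 1-byte NAT keepalive or UDP-encapsulated ESP, not IKE
            yield parse_isakmp_header(payload[4:])


def assess(udp_packets: Iterable[Tuple[int, bytes]]) -> Tuple[str, Dict[str, int]]:
    """Main mode 5-6 and every quick mode message carry the E flag; count on that."""
    counts: Counter = Counter()
    for h in ike_messages(udp_packets):
        counts[str(h["exchange"]) + ("/enc" if h["encrypted"] else "/clear")] += 1
    phase1_done = counts["main/enc"] >= 2 or counts["aggressive/clear"] + counts["aggressive/enc"] >= 3
    phase2_done = counts["quick/enc"] >= 3
    if phase2_done:
        verdict = "phase2-established"
    elif phase1_done and counts["quick/enc"]:
        verdict = "phase1-ok-phase2-failing"   # proposal, selector or ID mismatch territory
    elif phase1_done:
        verdict = "phase1-ok-no-phase2-attempt"
    elif counts["main/clear"] or counts["aggressive/clear"]:
        verdict = "phase1-failing"
    else:
        verdict = "no-ike-seen"
    return verdict, dict(counts)


def build_header(ispi: bytes, rspi: bytes, exchange: int, flags: int, msg_id: int) -> bytes:
    """Constructed test data: a bare header with next payload 1 (SA) and length 28."""
    return struct.pack(HEADER, ispi, rspi, 1, 0x10, exchange, flags, msg_id, 28)


I_SPI, R_SPI, ZERO = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff"), bytes(8)
NON_ESP = b"\x00\x00\x00\x00"
CONSTRUCTED_CAPTURE = [
    (500, build_header(I_SPI, ZERO, 2, 0, 0)),                          # MM1: responder SPI still zero
    (500, build_header(I_SPI, R_SPI, 2, 0, 0)),                         # MM2
    (500, build_header(I_SPI, R_SPI, 2, 0, 0)),                         # MM3 (KE, nonce)
    (500, build_header(I_SPI, R_SPI, 2, 0, 0)),                         # MM4
    (4500, NON_ESP + build_header(I_SPI, R_SPI, 2, 1, 0)),              # MM5, encrypted, on 4500 (NAT-T)
    (4500, NON_ESP + build_header(I_SPI, R_SPI, 2, 1, 0)),              # MM6: phase 1 complete
    (4500, NON_ESP + build_header(I_SPI, R_SPI, 32, 1, 0x1A2B3C4D)),    # QM1
    (4500, NON_ESP + build_header(I_SPI, R_SPI, 5, 1, 0x5E6F7081)),     # encrypted informational, not QM2
    (4500, b"\xff"),                                                    # NAT keepalive
]

if __name__ == "__main__":
    print(assess(CONSTRUCTED_CAPTURE))
```

Feeding it the constructed capture yields `phase1-ok-phase2-failing`, which is the pattern post #5 describes. The notify inside that informational message (NO-PROPOSAL-CHOSEN, INVALID-ID-INFORMATION and so on) cannot be read from a capture because it is encrypted under the phase 1 SA, so the next step is still the peer's log or a debug shell on the router; the header-level view at least tells you which side is rejecting and whether the rejection follows QM1 or never gets that far.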
     
  7. Morphies

    I've been onto Zyxel tech support, who had a play around with both routers. After about half an hour they decided that the amount of information supplied by the routers' logging for VPN is not sufficient. So, they said they would break down the tunnel and re-set it up to one of their own firewalls to enable some detailed logs.

    As yet, the VPN tunnel is still active. I'm not holding my breath.
     
