Firewall – Can’t establish a reliable VPN tunnel (ShrewSoft client / ZyWALL USG-50 firewall)

Tags: dmz, firewall, nat, router, vpn

I'm trying to set up an IPsec VPN tunnel through my firewall (ZyWALL USG-50), but it doesn't work like it should.

Quick scheme of my installation:

ME [A.B.C.D] --- **INTERNET** 
                      |
                      |
               [A2.B2.C2.D2] **ROUTER** [192.168.0.254]
                                            |
                                            | (DMZ) 
                                            |
                                   [192.168.0.250] **ZyWall USG50** [192.168.169.1] 
                                                                         |
                                                                         |
                                                                         |
                                                            LAN1 [[192.168.169.0/24]]
  • A.B.C.D: my IP address
  • A2.B2.C2.D2: my router's IP address
  • 192.168.0.0/24 is the network between my router and my ZyWALL (the ZyWALL is on the DMZ of my router)
  • The LAN I want to access is 192.168.169.0/24
  • Our VPN client: ShrewSoft

I have already set up VPN_gateway and VPN_connection on my ZyWALL. My ShrewSoft config seems to be good, but when the tunnel is enabled I lose my internet connection and I can't ping devices on my LAN1.

ZyWALL logs:

(from bottom to top):

| # | Time | Priority | Category | Message | Source | Destination | Note |
|---|------|----------|----------|---------|--------|-------------|------|
| 16 | 2014-06-27 14:07:27 | info | IKE | The cookie pair is : 0xd5ee179c993e0210 / 0xd5866913901fc739 [count=5] | 192.168.0.250:500 | A.B.C.D:56175 | IKE_LOG |
| 17 | 2014-06-27 14:07:27 | info | IKE | Recv:[HASH][NOTIFY:R_U_THERE] | A.B.C.D:56175 | 192.168.0.250:500 | IKE_LOG |
| 18 | 2014-06-27 14:07:27 | info | IKE | The cookie pair is : 0xd5866913901fc739 / 0xd5ee179c993e0210 | A.B.C.D:56175 | 192.168.0.250:500 | IKE_LOG |
| 19 | 2014-06-27 14:07:12 | info | IKE | Send:[HASH][NOTIFY:R_U_THERE_ACK] | 192.168.0.250:500 | A.B.C.D:56175 | IKE_LOG |
| 20 | 2014-06-27 14:07:12 | info | IKE | The cookie pair is : 0xd5ee179c993e0210 / 0xd5866913901fc739 | 192.168.0.250:500 | A.B.C.D:56175 | IKE_LOG |
| 21 | 2014-06-27 14:07:12 | info | IKE | Recv:[HASH][NOTIFY:R_U_THERE] | A.B.C.D:56175 | 192.168.0.250:500 | IKE_LOG |
| 22 | 2014-06-27 14:07:12 | info | IKE | The cookie pair is : 0xd5866913901fc739 / 0xd5ee179c993e0210 | A.B.C.D:56175 | 192.168.0.250:500 | IKE_LOG |
| 23 | 2014-06-27 14:07:12 | notice | Firewall | priority:11, from WAN to ZyWALL, UDP, service Default_Allow_WAN_To_ZyWALL, ACCEPT | A.B.C.D:56175 | 192.168.0.250:500 | ACCESS FORWARD |
| 24 | 2014-06-27 14:06:57 | info | IKE | Dynamic Tunnel [IPSEC_GATEWAY:IPSEC_CONNECTION:0xc7101df2] rekeyed successfully | 192.168.0.250:500 | A.B.C.D:56175 | IKE_LOG |
| 25 | 2014-06-27 14:06:57 | info | IKE | [ESP des-cbc\|hmac-sha1-96][SPI 0x21a0e0db\|0xc7101df2][Lifetime 3620] | 192.168.0.250:500 | A.B.C.D:56175 | IKE_LOG |
| 26 | 2014-06-27 14:06:57 | info | IKE | Dynamic Tunnel [IPSEC_GATEWAY:IPSEC_CONNECTION:0xdc10a224] built successfully | 192.168.0.250:500 | A.B.C.D:56175 | IKE_LOG |
| 27 | 2014-06-27 14:06:57 | info | IKE | [ESP des-cbc\|hmac-sha1-96][SPI 0x3bd528f6\|0xdc10a224][Lifetime 3620] | 192.168.0.250:500 | A.B.C.D:56175 | IKE_LOG |
| 28 | 2014-06-27 14:06:57 | info | IKE | [Policy: ipv4(192.168.169.0-192.168.169.255)-ipv4(192.168.43.115)] [count=2] | 192.168.0.250:500 | A.B.C.D:56175 | IKE_LOG |
| 29 | 2014-06-27 14:06:57 | info | IKE | [Responder:192.168.0.250][Initiator:A.B.C.D] [count=2] | 192.168.0.250:500 | A.B.C.D:56175 | IKE_LOG |
| 30 | 2014-06-27 14:06:57 | info | IKE | Recv:[HASH] [count=2] | A.B.C.D:56175 | 192.168.0.250:500 | IKE_LOG |
| 31 | 2014-06-27 14:06:57 | info | IKE | Send:[HASH][SA][NONCE][ID][ID] [count=2] | 192.168.0.250:500 | A.B.C.D:56175 | IKE_LOG |
| 32 | 2014-06-27 14:06:57 | info | IKE | Recv:[HASH][SA][NONCE][ID][ID] [count=2] | A.B.C.D:56175 | 192.168.0.250:500 | IKE_LOG |
| 33 | 2014-06-27 14:06:57 | info | IKE | Recv:[HASH][NOTIFY:INITIAL_CONTACT] | A.B.C.D:56175 | 192.168.0.250:500 | IKE_LOG |
| 34 | 2014-06-27 14:06:57 | info | IKE | Phase 1 IKE SA process done | 192.168.0.250:500 | A.B.C.D:56175 | IKE_LOG |
| 35 | 2014-06-27 14:06:57 | info | IKE | Send:[ID][HASH] | 192.168.0.250:500 | A.B.C.D:56175 | IKE_LOG |
| 36 | 2014-06-27 14:06:57 | info | IKE | Recv:[ID][HASH] | A.B.C.D:56175 | 192.168.0.250:500 | IKE_LOG |
| 37 | 2014-06-27 14:06:57 | info | IKE | Send:[KE][NONCE] | 192.168.0.250:500 | A.B.C.D:56175 | IKE_LOG |
| 38 | 2014-06-27 14:06:57 | info | IKE | Recv:[KE][NONCE] | A.B.C.D:56175 | 192.168.0.250:500 | IKE_LOG |
| 39 | 2014-06-27 14:06:56 | notice | Firewall | priority:11, from WAN to ZyWALL, UDP, service Default_Allow_WAN_To_ZyWALL, ACCEPT | A.B.C.D:56175 | 192.168.0.250:500 | ACCESS FORWARD |

I followed each step in the ZyWALL docs and various posts from the ShrewSoft community, but I am obviously missing something…

If someone sees something that can go wrong in these logs, I would appreciate it (or some ideas to begin troubleshooting). Thanks.

Best Answer

[...] but when tunnel is enabled i lost my internet connection and i can't ping devices on my LAN1

The issue with the lost internet connection sounds pretty much like a "Split Tunnel" issue. If you didn't enable Split Tunnel in your VPN configuration, all traffic originating from your VPN client will go through your VPN gateway.

When enabling Split Tunnel, your VPN client will receive specific routes and therefore will only send interesting traffic in the VPN tunnel.

As for the other issue (unable to ping devices on LAN1), there are three things that can happen.

  1. If you are trying to ping by the device's name, you obviously need your VPN configuration to "send" a DNS server to the VPN client that will resolve names on the LAN1 network. You can check if that's the issue by pinging the devices using their IPs. If it works, it's a DNS issue.

  2. Some firewall rules might be missing. You might have to explicitly tell the firewall to allow traffic from and to the VPN clients. This should be verified by looking at traffic logs on the firewall.

  3. Some routes might be missing. You didn't mention what IP your VPN client gets, but you have to make sure that the client knows how to route to the LAN1 network. You obviously also need to make sure that devices on LAN1 know how to route to whatever subnet you are using on the VPN client side. This can be verified by checking the routing tables both on the devices in LAN1 and on your VPN client once it's connected and the VPN tunnel is up.
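The logs in the question and the answer's split-tunnel and routing points can be checked mechanically. The script below is an added example, not code from the question, the answer, ShrewSoft or Zyxel: it reduces a handful of ZyWALL IKE messages (constructed here, modelled on the ones logged above, with the client's public address replaced by the documentation address 203.0.113.10) to the facts that matter, pulls the LAN range and the client's virtual address out of the phase 2 policy line, and then applies the answer's reasoning to a client routing table. The routing tables and the interface labels "vpn" and "wifi" are assumptions for illustration; on a real client they would come from `route print` or `ip route`. It also flags the `des-cbc` ESP proposal visible in the logs, since single DES no longer provides meaningful confidentiality.

```python
import ipaddress
import re

# Constructed sample, modelled on the IKE log messages in the question. The
# client's public address is replaced by the documentation address 203.0.113.10;
# the LAN range, virtual client address and ESP proposal are the ones logged.
SAMPLE_IKE_MESSAGES = [
    "Recv:[KE][NONCE]",
    "Send:[KE][NONCE]",
    "Phase 1 IKE SA process done",
    "Recv:[HASH][NOTIFY:INITIAL_CONTACT]",
    "[Responder:192.168.0.250][Initiator:203.0.113.10] [count=2]",
    "[Policy: ipv4(192.168.169.0-192.168.169.255)-ipv4(192.168.43.115)] [count=2]",
    "[ESP des-cbc|hmac-sha1-96][SPI 0x3bd528f6|0xdc10a224][Lifetime 3620]",
    "Dynamic Tunnel [IPSEC_GATEWAY:IPSEC_CONNECTION:0xdc10a224] built successfully",
    "Recv:[HASH][NOTIFY:R_U_THERE]",
    "Send:[HASH][NOTIFY:R_U_THERE_ACK]",
]

# Constructed client routing tables as (network, interface) pairs. "vpn" is an
# assumed label for the virtual adapter, "wifi" for the physical uplink.
ROUTES_NO_SPLIT = [("0.0.0.0/0", "vpn"), ("192.168.43.0/24", "vpn")]
ROUTES_SPLIT_OK = [("0.0.0.0/0", "wifi"), ("192.168.169.0/24", "vpn")]
ROUTES_SPLIT_MISSING_LAN = [("0.0.0.0/0", "wifi"), ("192.168.43.0/24", "vpn")]

POLICY_RE = re.compile(r"\[Policy: ipv4\(([\d.]+)-([\d.]+)\)-ipv4\(([\d.]+)\)\]")
ESP_RE = re.compile(r"\[ESP ([\w-]+)\|([\w-]+)\]")
WEAK_ESP_CIPHERS = {"des-cbc", "null"}  # 56-bit DES and NULL give no real confidentiality


def summarize_ike(messages):
    """Reduce ZyWALL IKE log messages to the facts needed for a diagnosis."""
    s = {"phase1_done": False, "tunnel_built": False, "dpd_alive": False,
         "esp_cipher": None, "esp_auth": None, "lan_range": None, "client_ip": None}
    for msg in messages:
        if "Phase 1 IKE SA process done" in msg:
            s["phase1_done"] = True
        elif "built successfully" in msg:
            s["tunnel_built"] = True
        elif "R_U_THERE_ACK" in msg:          # DPD answered: the peer is reachable
            s["dpd_alive"] = True
        else:
            m = POLICY_RE.search(msg)
            if m:                               # phase 2 selectors: LAN range <-> client virtual IP
                s["lan_range"] = (m.group(1), m.group(2))
                s["client_ip"] = m.group(3)
            m = ESP_RE.search(msg)
            if m:                               # negotiated ESP cipher and integrity algorithm
                s["esp_cipher"], s["esp_auth"] = m.group(1), m.group(2)
    return s


def lookup_route(dest, routes):
    """Longest-prefix match over (network, interface) pairs; None when nothing matches."""
    dest = ipaddress.ip_address(dest)
    best = None
    for net, iface in routes:
        net = ipaddress.ip_network(net)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def diagnose(summary, routes, tunnel_iface="vpn", internet_probe="198.51.100.1"):
    """Turn the IKE summary plus the client's routing table into findings.

    Mirrors the accepted answer: a default route into the tunnel means split
    tunnel is off (internet traffic goes away through the gateway); no tunnel
    route to LAN1 means pings to 192.168.169.0/24 never enter the tunnel.
    """
    findings = []
    if not summary["phase1_done"]:
        findings.append("phase 1 never completed")
    if not summary["tunnel_built"]:
        findings.append("phase 2 SA not built")
    if summary["lan_range"] is None:
        findings.append("no phase 2 policy seen: cannot check routes")
        return findings
    first, _ = summary["lan_range"]
    lan_host = ipaddress.ip_address(first) + 1       # any host inside the protected range
    if lookup_route(lan_host, routes) != tunnel_iface:
        findings.append(f"no route to {first} range via {tunnel_iface}: LAN1 unreachable")
    if lookup_route(internet_probe, routes) == tunnel_iface:
        findings.append("default route points into the tunnel: split tunnel is disabled")
    if summary["esp_cipher"] in WEAK_ESP_CIPHERS:
        findings.append(f"weak ESP cipher negotiated: {summary['esp_cipher']}")
    return findings


if __name__ == "__main__":
    summary = summarize_ike(SAMPLE_IKE_MESSAGES)
    for name, routes in [("no split tunnel", ROUTES_NO_SPLIT),
                         ("split tunnel, LAN route present", ROUTES_SPLIT_OK),
                         ("split tunnel, LAN route missing", ROUTES_SPLIT_MISSING_LAN)]:
        print(f"{name}: {diagnose(summary, routes)}")
```

The IKE summary shows the tunnel itself is healthy (phase 1 done, phase 2 built, DPD answered), which is why the three routing tables produce different findings: only the client side decides whether 192.168.169.0/24 and the default route enter the tunnel. The same longest-prefix check can be run against the LAN1 devices' tables for the return path the answer's third point asks about.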