I currently have two ZyWall 5 units at two sites with an IPSEC VPN connecting the subnet of each. These have been running up to the point where one unit has been failing multiple times a day, and I want to swap it out for another unit. I have two additional ZyWall 5 units. All are running the same 4.04(XD 9) firmware. I think I must have been lucky getting those two units paired together.
I have been able to get the VPNs to connect when any two routers' WAN ports are connected with a switch in between, configured with the real global IPs. However, when installed across my ISP's network (through a fiber switch), I can only get the current two routers to connect. I've recreated the VPN rules multiple times, and only the two current units connect across my link.
On any test that doesn't connect with my ISP's network in the middle, in the log files I see that in the Phase 1 IKE transactions the cookie pair always seems to have the far-end (I think) cookie as ZEROs, depending on which side I initiate the connection from. These should be valid after the 'Send:[SA][VID][VID]' transaction. There are re-transmit requests and then it stops, as if the VPN isn't configured properly. Bring the two routers onto the same switch side by side, and they connect perfectly and almost instantly.
I've tried enabling NAT translation just for kicks (there is no router between the two points) but that had no effect.
It seems most of the documentation I've found on the ZyWall 5 is flawed in some way, even some of the documentation on ZyXEL's site. The unit is out of service and out of support, so ZyXEL will not help, and they have taken down their forums.
Anyone have any ideas on how to connect two ZyWALL 5s together reliably? Anyone have any ideas on what is causing this issue? I'm starting to think there is something going on with the two WANs being on the same subnet, but then why would they connect side by side when connected with a switch?
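To narrow down the zero-cookie symptom described in the post, it helps to decode the raw UDP/500 datagrams rather than rely on the ZyWALL log. The following is an added example (not from the original post or from ZyXEL): a small ISAKMP/IKEv1 header and payload-chain decoder that walks a Phase 1 exchange and flags any reply whose responder cookie is still all zeros or that fails to echo the initiator cookie. The cookies, vendor ID strings and datagrams below are constructed sample data, not real captures.

```python
import struct

# IKEv1/ISAKMP fixed header (RFC 2408 s.3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
HEADER = struct.Struct("!8s8sBBBBII")
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N", 13: "VID"}
ZERO_COOKIE = b"\x00" * 8

def parse_isakmp(datagram):
    """Decode the header and walk the payload chain of one UDP/500 datagram."""
    i_ck, r_ck, nxt, _ver, exch, _flags, _msgid, length = HEADER.unpack_from(datagram)
    payloads, cur, off = [], nxt, HEADER.size
    while cur != 0 and off + 4 <= len(datagram):
        nxt, _res, plen = struct.unpack_from("!BBH", datagram, off)
        payloads.append(PAYLOAD_NAMES.get(cur, f"P{cur}"))
        if plen < 4:
            break  # bad payload length: stop instead of looping on the same offset
        cur, off = nxt, off + plen
    return {"i_cookie": i_ck, "r_cookie": r_ck, "exchange": exch,
            "payloads": payloads, "length": length}

def cookie_findings(exchange):
    """Given the Phase 1 datagrams in order, report every message after the
    initiator's first one that still carries an all-zero responder cookie or
    does not echo the initiator cookie. A healthy Main Mode run yields []."""
    findings = []
    first = parse_isakmp(exchange[0])
    for n, raw in enumerate(exchange[1:], 2):
        p = parse_isakmp(raw)
        if p["i_cookie"] != first["i_cookie"]:
            findings.append(f"msg {n}: initiator cookie not echoed")
        if p["r_cookie"] == ZERO_COOKIE:
            findings.append(f"msg {n}: responder cookie still zero after {first['payloads']}")
    return findings

def build(i_ck, r_ck, payloads):
    """Constructed sample datagram: Main Mode header plus chained (type, body) payloads."""
    body = b""
    for k, (ptype, data) in enumerate(payloads):
        nxt = payloads[k + 1][0] if k + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first_type = payloads[0][0] if payloads else 0
    return HEADER.pack(i_ck, r_ck, first_type, 0x10, 2, 0, 0, HEADER.size + len(body)) + body

I_CK = bytes.fromhex("1122334455667788")  # constructed cookies, not from a real capture
R_CK = bytes.fromhex("99aabbccddeeff00")
SA_VID_VID = [(1, b"\x00" * 8), (13, b"vendor-id-1"), (13, b"vendor-id-2")]
HEALTHY = [build(I_CK, ZERO_COOKIE, SA_VID_VID), build(I_CK, R_CK, SA_VID_VID)]
BROKEN = [build(I_CK, ZERO_COOKIE, SA_VID_VID), build(I_CK, ZERO_COOKIE, SA_VID_VID)]
```

On a real link, feed it the UDP payloads from a capture taken on both WAN ports (for example `tcpdump -i <wan> udp port 500`); a reply that arrives with a zero responder cookie points at the packet being rewritten or dropped in transit, while a correct reply that never reaches the other side points at the ISP path rather than the VPN rules.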