I need to set up a gateway-to-gateway VPN connection. I therefore requested an extract of the Cisco ASA firewall configuration (the remote end, located in another country) covering the VPN settings; now the trick is to interpret it correctly and implement it accordingly on a Zyxel USG 200 firewall.

Here is the configuration of the Cisco ASA gateway-to-gateway VPN connection:
--------------------------------------------------------------------------
names
name 10.100.0.0 xy-net

access-list filter-LTL-Schweiz remark Allow any ICMP Traffic
access-list filter-LTL-Schweiz extended permit icmp any any

access-list split-VPN-Schweiz-LTL standard permit xy-net 255.255.0.0

access-list l2l_schweiz extended permit ip 192.168.5.0 255.255.255.0 xy-net 255.255.0.0

mtu External 1500

group-policy Schweiz-LTL internal
group-policy Schweiz-LTL attributes
vpn-filter value filter-LTL-Schweiz
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-VPN-Schweiz-LTL
webvpn

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map External_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map External_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map External_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map External_dyn_map 40 set security-association lifetime kilobytes 4608000

crypto map External_map 100 match address l2l_schweiz
crypto map External_map 100 set peer 109.164.134.46
crypto map External_map 100 set transform-set ESP-3DES-SHA
crypto map External_map 100 set security-association lifetime seconds 28800
crypto map External_map 100 set security-association lifetime kilobytes 4608000
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
crypto map External_map interface External

isakmp identity auto
isakmp enable External
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000

tunnel-group 109.164.134.46 type ipsec-l2l
tunnel-group 109.164.134.46 general-attributes
default-group-policy Schweiz-LTL
tunnel-group 109.164.134.46 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
--------------------------------------------------------------------------

Here are my settings on the Zyxel USG 200

Phase 1 (menu VPN / IPSec VPN / tab VPN Gateway)
VPN Name = XY
Gateway Settings/ My Address/ Interface = wan1 (DHCP client -- 109.164.134.46/255.255.255.128)

Remark on this:
This is an IP assigned by Swisscom via DHCP, but it has been the same for a month or so now. Also: I have a DynDNS name set up as well, but I cannot find that name anywhere in the remote end's configuration above (configured on the Cisco ASA firewall).

Peer Gateway Address / Primary 195.50.134.66
Secondary 0.0.0.0

Authentication = PreShared Key = SchlüsselXY
Phase 1 Settings/ SA LifeTime 28800

Negotiation Mode = Main
Proposal/ Encryption = 3DES Authentication = SHA1
Key Group = DH2

NAT Traversal = enabled


Phase 2 (menu VPN / IPSec VPN / tab VPN Connections)
VPN Gateway / Application Scenario = Site-to-Site
VPN Gateway = the gateway I defined in the VPN Gateway tab

Policy / Local Policy = SUBNET, 192.168.5.0/24
Remote Policy = SUBNET, 10.100.0.0/16

Phase 2 Setting/ SA Life Time = 86400
Active Protocol = ESP
Encapsulation = Tunnel
Proposal = Encryption 3DES / Authentication = SHA1, MD5, SHA256

Perfect Forward Secrecy (PFS) = DH2

Related Settings/ Zone = IPSec_VPN

With this configuration, the log shows the following when the connection is attempted:
--------------------------------------------------------------------------
# Time Priority Category Message Source Source Interface Destination Destination Interface Protocol Note
1 2012-05-09 10:54:07 info IKE The cookie pair is : 0x1bf9b104824b3bfb / 0xd684ecc0e37cfa42 [count=5] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
2 2012-05-09 10:54:06 info IKE The cookie pair is : 0xd684ecc0e37cfa42 / 0x1bf9b104824b3bfb [count=6] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
3 2012-05-09 10:54:06 info IKE The cookie pair is : 0x1bf9b104824b3bfb / 0x0000000000000000 [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
4 2012-05-09 10:54:00 info IKE The cookie pair is : 0x3b2171c4ed26b39c / 0x6c179b97f814123b [count=5] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
5 2012-05-09 10:54:00 info IKE The cookie pair is : 0x6c179b97f814123b / 0x3b2171c4ed26b39c [count=6] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
6 2012-05-09 10:54:00 info IKE The cookie pair is : 0x3b2171c4ed26b39c / 0x0000000000000000 [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
7 2012-05-09 10:53:58 info IKE ISAKMP SA [Hess_DE_GW] is disconnected [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
8 2012-05-09 10:53:58 info IKE Received delete notification [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
9 2012-05-09 10:53:58 info IKE Recv:[HASH][DEL] [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
10 2012-05-09 10:53:58 info IKE Recv:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN] [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
11 2012-05-09 10:53:58 info IKE Send:[HASH][SA][NONCE][KE][ID][ID] [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
12 2012-05-09 10:53:58 info IKE Phase 1 IKE SA process done [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
13 2012-05-09 10:53:58 info IKE Recv:[ID][HASH][VID] [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
14 2012-05-09 10:53:58 info IKE Send:[ID][HASH][NOTIFY:INITIAL_CONTACT] [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
15 2012-05-09 10:53:58 info IKE Recv:[KE][NONCE][VID][VID][VID][VID][PRV][PRV] [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
16 2012-05-09 10:53:58 info IKE Send:[KE][NONCE][PRV][PRV] [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
17 2012-05-09 10:53:58 info IKE The cookie pair is : 0x3d63d827f68aea86 / 0xd0491afdd1ada1d8 [count=5] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
18 2012-05-09 10:53:57 info IKE Recv:[SA][VID][VID] [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
19 2012-05-09 10:53:57 info IKE The cookie pair is : 0xd0491afdd1ada1d8 / 0x3d63d827f68aea86 [count=6] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
20 2012-05-09 10:53:57 info IKE Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID] [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
21 2012-05-09 10:53:57 info IKE Send Main Mode request to [195.50.134.66] [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
22 2012-05-09 10:53:57 info IKE Tunnel [HessCH_zu_HessDE] Sending IKE request [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
23 2012-05-09 10:53:57 info IKE The cookie pair is : 0x3d63d827f68aea86 / 0x0000000000000000 [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
25 2012-05-09 10:53:44 info IKE ISAKMP SA [Hess_DE_GW] is disconnected 109.164.134.46:500 195.50.134.66:500 IKE_LOG
26 2012-05-09 10:53:44 info IKE Received delete notification 195.50.134.66:500 109.164.134.46:500 IKE_LOG
27 2012-05-09 10:53:44 info IKE Recv:[HASH][DEL] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
28 2012-05-09 10:53:44 info IKE Recv:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
29 2012-05-09 10:53:44 info IKE Send:[HASH][SA][NONCE][KE][ID][ID] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
30 2012-05-09 10:53:44 info IKE Phase 1 IKE SA process done 109.164.134.46:500 195.50.134.66:500 IKE_LOG
31 2012-05-09 10:53:44 info IKE Recv:[ID][HASH][VID] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
32 2012-05-09 10:53:44 info IKE Send:[ID][HASH][NOTIFY:INITIAL_CONTACT] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
33 2012-05-09 10:53:44 info IKE Recv:[KE][NONCE][VID][VID][VID][VID][PRV][PRV] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
34 2012-05-09 10:53:43 info IKE Send:[KE][NONCE][PRV][PRV] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
35 2012-05-09 10:53:43 info IKE The cookie pair is : 0xc9d5c43097adfd61 / 0x19093c6e36a860d7 [count=5] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
36 2012-05-09 10:53:43 info IKE Recv:[SA][VID][VID] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
37 2012-05-09 10:53:43 info IKE The cookie pair is : 0x19093c6e36a860d7 / 0xc9d5c43097adfd61 [count=6] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
38 2012-05-09 10:53:43 info IKE Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
39 2012-05-09 10:53:43 info IKE Send Main Mode request to [195.50.134.66] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
40 2012-05-09 10:53:43 info IKE Tunnel [HessCH_zu_HessDE] Sending IKE request 109.164.134.46:500 195.50.134.66:500 IKE_LOG
41 2012-05-09 10:53:43 info IKE The cookie pair is : 0xc9d5c43097adfd61 / 0x0000000000000000 [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
--------------------------------------------------------------------------

The connection cannot be established; it runs into a timeout after 30 seconds.

Thanks a thousand times for your help :-)
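Reading the log from the bottom up (entry #1 is the newest), Phase 1 completes ("Phase 1 IKE SA process done"), the USG sends its Quick Mode proposal ([HASH][SA][NONCE][KE][ID][ID]) and the ASA answers with NO_PROPOSAL_CHOSEN, so the parameters worth comparing are the ones both peers negotiate in Phase 2 plus the Phase 1 values for completeness. The following Python script is an added example for this thread, not the poster's, Cisco's or Zyxel's code: it parses the IKE-relevant lines of the quoted ASA excerpt, holds the USG 200 values as transcribed from the post in a dict whose field names are mine, and lists every parameter on which the two sides disagree, including whether the USG's local/remote policies mirror the ASA's crypto-map ACL (on the ASA the ACL source is the ASA's own network, the destination the remote one). The ASA text embedded in the script is a constructed subset of the excerpt above.

```python
"""Consistency check between the Cisco ASA IKEv1 site-to-site excerpt quoted in
the post and the Phase 1 / Phase 2 values entered on the Zyxel USG 200.
Added example for this thread; it is not the poster's, Cisco's or Zyxel's code.
It only lists parameters on which the two sides differ; a text comparison
cannot tell which difference the ASA is rejecting with NO_PROPOSAL_CHOSEN.
"""
import ipaddress
import re

# Constructed input: the lines of the quoted ASA excerpt that carry IKE parameters.
ASA_CONFIG = """\
name 10.100.0.0 xy-net
access-list l2l_schweiz extended permit ip 192.168.5.0 255.255.255.0 xy-net 255.255.0.0
group-policy Schweiz-LTL attributes
 pfs enable
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map External_map 100 match address l2l_schweiz
crypto map External_map 100 set peer 109.164.134.46
crypto map External_map 100 set transform-set ESP-3DES-SHA
crypto map External_map 100 set security-association lifetime seconds 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# USG 200 values as transcribed from the post (constructed dict, field names are mine).
USG_SETTINGS = {
    "p1_encryption": "3des", "p1_hash": "sha", "p1_group": 2, "p1_lifetime": 28800,
    "p2_encryption": "3des", "p2_hashes": {"sha", "md5", "sha256"},
    "p2_lifetime": 86400, "p2_pfs_group": 2,
    "local_net": "192.168.5.0/24", "remote_net": "10.100.0.0/16",
}


def parse_asa(text):
    """Extract the phase 1 policy, the phase 2 transform set and lifetime, PFS and the
    crypto-map ACL (source = ASA-local network, destination = remote network)."""
    names, transform_sets = {}, {}
    asa = {"p1": {}, "p2": {}, "pfs": False}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"name (\S+) (\S+)$", line):
            names[m[2]] = m[1]
        elif m := re.match(r"isakmp policy \d+ (\w+) (\S+)$", line):
            asa["p1"][m[1]] = m[2]
        elif m := re.match(r"crypto ipsec transform-set (\S+) esp-(\S+) esp-(\w+)-hmac$", line):
            transform_sets[m[1]] = (m[2], m[3])
        elif m := re.match(r"crypto map \S+ \d+ set transform-set (\S+)$", line):
            asa["p2"]["encryption"], asa["p2"]["hash"] = transform_sets[m[1]]
        elif m := re.match(r"crypto map \S+ \d+ set security-association lifetime seconds (\d+)$", line):
            asa["p2"]["lifetime"] = int(m[1])
        elif m := re.match(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            # resolve "name" objects first, as the ASA does, then build the networks
            src = ipaddress.ip_network(f"{names.get(m[1], m[1])}/{m[2]}")
            dst = ipaddress.ip_network(f"{names.get(m[3], m[3])}/{m[4]}")
            asa["p2"]["local"], asa["p2"]["remote"] = str(src), str(dst)
        elif line == "pfs enable":
            asa["pfs"] = True  # "pfs enable" without a group means DH group 2 on the ASA
    return asa


def compare(asa, usg):
    """Return human-readable findings for every parameter the two peers disagree on."""
    p1, p2, findings = asa["p1"], asa["p2"], []
    if p1["encryption"] != usg["p1_encryption"] or p1["hash"] != usg["p1_hash"]:
        findings.append(f"phase 1 algorithms: ASA {p1['encryption']}/{p1['hash']}, "
                        f"USG {usg['p1_encryption']}/{usg['p1_hash']}")
    if int(p1["group"]) != usg["p1_group"]:
        findings.append(f"phase 1 DH group: ASA {p1['group']}, USG {usg['p1_group']}")
    if int(p1["lifetime"]) != usg["p1_lifetime"]:
        findings.append(f"phase 1 lifetime: ASA {p1['lifetime']}s, USG {usg['p1_lifetime']}s")
    # the USG may offer several hashes; the ASA's single transform set must be among them
    if p2["encryption"] != usg["p2_encryption"] or p2["hash"] not in usg["p2_hashes"]:
        findings.append(f"phase 2 transform: ASA {p2['encryption']}/{p2['hash']} not offered by USG")
    if p2["lifetime"] != usg["p2_lifetime"]:
        findings.append(f"phase 2 lifetime: ASA {p2['lifetime']}s, USG {usg['p2_lifetime']}s")
    asa_pfs_group = 2 if asa["pfs"] else None
    if asa_pfs_group != usg["p2_pfs_group"]:
        findings.append(f"PFS: ASA group {asa_pfs_group}, USG group {usg['p2_pfs_group']}")
    # proxy IDs must mirror: the USG's local net is the ASA's remote net and vice versa
    if (usg["local_net"], usg["remote_net"]) != (p2["remote"], p2["local"]):
        findings.append(f"proxy IDs not mirrored: ASA local {p2['local']} / remote {p2['remote']}, "
                        f"USG local {usg['local_net']} / remote {usg['remote_net']}")
    return findings


if __name__ == "__main__":
    for finding in compare(parse_asa(ASA_CONFIG), USG_SETTINGS):
        print(finding)
```

Run as-is, the script prints the differences between the two configurations as transcribed in the post (the two SA lifetimes and the orientation of the local/remote policies). The list is a checklist for the next round of reading the ASA-side debug output, not a diagnosis: a text comparison cannot say which of the differences the ASA actually rejects.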