VPN SRP541w to Zyxel Zywall 70

Hi
I have recently successfully configured an IPSEC VPN from a SRP541 to our Zyxel Zywall 70 (main site).
I can ping all devices on the remote site except the Cisco router!
I tried to disable the firewall and did set "Anonymous Internet Requests" to "disabled".
But still no ping (and no web management) over the VPN possible.
I must admit I am totally new to Cisco devices (up to now, we used only Zyxel) - so I guess it must be something very basic I am missing.
Can someone give me a hint?
Thanks
Andrej

Hi Andrej,
since this question is about a product in the Cisco Small Business / Linksys range, I suggest you move it to the community, where you will have a better chance of getting expert advice.
best regards,
Herbert
Cisco Moderator

Similar Messages

  • VPN Problem: Can't route to other network clients

    Hi,
    I can't ping the other clients on the network when I'm connected to VPN from outside.
    But accessing the internet through the VPN works. (Sending all data through VPN).
    So in fact, I can only ping the VPN server I'm connected to.
    Maybe someone here has an idea what I'm doing wrong here.
    Here is my setup:
    internet
    I
    I
    Airport Extreme (internal IP 192.168.3.1, Router with NAT Port forwarding to 192.168.3.3)
    I
    I
    Switch----macMini (192.168.3.3, OS X Server 10.4.10 with VPN, DHCP, DNS, NAT enabled)
    l
    l
    Other Clients on the Network (Clients have DNS entry 192.168.3.3 192.168.3.1, Router is 192.168.3.1)
    The services DHCP, DNS working well for internal clients.
    Has someone an idea?
    Thanks a lot.
    Alex
    Message was edited by: Syndrome

    First, ping is ICMP traffic, different from other kinds of (eg, TCP) traffic like AFP.
    See http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/productstechnote09186a00800a6057.shtml
    traceroute also uses some ICMP traffic but might also be using UDP, see
    http://en.wikipedia.org/wiki/Traceroute
    http://www.linuxplanet.com/linuxplanet/tutorials/6524/1/
    However, in testing, I can indeed ping the server, when I connect to a remote Mac OS X Server via the Mac OS X supplied vpn. But there is no AP Extreme in the path. So the two big factors are: limitations and/or configuration of the AP, and firewall settings for each/any machine involved.
    The Airport Extreme is really quite limited, compared to any more full-featured routing device - in terms of just how granular you can be with controlling traffic flow.
    (As a total aside, I'd recommend investing in something like a Zyxel Zywall 2 Plus (or similar or better) and running the AP in bridge mode for wireless clients.)
    When you've connected via VPN, please run
    netstat -rn to see what your default gateway is, that's actually being used.
    Finally, what led you to try these tests ? What other problems are you having, what primary issue(s) are you trying to solve ?

  • Server + Network issue

    I am at wits' end. I have a Mac Mini Server sitting in my office. It's connected to my home network. Network is made up of a main Apple Extreme tower serving as the "master" and another Extreme serving as the bridge. Server is running, sharing is turned on, but my MacBook Pro, sitting on the bridge, cannot see it. Can't get to the server via IP address, can't get to it by name, and the name does not come up.
    I have had nothing but problems when I try to create one giant network in my house using two Extremes. I am hoping someone has some tips for me.

    There might be multiple IP subnets configured here, and/or some sort of a routing issue such as multiple active network connections from a host (and where the subnets and static routes aren't configured to match) such as parallel WiFi and wired connections, or a typo with the DNS server (which should be your local OS X Server box), or attempts to reference off-LAN DNS servers.  I'd expect all hosts to be in the same subnet, with one gateway router, and preferably one DHCP server.
    Please also use the previously-referenced harmless diagnostic command to verify the server is set up correctly, as well.
    I'd usually get a cogent and capable firewall, and switch the Apple WiFi devices over into the Access Point mode; an AP, what Apple refers to as "bridging".   AirPort Extreme and Time Capsule are competent WiFi devices for home use and are competent access points for moderate-sized networks, but are not IMO particularly good firewalls for servers.
    FWIW, I usually use ZyXEL ZYWALL USG devices as gateway-firewall-router boxes, though they're not entry-level devices and do expect some familiarity with IP networking and with VPNs.  I do prefer and do use the embedded VPN server to allow remote access from OS X clients into the networks rather than using VPN pass-through, as well.  (Disclosure: I've purchased and used and manage various ZyXEL products, but have no other financial connections with the company.)

  • Use L2TP/IPsec or SSL for Wiki and Blog?

    Here comes another, slightly embarrassing, newbie question…
    The only service I am setting up on the server is the Wiki and Blog. We will only connect to the server through the internet (no public access). There are no clients on the inside.
    Now trying to decide which external firewall to buy.
    Since the only service is the Wiki and Blog, I would spontaneously think that SSL VPN is good because then we can log in through our web browsers and the Wiki and Blog is to be viewed with the web browser.
    To me it looks like quite a number of firewalls don't support SSL VPN (NetGear, D-link, Zyxel).
    I have never used VPN PPTP- or L2TP/IPsec-style. Can I use the web browser still with these protocols to see the Wiki and Blog?
    Cheers,
    HindIII

    I have been reading and reading, but there seems to always be room for "what do they mean by that" or "if they don't write it, its not possible", hehe.
    The NetGear FVX538 states in its specifications "VPN/security: IPsec (ESP, AH), MD5, SHA-1, DES, 3DES, IKE, PKI, AES" and for the FVS336G it says "VPN/security: IPsec (ESP), IKE, PKI, HTTPS"
    Even the full names of the firewalls are, to me, somewhat descriptive: "Prosafe Dual WAN VPN Firewall with 8-port 10/100 Switch FVX528" vs. "Dual Wan Gigabit SSL VPN Firewall FVS336G".
    One can also compare Zyxel's "ZyWall 5" and "ZyWall SSL 10".
    When I read the manuals, some hardly mention SSL while others (that often are called SSL in their names) have longer sections on how to set up SSL VPN.
    Thanks MrHoffman for your input.
    I hope I soon can decide which external firewall to get. Spontaneously, to me it sounds like the built-in firewall in 10.6 Server got pretty good specifications. One can do both PPTP and L2TP with Kerberos that is written to be excellent (according to Daniel Eran Dilger, writer of "Snow Leopard Server"). Then I get stuck in searching for Kerberos solutions in the external firewalls, never find that.
    It seems like I need someone to tell me exactly what to get and exactly what protocols to use :o) I wish I knew as much about servers as I do about my normal profession, hehe.

  • Simple file server accessible remotely with managed access. Do I need ML Server for this?

    Hello,
    I have a  Mac Mini that will be dedicated to serving 15 folders of documents to 7 people. It would be great if each person had their own password and I'd like to be able to decide what folders each user will have access to. The people need to be able to access the files from home and on the office network.
    Do I NEED to run OS X server for this Or can i accomplish this in OS X?
    I have to get this running quickly and I may not have time for the ML Server learning curve (even though it has been simplified).
    I tried to get ML server running on my machine a few weeks ago but got stuck. If setting up ML server with JUST the file server is dramatically easier I will try again. Can anyone please suggest a tutorial that takes me through simply setting up a remotely accessible file server with managed access with ML Server?
    V

    OS X client can serve files to remote clients, via both SMB/CIFS and AFS; via the Windows and OS X file services.  That's cheap, uses hardware you already have, and works fine.
    Most NAS boxes don't do distributed authentication.  Typically, you have credentials for the box at most.  Some of the mid- and upper-end boxes do offer distributed authentication, but that means having that authentication around.  At the low end, an Apple Time Capsule is a reasonable NAS box, and you can add an external disk.   And can be used for backups via Time Machine, too.  The mid- and upper-end boxes from Synology have a reputation for capabilities and flexibility.  There are (many) other vendors.
    I'm not a huge fan of LogMeIn for various reasons that I won't get into here, but that service does work for accessing hosts.  I don't know if that allows access to NAS directly, but I'd tend to doubt it.  You'd need to check with both LogMeIn and with the specs for whatever NAS box you're using.  
    Given the choice, I'd use a VPN.
    Using a VPN does mean you can control — at the VPN level — who can access your private network, so that can provide a broad-brush form of access control to your NAS device or your OS X client or your OS X Server box, if you go that route.
    I don't prefer to openly serve files to the internet, as the underlying protocols have occasionally had security issues and vulnerabilities, and the internet gremlins will find and will poke at any open ports and any accessible file servers.  I prefer to configure these services via VPN.
    VPNs are also more involved to set up, where LogMeIn can be simple.
    As mentioned previously, I'm also not a huge fan of the host-based VPN servers in OS X, though those do work.  The gateway boxes I've been using in the last year or so are probably not a good choice for a user that isn't familiar with networking  — the boxes provide a user interface that very definitely expect the user to understand IP and routing and related, but is both self-consistent and quite powerful — and they're cheap for what they can do, and they do work nicely.  ZyXEL ZyWALL USG series.  If you are evaluating any of these firewall boxes, then I'd definitely encourage downloading the manuals and making sure you can understand the available information.  The server-grade firewall boxes are almost inherently flexible and thus complex devices.
    One of the easiest ways is to work with somebody that does this sort of thing to sort through the options and requirements and trade-offs available here, and potentially to set up your VPN or NAS or server configuration for you.  (Disclosure: I offer this.)

  • Always disconnects on Wireless...

    Hello
    I'm using a Lenovo Thinkpad T60 (Sep '07) and Vista SP1. The Adapter is a Intel PRO/Wireless 3945ABG and the WLAN Router is Zyxel ZyWall 2. NIC driver version is 11.5.0.36 from Lenovo Website.
    Since the beginning, the WLAN connection does interrupt very often. Also a reinstallation of the operating system didn't get a benefit... Other computers do not have the same issue, so the router shouldn't be the problem?! Does anyone have a solution for this issue?
    Thanks in advance!
    Miguel

    Make certain that the WiFi card can't be turned off to save power in the power management tab for the device.
    Regards,
    James
    Full disclosure, I don't work for Lenovo.
    James at Thinkpads dot com

  • Two Different Wireless Routers

    OK, this might be impossible, but I'm gonna ask anyway. I have a WRT54G v 1.0 running a 4 PC wireless network quite well, and has been doing so for two years, no complaints at all, it is a great router with great firmware. The router was my gateway to a satellite internet (DOCIS) modem and now, lo and behold, I am able to get a decent EV-DO signal, so I bought a Zyxel Zywall 2WG wireless router with card slot for 3G modem and plan to ditch the dish. The problem is, I love my Linksys router. It's a great, stable unit and I want to keep it if at all possible. The zywall router has a bridge mode. What I am looking for is the way to configure the old network and bridge to utilize the 3G modem card in the zywall as my Internet gateway. It should be a simple matter, right?
    Message Edited by freightliner on 10-30-2007 02:48 PM

    O.K. Too bad. You'll need the routing functions in the Zyxel for 3G access. You can still make some use of your WRT, here.
    First, I assume you have the default IP address of 192.168.1.1 on the Zyxel. The Zyxel works and you have internet.
    Now follow these instructions to setup the WRT as your second router. You could assign a LAN IP address 192.168.1.2 as mentioned in the link to the WRT. You basically turn the WRT into a simple access point and hardware switch.
    I think the Zyxel also has a wireless access point built-in. You can set up the Zyxel with the same wireless settings as the WRT, i.e. identical SSID, identical wireless security settings, only the channels should be different. With these wireless settings you have a roaming wireless network. You are able to connect to either router and have access to the LAN and internet from there. You can also move the client from one wireless access point to the other one and a good client should switch without disconnecting.
    You should place the WRT at some distance from the Zyxel to really benefit from it, but you must remember that you have to run an Ethernet cable between both for this to work.

  • How to grant permission to applet on OS X

    I have a problem running an applet on Firefox 3.0.6 on OS X 10.5.6.
    The applet should open a local socket in listen mode for tunneling (it's the VPN applet from ZyXEL).
    But security settings prevent it from opening the port due to SocketPermissions missing 'listen'.
    Java Console:
    [starting up Java Applet Security @ Sat Apr 04 06:37:13 CEST 2009]
    Sat Apr 04 06:37:18 CEST 2009 JEP creating applet AppletVersion (https://test.ch/)
    SSLVPN Applet v4.5 ZyXEL
    <<< ProxyClassLoader: defined LiveConnectProxy class. >>>
    <<< Here're the permissions you've got: >>>
    <<< java.security.Permissions@82a033 (
    (java.net.SocketPermission test.ch connect,accept,resolve)
    ) >>>
    Is there a way to grant this applet the missing 'listen' permission?
    Adding it to local java.policy file had no effect.
    Strangely, the applet runs fine under Windows (Java 1.6)!
    Any suggestions?
    Thanks a lot!
    bue
    java -version:
    java version "1.5.0_16"
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_16-b06-284)
    Java HotSpot(TM) Client VM (build 1.5.0_16-133, mixed mode, sharing)
    Edited by: bue on Apr 3, 2009 9:52 PM

    install Microsoft Office, iWork or LibreOffice on your Mac

  • How to keep a printer invisible to other part of network

    I share a cable modem line with a suite mate (professional office). My equipment is plugged into my switch, and the switch is also receiving a feed from the cable modem. When my suite-mate had someone print some work, that work went to my printer instead of the suite-mate's printer. How do I make sure that my printer never appears as an available option? I am using Mac OS 10.7.5 and the suite-mate is using Windows XP through Windows 8. In fact, this situation is a cause for concern, because we both need to assure that no other parties can wander into and through our files. This isn't the first time this has happened.

    At its simplest, you'll partition your network.  That can be via a managed switch with vLAN support, or by connecting up an IP router which will inherently block the typical Bonjour traffic — which is likely how the printer is being detected here — or via a firewall connected at the cable modem and particularly that has support for multiple network segments and run those to the different areas (which will keep the networks quite separate). 
    Of these, the latter probably most closely meets your needs; the firewall.  Particularly because that can be configured to block other traffic between the LANs; more than just the Bonjour chatter will be blocked.  Locally, I'm using various ZyXEL ZYWALL USG series firewalls, which does have support for multiple local networks (two LANs plus a DMZ are common on various of the low- to mid-range models).  (I've not tried the USG without NAT, but the device does have options to do that.)
    You don't want to have two devices both doing NAT here, so either disable NAT at the cable modem and use a firewall that does NAT, or — if you can't switch the cable modem into its bridge mode, or the modem doesn't support bridging — then you'll have to avoid allowing any NAT at your firewall.

  • PIX 515 & Zywall Site to Site VPN

    I would like to setup IPSEC Tunnel Between PIX and Zywall 70
    Tunnel can't be established. :(
    When I check the log, it stops after return [return status is IKMP_NO_ERR_NO_TRANS]
    What's wrong?
    Would you mind to help me to fix it?

    MY PIX Config

  • 2851 router vpn to 851 router lan clients cannot ping

    Greets - I'm expanding my lab experience by adding a 2851 router to my mix of 18xx and 851/871 units. Some of this infrastructure is in production, some just lab work. I have established good connectivity between 18xx's and 851/871's with IPSEC VPNs (site-to-site static and dynamic), but my problem is with adding in a 2851.
    Setup: 2851 with 12.4 ADVENTK9, WAN on GE0/0 as 216.189.223.bbb/26, LAN on GE0/1 as 172.20.0.1/20 (VPN module, but no additional HWIC modules)
    851 with 12.4 ADVENTK9, WAN on FE4 as 216.53.254.aaa/24, LAN on FE0..3 via BVI1 as 172.21.1.1/24
    The two router WAN ports are bridged via a 3rd router (a Zywall with 216.0.0.0/8 route, with the router at 216.1.1.1) affectionately called the "InterNOT", which provides a surrogate to the great web, minus actual other hosts and dns, but it doesn't matter. As both my WAN addresses are within 216.x.x.x, this works quite well. This surrogate has tested fine and is known to not be part of a problem.
    The 851 has been tested against another 851 with complementary setup and a successful VPN can run between the two.
    I have good LAN-WAN connections on each router. I do have a "Good" VPN connection between the two routers.
    The problem: I cannot ping from a LAN host on 172.20.x.x on the 2851 to any 172.21.1.x (eg 172.21.1.1) host on the 851, and vice versa.
    From a LAN host, I can ping to my InterNOT - for example a dhcp host 172.20.6.2 on the 2851 LAN can ping 216.1.1.1 fine. I can also ping the 851's WAN address at 216.53.254.aaa.
    To complicate matters, if I connect to the routers via console, I CAN ping across the vpn to the destination LAN hosts, in both directions.
    This seems to indicate that there is a bridging problem between the LAN interfaces to the VPN interfaces. I suspect this is a config problem on the 2851, as I have had a similar config working on my 851 to 851 site-to-site setups. I also suspect it is in the 2851's config as I'm still just starting out with this particular router.
    So some stripped-down configs:
    For the 2851:
    no service config
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname router2851
    boot-start-marker
    boot-end-marker
    no logging buffered
    no logging console
    enable password mypassword2
    no aaa new-model
    dot11 syslog
    no ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.20.0.1 172.20.6.1
    ip dhcp excluded-address 172.20.6.254 172.20.15.254
    ip dhcp pool Internal_2000
       import all
       network 172.20.0.0 255.255.240.0
       domain-name myseconddomain.int
       default-router 172.20.0.1
       lease 7
    no ip domain lookup
    multilink bundle-name authenticated
    voice-card 0
     no dspfarm
    crypto pki <<truncated>>
    crypto pki certificate chain TP-self-signed-2995823027
     <<truncated>>
          quit
    username myusername privilege 15 password 0 mypassword2
    archive
     log config
      hidekeys
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key mysharedkey address 216.53.254.aaa
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to216.53.254.aaa
     set peer 216.53.254.aaa
     set transform-set ESP-3DES-SHA
     match address 100
    interface GigabitEthernet0/0
     description $ETH-WAN$
     ip address 216.189.223.bbb 255.255.255.192
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map SDM_CMAP_1
     no shut
    interface GigabitEthernet0/1
     description $FW_INSIDE$$ETH-LAN$
     ip address 172.20.0.1 255.255.240.0
     ip nat inside
     ip virtual-reassembly
     no ip route-cache
     duplex auto
     speed auto
     no mop enabled
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
    ip http server
    ip http authentication local
    ip http secure-server
    ip dns server
    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 172.20.0.0 0.0.15.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
    access-list 101 permit ip 172.20.0.0 0.0.15.255 any
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    control-plane
    banner motd ~This is a private computer system for authorized use only. And Stuff~
    line con 0
    line aux 0
    line vty 0 4
     privilege level 15
     password mypassword
     login local
     transport input telnet ssh
    scheduler allocate 20000 1000
    end
    And for the 851:
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname router851
    boot-start-marker
    boot-end-marker
    logging buffered 52000 debugging
    no logging console
    enable password mypassword
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    resource policy
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.21.1.1 172.21.1.100
    ip dhcp pool Internal_2101
       import all
       network 172.21.1.0 255.255.255.0
       default-router 172.21.1.1
       domain-name mydomain.int
       dns-server 172.21.1.10
       lease 4
    ip cef
    ip domain name mydomain.int
    ip name-server 172.21.1.10
    crypto pki <<truncated>>
    crypto pki certificate chain TP-self-signed-3077836316
     <<truncated>>
      quit
    username myusername privilege 15 password 0 mypassword2
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key mysharedkey address 216.189.223.aaa
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to216.189.223.bbb
     set peer 216.189.223.bbb
     set transform-set ESP-3DES-SHA2
     match address 100
    bridge irb
    interface FastEthernet0
     spanning-tree portfast
    interface FastEthernet1
     spanning-tree portfast
    interface FastEthernet2
     spanning-tree portfast
    interface FastEthernet3
     spanning-tree portfast
    interface FastEthernet4
     description $ETH-WAN$
     ip address 216.53.254.aaa 255.255.254.0
     ip nat outside
     ip virtual-reassembly
     ip tcp adjust-mss 1460
     duplex auto
     speed auto
     no cdp enable
     crypto map SDM_CMAP_1
     no shut
    interface Vlan1
     description Internal Network
     no ip address
     ip nat inside
     ip virtual-reassembly
     bridge-group 1
     bridge-group 1 spanning-disabled
    interface BVI1
     description Bridge to Internal Network
     ip address 172.21.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    ip route 0.0.0.0 0.0.0.0 FastEthernet4
    ip route 172.21.1.0 255.255.255.0 BVI1
    ip http server
    ip http secure-server
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 172.21.1.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 172.21.1.0 0.0.0.255 172.21.101.0 0.0.0.31
    access-list 101 permit ip 172.21.1.0 0.0.0.255 any
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    control-plane
    bridge 1 route ip
    banner motd ~This is a private computer system for authorized use only. And Stuff.~
    line con 0
     password mypassword
     no modem enable
    line aux 0
    line vty 0 4
     password mypassword
    scheduler max-task-time 5000
    end
    Note that the above are somewhat stripped-down configs, without firewall or WAN ACL's - interestingly my default WAN-Inbound ACLs seem to break connectivity when included, so I realize I have some more cleanup to do there, but the 2851 LAN bridging seems to be what I should concentrate on first.
    I'm still googling some of the particulars with the 2851, but any assistance is appreciated.
    Regards,
    Ted.
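Added example, not part of Ted's post or of any Cisco tooling: a small Python audit of the three pieces of the configs above that decide whether LAN traffic enters the tunnel, namely mirrored crypto ACLs, a NAT exemption ahead of the overload rule, and a pre-shared key entry for the crypto map peer. On IOS, inside-to-outside NAT is applied before the crypto map ACL is checked, and router-sourced pings never cross an `ip nat inside` interface, so a broken exemption affects LAN hosts only. The LAN subnets follow the thread; the WAN addresses (documentation ranges), the key and all function names are constructed for this example, and only `permit|deny ip <addr> <wildcard>` / `any` ACL entries are parsed.

```python
import ipaddress
import re

# Constructed, trimmed configs (placeholder WAN addresses and key).
SITE_A = """\
crypto isakmp key EXAMPLE-KEY address 198.51.100.2
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 198.51.100.2
 match address 100
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 deny   ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 permit ip 172.20.0.0 0.0.15.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""
SITE_B = """\
crypto isakmp key EXAMPLE-KEY address 203.0.113.2
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.2
 match address 100
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 100 permit ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 deny   ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 deny   ip 172.21.1.0 0.0.0.255 172.21.101.0 0.0.0.31
access-list 101 permit ip 172.21.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""
# Two deliberately broken variants used to show what the audit reports.
SITE_A_NO_EXEMPT = SITE_A.replace(
    "access-list 101 deny   ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255\n", "")
SITE_B_WRONG_KEY = SITE_B.replace("address 203.0.113.2", "address 203.0.113.9")


def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for 'ip' entries."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if (len(tok) < 6 or tok[0] != "access-list"
                or tok[2] not in ("permit", "deny") or tok[3] != "ip"):
            continue  # remarks, standard ACLs and other lines are ignored
        rest, nets = tok[4:], []
        while rest:
            if rest[0] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                rest = rest[1:]
            else:  # ipaddress accepts an IOS wildcard as a host mask
                nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}"))
                rest = rest[2:]
        acls.setdefault(tok[1], []).append((tok[2], nets[0], nets[1]))
    return acls


def crypto_acl(config):
    """Entries of the ACL named by the crypto map's 'match address'."""
    num = re.search(r"^\s*match address (\d+)\s*$", config, re.M).group(1)
    return parse_acls(config)[num]


def nat_acl(config):
    """Entries of the ACL behind the route-map used by the NAT overload rule."""
    name = re.search(r"^ip nat inside source route-map (\S+) ", config, re.M).group(1)
    num = re.search(rf"^route-map {re.escape(name)} permit \d+\n\s+match ip address (\d+)",
                    config, re.M).group(1)
    return parse_acls(config)[num]


def nat_exempts(config):
    """True if no tunnel traffic reaches a NAT 'permit' before a covering 'deny'."""
    for action, src, dst in crypto_acl(config):
        if action != "permit":
            continue
        for n_action, n_src, n_dst in nat_acl(config):
            if not (src.overlaps(n_src) and dst.overlaps(n_dst)):
                continue
            if n_action == "permit":
                return False  # translated first, so it no longer matches the crypto ACL
            if src.subnet_of(n_src) and dst.subnet_of(n_dst):
                break  # fully covered by a deny: left untranslated
    return True


def audit(local, remote):
    """Return a list of findings for the 'local' router of a site-to-site pair."""
    findings = []
    mine = {(s, d) for a, s, d in crypto_acl(local) if a == "permit"}
    theirs = {(d, s) for a, s, d in crypto_acl(remote) if a == "permit"}
    if mine != theirs:
        findings.append("crypto ACLs are not mirror images")
    if not nat_exempts(local):
        findings.append("tunnel traffic is NATed before the crypto ACL is checked")
    peers = set(re.findall(r"^\s*set peer (\S+)", local, re.M))
    keyed = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", local, re.M))
    if not peers <= keyed:
        findings.append("crypto map peer has no matching isakmp key entry")
    return findings


if __name__ == "__main__":
    for label, a, b in [("A", SITE_A, SITE_B), ("A without exemption", SITE_A_NO_EXEMPT, SITE_B),
                        ("B with wrong key address", SITE_B_WRONG_KEY, SITE_A)]:
        print(label, "->", audit(a, b) or "ok")
```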

    Hi,
    First, please delete NAT. If we configured the NAT in the RRAS, the source IP address in all packets sent to 192.168.1.0/24 would be translated to 192.168.1.224.
    Second, please enable the LAN routing in RRAS server. To enable LAN routing, please follow the steps below:
    1. In the RRAS server, open Routing and Remote Access.
    2. Right-click the server name, then click Properties.
    3. On the General tab, select the IPv4 Router check box, and then click Local area network (LAN) routing only.
    Then, announce the 172.16.0.0 network to the router.
    To learn more details about enabling LAN routing, please refer to the link below:
    http://technet.microsoft.com/en-us/library/dd458974.aspx
    Best Regards,
    Tina

  • [SRP527w] NAT Traversal not available in VPN options!!!

    Hi,
    I'm so disappointed to find such a light and incomplete VPN menu on the SRP527w.
    As a Cisco certified network engineer, I'm testing it because my company needs about twenty ADSL+ 3G Backup router, and Cisco seemed to offer the best solution.
    We need to build a VPN over 3G if the ADSL link fails. Unfortunately, 3G accesses in France are routed through a wide private network before reaching the Internet. That's not a matter for one of our Zyxel routers, which include the NAT Traversal (or NAT-T) feature. But with this Cisco, it's impossible to make the traffic go through the VPN.
    Please tell me that this feature will be included in the next firmware release!
    Regards,
    Gaultier

    Thank you for your lightning-fast answer!
    I downloaded the MR3 RC release, and... it works fine! My VPN is established over 3G.
    Thank you for the great job you did improving the capabilities of the SRP520... Hope there are much more useful features like that on your roadmap!
    Regards,
    Gaultier.

  • Why does my L2TP VPN connection never really contact the server?

    To be clear, this configuration is not on my own Mac, but on one belonging to someone I serve with technical support.
    I am configuring an L2TP over IPSec VPN connection on a MacBook Pro. This connection is to a ZyXEL USG 300 and works successfully from my iPad. (I do not have my own OS X device from which I can test the connection.)
    To the best of my knowledge, I have entered all of the information that is needed for the connection. Yet when I try to connect, all I receive is an indication that the server did not respond. In the USG logs, there is no indication at all of there being even a connection attempt. In a Terminal session on the Mac (verbose logging is enabled), I read:
    L2TP connecting to server 'xx.xx.xxx.xx' (xx.xx.xxx.xx)...
    IPSec connection started
    IPSec connection failed
    It appears to me as if the connection never leaves the Mac and is prevented or stopped by some fault in the system. The firewall is turned off.
    What suggestions do you have for identifying the problem?

    That's weird but you should be able to manually install the update like this:
    1. Download a fresh copy from http://www.mozilla.org/en-US/firefox/all/ - direct link (https://download.mozilla.org/?product=firefox-28.0-SSL&os=osx&lang=en-US)
    2. Install the new version. For details, see "How to download and install Firefox on Mac"
    Usually this fixes this issue with automatic updates. There will be new version available starting next Tuesday. The automatic update will happen sometime over the following week or so.
    Let me know how it goes.
    Thanks,
    Michael

  • Zywall35 - Nokia - VPN Problem

    [quote]
    1 2013-01-13 14:15:04 Rule[VPN_von_unterwegs] receives duplicate packet IP Cell Phone Public IP Router IKE
    2 2013-01-13 14:15:04 The cookie pair is : XXXXXX / XXXXXX IP Cell Phone Public IP Router IKE
    3 2013-01-13 14:14:58 Rule[VPN_von_unterwegs] receives duplicate packet IP Cell Phone Public IP Router IKE
    4 2013-01-13 14:14:58 The cookie pair is : XXXXXX / XXXXXX IP Cell Phone Public IP Router IKE
    5 2013-01-13 14:14:53 Rule[VPN_von_unterwegs] receives duplicate packet IP Cell Phone Public IP Router IKE
    6 2013-01-13 14:14:53 The cookie pair is : XXXXXX / XXXXXX IP Cell Phone Public IP Router IKE
    7 2013-01-13 14:14:49 Rule[VPN_von_unterwegs] receives duplicate packet IP Cell Phone Public IP Router IKE
    8 2013-01-13 14:14:49 The cookie pair is : XXXXXX / XXXXXX IP Cell Phone Public IP Router IKE
    9 2013-01-13 14:14:38 Phase 1 IKE SA process done Public IP Router IP Cell Phone IKE
    10 2013-01-13 14:14:38 The cookie pair is : XXXXXX / XXXXXX Public IP Router IP Cell Phone IKE
    11 2013-01-13 14:14:38 Send:[ID][HASH][NOTFY:INIT_CONTACT] Public IP Router IP Cell Phone IKE
    12 2013-01-13 14:14:38 The cookie pair is : XXXXXX / XXXXXX Public IP Router IP Cell Phone IKE
    13 2013-01-13 14:14:38 Recv:[ID][HASH][NOTFY:INIT_CONTACT] IP Cell Phone Public IP Router IKE
    14 2013-01-13 14:14:38 The cookie pair is : XXXXXX / XXXXXX IP Cell Phone Public IP Router IKE
    15 2013-01-13 14:14:38 Send:[KE][NONCE] Public IP Router IP Cell Phone IKE
    16 2013-01-13 14:14:38 The cookie pair is : XXXXXX / XXXXXX Public IP Router IP Cell Phone IKE
    17 2013-01-13 14:14:38 Recv:[KE][NONCE][VID] IP Cell Phone Public IP Router IKE
    18 2013-01-13 14:14:38 The cookie pair is : XXXXXX / XXXXXX IP Cell Phone Public IP Router IKE
    19 2013-01-13 14:14:37 Send:[SA][VID][VID] Public IP Router IP Cell Phone IKE
    20 2013-01-13 14:14:37 The cookie pair is : XXXXXX / XXXXXX Public IP Router IP Cell Phone IKE
    21 2013-01-13 14:14:37 Recv:[SA][VID][VID][VID][VID][VID] IP Cell Phone Public IP Router IKE
    22 2013-01-13 14:14:37 The cookie pair is : XXXXXX / XXXXXX IP Cell Phone Public IP Router IKE
    23 2013-01-13 14:14:37 Recv Main Mode request from [IP Cell Phone] IP Cell Phone Public IP Router IKE
    24 2013-01-13 14:14:37 Rule [VPN_von_unterwegs] Receiving IKE request IP Cell Phone Public IP Router IKE
    25 2013-01-13 14:14:37 The cookie pair is : XXXXXX / XXXXXX IP Cell Phone Public IP Router IKE
    [/quote]
    I don't know what is wrong...

    As discussed on Telefon-Treff.de, your VPN router lacks proper debugging output. Furthermore, you are hesitant to change your existing setup, aren’t you? That makes it difficult to help, especially because one needs both your devices: a Nokia Symbian/S60 and a ZyXEL VPN router. Have you asked on a ZyXEL-related discussion board? Yes, you have.
    You have to use trial and error. IPSec is complicated because there are different naming conventions AND sometimes translation issues. For a start, you have to break the compatibility with your existing devices and go for extensible authentication (XAUTH, Edit Gateway Policy).
    Alternatively, you could go for a consultant in your vicinity. He will take several thousand euros. And he will tell you: Go for a VPN router which has proven support and guides with/for Nokia Symbian devices. Reason: It could be a single bug, a single bit which could prevent this device combination from working with each other.
    In your case, I would start a new thread at Telefon-Treff.de because German is your native language. There, I would post the settings of "Edit Gateway Policy", because without those, we are not able to match your Nokia Policy file.
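    One way to read the log quoted above, as an added example that is not part of either post: the script orders the entries oldest first and summarises the IKE exchange. On this log it reports the six Main Mode messages, Phase 1 completing on the router, then four retransmissions from the phone and no further Send:/Recv: exchange.

```python
import re

PEER = r"(IP Cell Phone|Public IP Router)"
ENTRY = re.compile(r"(\d+) (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*?) "
                   + PEER + " " + PEER + r" IKE\b")

# Entries copied from the log quoted above ("cookie pair" lines left out);
# the peer names are the poster's own anonymised placeholders.
LOG = """
1 2013-01-13 14:15:04 Rule[VPN_von_unterwegs] receives duplicate packet IP Cell Phone Public IP Router IKE
3 2013-01-13 14:14:58 Rule[VPN_von_unterwegs] receives duplicate packet IP Cell Phone Public IP Router IKE
5 2013-01-13 14:14:53 Rule[VPN_von_unterwegs] receives duplicate packet IP Cell Phone Public IP Router IKE
7 2013-01-13 14:14:49 Rule[VPN_von_unterwegs] receives duplicate packet IP Cell Phone Public IP Router IKE
9 2013-01-13 14:14:38 Phase 1 IKE SA process done Public IP Router IP Cell Phone IKE
11 2013-01-13 14:14:38 Send:[ID][HASH][NOTFY:INIT_CONTACT] Public IP Router IP Cell Phone IKE
13 2013-01-13 14:14:38 Recv:[ID][HASH][NOTFY:INIT_CONTACT] IP Cell Phone Public IP Router IKE
15 2013-01-13 14:14:38 Send:[KE][NONCE] Public IP Router IP Cell Phone IKE
17 2013-01-13 14:14:38 Recv:[KE][NONCE][VID] IP Cell Phone Public IP Router IKE
19 2013-01-13 14:14:37 Send:[SA][VID][VID] Public IP Router IP Cell Phone IKE
21 2013-01-13 14:14:37 Recv:[SA][VID][VID][VID][VID][VID] IP Cell Phone Public IP Router IKE
23 2013-01-13 14:14:37 Recv Main Mode request from [IP Cell Phone] IP Cell Phone Public IP Router IKE
"""

def parse(log):
    """Return entries oldest first (the log lists the newest entry first)."""
    rows = [dict(zip(("n", "time", "msg", "src", "dst"), m.groups()))
            for m in ENTRY.finditer(log)]
    return sorted(rows, key=lambda r: -int(r["n"]))

def payloads(msg):
    """Payload types of one Send:/Recv: entry, ignoring vendor IDs."""
    return [p for p in re.findall(r"\[([A-Z]+)", msg) if p != "VID"]

def diagnose(log):
    rows = parse(log)
    done = next((i for i, r in enumerate(rows)
                 if "Phase 1 IKE SA process done" in r["msg"]), len(rows))
    before, after = rows[:done], rows[done + 1:]
    xchg = lambda r: r["msg"].startswith(("Send:", "Recv:"))
    return {
        "main_mode": [(r["msg"][:4], payloads(r["msg"])) for r in before if xchg(r)],
        "phase1_done": done < len(rows),
        "retransmits_after_phase1": sum("duplicate packet" in r["msg"] for r in after),
        "exchanges_after_phase1": sum(xchg(r) for r in after),
    }

if __name__ == "__main__":
    for key, value in diagnose(LOG).items():
        print(key, "=", value)
```

    The parser matches entries with a regular expression rather than line by line, so it also works on the log when it has been pasted as one run-together line.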

  • VPN s2s tunnel after PAT and NAT on non-cisco

    Hello!
    I have a Cisco 1711. On the LAN there is a ZyXEL firewall. I have tried to establish an s2s tunnel between this LAN ZyXEL and another ZyXEL on the other side, on the WAN.
    Cisco:
    interface Serial0
    description Polaczenie do Internetu$FW_OUTSIDE$
    bandwidth 2048
    ip address 80.50.92.xxx 255.255.255.252
    ip nat pool PAT 213.77.105.248 213.77.105.252 prefix-length 29
    ip nat inside source static 192.168.0.199 213.77.105.xxx extendable
    The ZyXEL is at LAN address 192.168.0.199 and is NATed to 213.77.105.xxx.
    My question is:
    Is there a possibility to establish an s2s tunnel with a host in the LAN that is NATed to a WAN address as above?

    So you're saying that your configuration is:
    Zyxel (LAN) -> 1711 -> Zyxel (WAN), and you want to establish a l2l VPN tunnel between the LAN and WAN Zyxel firewalls, and you're NATting the LAN Zyxel firewall to a WAN address?
    If yes, then your answer is: Yes, you can do a VPN, but using NAT-Traversal. It's a technology where the IKE ports of the initiator and the responder are changed from their default value of 500 to 4500 in order to support NAT devices working in-between the VPN. If your Zyxel firewall supports NAT-T then there's a good chance this will work.
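    How two peers notice the NAT before moving IKE to UDP 4500, as an added example that is not part of the thread and goes one step beyond the reply: it computes the NAT-D hashes defined in RFC 3947 for the topology in the question. The cookies and both public addresses are constructed placeholders (documentation ranges), not the poster's values.

```python
import hashlib
import ipaddress
import struct

def nat_d(cky_i, cky_r, ip, port, algo="sha1"):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port)."""
    blob = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, blob).digest()

def check_nat(payloads, cky_i, cky_r, seen_src, seen_dst):
    """Evaluate a peer's NAT-D payloads against the packet's real addresses.

    payloads[0] hashes the address the sender aimed at (us); the rest hash
    the sender's own address(es). seen_src/seen_dst are the (ip, port) pairs
    in the IP/UDP header of the packet as it arrived.
    """
    we_are_natted = payloads[0] != nat_d(cky_i, cky_r, *seen_dst)
    peer_is_natted = nat_d(cky_i, cky_r, *seen_src) not in payloads[1:]
    return {"we_are_natted": we_are_natted, "peer_is_natted": peer_is_natted,
            "ike_port": 4500 if (we_are_natted or peer_is_natted) else 500}

# Constructed values. 192.168.0.199 is the LAN ZyXEL from the post; the two
# public addresses are documentation-range placeholders, not the poster's.
CKY_I, CKY_R = bytes.fromhex("1122334455667788"), bytes.fromhex("99aabbccddeeff00")
LAN_ZYXEL = ("192.168.0.199", 500)
NAT_PUBLIC = ("203.0.113.10", 500)    # stands in for the 1711's static NAT address
WAN_ZYXEL = ("198.51.100.20", 500)

def responder_view():
    """WAN ZyXEL receives the LAN ZyXEL's NAT-D payloads through the 1711."""
    sent = [nat_d(CKY_I, CKY_R, *WAN_ZYXEL), nat_d(CKY_I, CKY_R, *LAN_ZYXEL)]
    return check_nat(sent, CKY_I, CKY_R, seen_src=NAT_PUBLIC, seen_dst=WAN_ZYXEL)

def no_nat_view():
    """Same exchange with no translation on the path, for comparison."""
    sent = [nat_d(CKY_I, CKY_R, *WAN_ZYXEL), nat_d(CKY_I, CKY_R, *LAN_ZYXEL)]
    return check_nat(sent, CKY_I, CKY_R, seen_src=LAN_ZYXEL, seen_dst=WAN_ZYXEL)

if __name__ == "__main__":
    print("through NAT:", responder_view())
    print("no NAT:     ", no_nat_view())
```

    The hash the LAN ZyXEL sends for its own address no longer matches the source address the WAN side sees, which is the signal that makes both peers switch to port 4500.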
