https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-with-Zyxel-USG110/m-p/92880#M10776 <P>Hi,</P><P>many thanks for your reply.</P><P><SPAN>Even with VPN Tunnel Sharing to "pair of hosts" didn't work. the discuss you share give some hints to solve this issue.</SPAN></P><P><SPAN>After change IKE v2 to IKE v1 on&nbsp;&nbsp;Zyxel all tunnels get up and the traffic works fine.&nbsp;</SPAN></P><P><SPAN>Once again, thank you very much.</SPAN></P> Thu, 30 Jul 2020 15:13:49 GMT HS 2020-07-30T15:13:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-with-Zyxel-USG110/m-p/92519#M10774 <P>Hi,</P><P>we are facing some difficult to establish a IPSEC VPN&nbsp; with&nbsp;Zyxel USG110 and our Checkpoint R80.20.</P><P>We have 3 networks (encryption domain) on IPSEC VPN but it is random just one of the network is active.&nbsp;</P><P>For some point&nbsp;Zyxel USG110 has just one of the 3 networks active and it is random.&nbsp;</P><P>If we just configure one network works fine, but if we add one more network one of them will be down and it is&nbsp; random.</P><P>Checkpoint logs we have just this reject:</P><P>IKE: Child SA exchange: Sending notification to peer: Invalid Key Exchange payload</P><P>IKE Category:&nbsp;Reject Category</P><P>The source is from&nbsp;Zyxel USG110 to our checkpoint.&nbsp;</P><P>Tunnel management: "One VPN Tunnel per subnet pair" pair changed to&nbsp;"One VPN Tunnel per gateway pair" . The behavior it's the same.</P><P>&nbsp;</P><P>on a dump i get&nbsp;NONESP-encap: isakmp: phase 2/others ? #36[]</P><P>looks like the traffic it is not being encapsulated ?</P><P>Do you have any idea what could be missing from Checkpoint configuration ?</P> Mon, 27 Jul 2020 12:21:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-with-Zyxel-USG110/m-p/92519#M10774 HS 2020-07-27T12:21:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-with-Zyxel-USG110/m-p/92544#M10775 <P>Try setting VPN Tunnel Sharing to "pair of hosts".&nbsp; Does the VPN fail completely after a policy install and any existing tunnels are reset on both sides?&nbsp; If so you have Phase 2 Proxy-ID/subnet issues which the Zyxel is very picky about, see here:</P> <P><A href="https://community.checkpoint.com/t5/General-Topics/IKE-Failure-on-Site-to-site-IPSec-VPN-with-Zyxel-USG-open-for/m-p/86227" target="_blank">https://community.checkpoint.com/t5/General-Topics/IKE-Failure-on-Site-to-site-IPSec-VPN-with-Zyxel-USG-open-for/m-p/86227</A></P> <P>&nbsp;</P> Mon, 27 Jul 2020 16:28:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-with-Zyxel-USG110/m-p/92544#M10775 Timothy_Hall 2020-07-27T16:28:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-with-Zyxel-USG110/m-p/92880#M10776 <P>Hi,</P><P>many thanks for your reply.</P><P><SPAN>Even with VPN Tunnel Sharing to "pair of hosts" didn't work. the discuss you share give some hints to solve this issue.</SPAN></P><P><SPAN>After change IKE v2 to IKE v1 on&nbsp;&nbsp;Zyxel all tunnels get up and the traffic works fine.&nbsp;</SPAN></P><P><SPAN>Once again, thank you very much.</SPAN></P> Thu, 30 Jul 2020 15:13:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-with-Zyxel-USG110/m-p/92880#M10776 HS 2020-07-30T15:13:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-with-Zyxel-USG110/m-p/92882#M10777 <P>Yeah unfortunately interoperability between vendors is still pretty spotty with IKEv2, seen issues like this many many times.&nbsp; It took IKEv1 seemingly about 10 years to work properly between all the vendors, so my advice when setting up an interoperable VPN is to give IKEv2 a shot, and if there are any problems do not hesitate to go back to IKEv1.</P> Thu, 30 Jul 2020 15:25:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-with-Zyxel-USG110/m-p/92882#M10777 Timothy_Hall 2020-07-30T15:25:41Z