
I'm trying to initiate an IPSec connection (Site-to-Site) between a Debian 10 server with StrongSwan and a Nebula NSG200.

Let's assume:

  • Debian server:
    • Public IP : 50.50.50.45
    • Private Network: 10.1.0.0/16
  • Nebula NSG200:
    • Public IP : 100.100.100.123
    • Private Network : 10.40.0.0/24

But the authentication fails every time. I get the following messages in Debian's logs.

I can't understand why the authentication failed!

...
charon: 13[NET] received packet: from 100.100.100.123[500] to 50.50.50.45[500] (480 bytes)
charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V ]
charon: 13[ENC] received unknown vendor ID: xx:xx:xx:xx:xx:...
charon: 13[ENC] received unknown vendor ID: yy:yy:yy:yy:yy:...
charon: 13[ENC] received unknown vendor ID: zz:zz:zz:zz:zz:...
charon: 13[IKE] 100.100.100.123 is initiating an IKE_SA
charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024
charon: 13[IKE] remote host is behind NAT
charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
charon: 13[NET] sending packet: from 50.50.50.45[500] to 100.100.100.123[500] (312 bytes)
charon: 14[NET] received packet: from 100.100.100.123[4500] to 50.50.50.45[4500] (320 bytes)
charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(HTTP_CERT_LOOK) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
charon: 14[IKE] received 1 cert requests for an unknown ca
charon: 14[CFG] looking for peer configs matching 50.50.50.45[%any]...100.100.100.123[10.0.1.250]
charon: 14[CFG] no matching peer config found
charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
charon: 14[NET] sending packet: from 50.50.50.45[4500] to 100.100.100.123[4500] (96 bytes)
...

StrongSwan side

/etc/ipsec.conf :

config setup
        charondebug="all"
        uniqueids=yes
conn deb-to-neb
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=100.100.100.123
        leftsubnet=10.40.0.1/24
        right=50.50.50.45
        rightsubnet=10.1.0.1/16
        ike=aes256-sha512-modp1024!
        esp=aes256-sha512!
        aggressive=yes
        keyingtries=%forever
        ikelifetime=86400s
        lifetime=3600s
        dpdaction=restart

/etc/ipsec.secrets :

100.100.100.123 50.50.50.45 : PSK "MySuperSecret"
50.50.50.45 100.100.100.123 : PSK "MySuperSecret"

Nebula side

Nebula configuration (from screenshot):

  • Phase 1
    • IKE version : IKEv2
    • Encryption : AES256
    • Authentication : SHA512
    • Diffie-Hellman Group : DH2
    • Lifetime (seconds) : 86400
  • Phase 2 (Set 1)
    • Encryption : AES256
    • Authentication : SHA512
    • PFS Group : DH2
    • Lifetime (seconds) : 3600

2 Answers

It's not an authentication error, the problem is that your configuration doesn't match:

charon: 14[CFG] looking for peer configs matching 50.50.50.45[%any]...100.100.100.123[10.0.1.250]
charon: 14[CFG] no matching peer config found

In particular, the remote identity. Because you haven't configured rightid, it defaults to the remote IP address (100.100.100.123), but that does not match the identity the peer sends (10.0.1.250). Since changing the identity on the peer does not seem to be an option (based on that screenshot), try configuring rightid=10.0.1.250.

– ecdsa
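To make the "no matching peer config found" diagnosis above reproducible, here is an added example (not part of the question, the answer, or strongSwan itself) that parses the conn blocks of an ipsec.conf, extracts the me[my_id]...other[other_id] pair from charon's CFG line, and reports which identity the conn would accept versus which one the peer sent. It mimics only two strongSwan rules: a missing leftid/rightid defaults to that side's address, and left/right are swapped when the right address is the local one (both stated here as assumptions about starter's behaviour). The first sample is the question's conn, whose right address is the Debian host's own, so the tool names the peer side by the keyword that holds the peer address; the second sample uses the conventional left=local layout, where the same identity goes under rightid exactly as the answer suggests.

```python
"""Check which conn in an ipsec.conf would match the identities charon logged.

Added example for this thread, not strongSwan code. Assumptions: a missing
leftid/rightid defaults to the side's address, and sides are swapped when the
'right' address is the local one. Only the identity pair is compared; the real
matcher also considers IKE version, auth method, proposals and identity types.
"""
import re

# Constructed sample: the conn from the question (Debian host is 50.50.50.45).
BROKEN_CONF = """\
config setup
        charondebug="all"
conn deb-to-neb
        keyexchange=ikev2
        authby=secret
        left=100.100.100.123
        leftsubnet=10.40.0.1/24
        right=50.50.50.45
        rightsubnet=10.1.0.1/16
"""

# Constructed sample: the same tunnel in the usual left=local layout, with the
# peer identity from the log set explicitly as the answer suggests.
FIXED_CONF = """\
conn deb-to-neb
        keyexchange=ikev2
        authby=secret
        left=50.50.50.45
        leftsubnet=10.1.0.0/16
        right=100.100.100.123
        rightid=10.0.1.250
        rightsubnet=10.40.0.0/24
"""

# The CFG line from the question's log (format: me[my_id]...other[other_id]).
CFG_LINE = ("charon: 14[CFG] looking for peer configs matching "
            "50.50.50.45[%any]...100.100.100.123[10.0.1.250]")

CFG_RE = re.compile(r"looking for peer configs matching "
                    r"(?P<me>[^\[\s]+)\[(?P<my_id>[^\]]+)\]\.\.\."
                    r"(?P<other>[^\[\s]+)\[(?P<other_id>[^\]]+)\]")


def parse_conns(text):
    """Return {conn name: {key: value}} for each 'conn' block; 'config setup'
    and 'conn %default' are skipped. Keys inside a block are indented."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # section header, e.g. 'conn NAME'
            kind, _, name = line.strip().partition(" ")
            is_conn = kind == "conn" and name != "%default"
            current = conns.setdefault(name, {}) if is_conn else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns


def parse_cfg_line(line):
    """Extract me/my_id/other/other_id from charon's CFG line, or None."""
    m = CFG_RE.search(line)
    return m.groupdict() if m else None


def side_ids(conn, local_ip):
    """Return (local_id, peer_side, peer_id). Assumption: when 'right' holds
    the local address the sides are swapped, so the peer is 'left'."""
    local_side = "right" if conn.get("right") == local_ip else "left"
    peer_side = "left" if local_side == "right" else "right"
    local_id = conn.get(local_side + "id", conn.get(local_side))
    peer_id = conn.get(peer_side + "id", conn.get(peer_side))
    return local_id, peer_side, peer_id


def _id_matches(expected, received):
    # '%any' on either side accepts anything (peer sent no IDr -> my_id=%any).
    return expected in ("%any", received) or received == "%any"


def diagnose(conf_text, cfg_line):
    """Return {conn name: verdict}; verdict['match'] is True when the conn
    accepts both identities from the log, otherwise 'hint' says what to set."""
    info = parse_cfg_line(cfg_line)
    if info is None:
        raise ValueError("not a 'looking for peer configs matching' line")
    verdicts = {}
    for name, conn in parse_conns(conf_text).items():
        local_id, peer_side, peer_id = side_ids(conn, info["me"])
        local_ok = _id_matches(local_id, info["my_id"])
        peer_ok = _id_matches(peer_id, info["other_id"])
        hint = None
        if not peer_ok:
            hint = (f"set {peer_side}id={info['other_id']} in conn {name} "
                    f"(it currently defaults to {peer_id})")
        elif not local_ok:
            hint = f"peer expects our identity {info['my_id']}, conn has {local_id}"
        verdicts[name] = {"match": local_ok and peer_ok,
                          "expected_peer_id": peer_id,
                          "received_peer_id": info["other_id"],
                          "hint": hint}
    return verdicts


if __name__ == "__main__":
    for label, conf in (("question's conn", BROKEN_CONF),
                        ("conn with rightid", FIXED_CONF)):
        for name, v in diagnose(conf, CFG_LINE).items():
            print(f"{label}: {name}: match={v['match']} hint={v['hint']}")
```

Run against the question's conn it reports a mismatch between the defaulted peer identity 100.100.100.123 and the received 10.0.1.250, and against the second conn it reports a match. Note that real strongSwan identity matching is type-aware (IP address, FQDN, e-mail and certificate subject identities, plus wildcards), so string equality is a simplification that happens to be exact for the two IP-style identities in this log.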

I got this to work, but for some reason I cannot ping my Zyxel LAN from where my StrongSwan is hosted. I am able to ping and access network resources through my Zyxel LAN network to my StrongSwan VPN client/network as well as ping. Am I missing something? Please advise.

  • This does not provide an answer to the question. Once you have sufficient [reputation](https://serverfault.com/help/whats-reputation) you will be able to [comment on any post](https://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/509197) – Dave M Jan 17 '22 at 21:51