I am trying to create an IPsec tunnel between a ZyXEL ZyWALL P1 hardware firewall and an ASA 5510, OS version 8.0(2). Both parties should authenticate themselves using only PKI X.509 certificates without any XAUTH authentication.
The current configuration of the ASA permits software Cisco VPN Clients to connect without any problems. However, when I try to connect the ZyWALL, the ASA complains about the "peer is not authenticated by xauth - drop connection" and it indeed drops the connection. This puzzles me, as both the hardware ZyWALL and software clients are handled by the same tunnel group in which the XAUTH is deactivated using the command "isakmp ikev1-user-authentication none". My goal, obviously, is to configure the ASA in such a way that it will be possible to create an IPsec tunnel between the ZyWALL and the ASA authenticated using the certificates only, without the XAUTH.
The ZyWALL does not seem to support the MODE configuration. I do not know if this is a noteworthy fact but I am including it for the sake of completeness.
I am enclosing the relevant snippets of the configuration and the output of the debug crypto isakmp 127 command. A short explanation of the various addresses seen in the debug output:
- 126.96.36.199/24 is the public segment in the lab where the ZyWALL appliance is being tested
- 192.168.167.0/24 is the private segment behind the ZyWALL appliance (its "LAN" interface)
- 172.27.137.0/24 is the private segment behind ASA to which clients gain access via IPsec
I am most grateful for all guidance you can give me!
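The debug output quoted in this thread is long, and the detail that matters (which tunnel group the ASA mapped the peer to, and why it dropped the connection) is buried in per-peer header prefixes. The following is an added triage script, not part of the original post or of any Cisco tooling: it groups `debug crypto isakmp` lines by peer IP and pulls out any "drop connection" messages so the xauth drop can be checked against the tunnel group it was assigned to. The header layout `Group = ..., Username = ..., IP = ..., <message>` is taken from the single debug line quoted later in the thread; treating `Group` and `Username` as optional (the ASA prints bare `IP = ...` lines before the group is known) is an assumption, and the sample lines other than the two messages quoted on the page are constructed.

```python
import re
from collections import defaultdict

# Assumed header layout, modelled on the one debug line quoted in the thread:
#   "Group = TG-RAIS, Username = Peter Paluch VPN, IP = 188.8.131.52, processing hash payload"
# Group and Username are treated as optional prefixes (assumption).
HEADER_RE = re.compile(
    r"^(?:Group = (?P<group>[^,]+), )?"
    r"(?:Username = (?P<user>[^,]+), )?"
    r"IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<msg>.*)$"
)

# Constructed sample: the two messages quoted on the page plus filler lines
# in the same header format (filler text is made up for the example).
SAMPLE_DEBUG = [
    "IP = 188.8.131.52, processing SA payload",
    "Group = TG-RAIS, Username = Peter Paluch VPN, IP = 188.8.131.52, processing hash payload",
    "Group = TG-RAIS, Username = Peter Paluch VPN, IP = 188.8.131.52, "
    "peer is not authenticated by xauth - drop connection",
    "Group = TG-RAIS, Username = swclient-example, IP = 192.0.2.10, processing hash payload",
    "Constructed noise line without a peer header",
]


def parse_line(line):
    """Split one debug line into group/user/ip/message; None if it has no peer header."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return {
        "group": m.group("group"),
        "user": m.group("user"),
        "ip": m.group("ip"),
        "msg": m.group("msg"),
    }


def summarize(lines):
    """Correlate debug lines per peer IP: last-seen group/user, all messages, drop reasons."""
    peers = defaultdict(lambda: {"group": None, "user": None, "messages": [], "drops": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # lines without a peer header cannot be attributed to a session
        peer = peers[ev["ip"]]
        if ev["group"]:
            peer["group"] = ev["group"]
        if ev["user"]:
            peer["user"] = ev["user"]
        peer["messages"].append(ev["msg"])
        if "drop connection" in ev["msg"].lower():
            peer["drops"].append(ev["msg"])
    return dict(peers)


def xauth_drops(summary):
    """Peers whose connection was dropped for a missing xauth authentication."""
    return {
        ip: peer
        for ip, peer in summary.items()
        if any("xauth" in reason.lower() for reason in peer["drops"])
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_DEBUG)
    for ip, peer in xauth_drops(result).items():
        # Shows which tunnel group the ASA actually applied to the dropped peer,
        # which is the first thing to compare against the intended group's settings.
        print(f"{ip}: group={peer['group']} user={peer['user']} dropped: {peer['drops']}")
```

Run it against the saved debug output (one line per list element) and compare the `group` printed for the dropped peer with the tunnel group in which `isakmp ikev1-user-authentication none` was configured; if they differ, the peer is being matched to a different tunnel group than expected.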
Re routing stuff:
Can you give it a try?
8.0.2 is ANCIENT; consider 8.0.5 if the above does not work.
Well, I needed to re-read a big part of your email.
I understand that you essentially want your ZyXEL firewall to act as an EzVPN client (note that it DOES NOT send the Unity tag in MM1) and not an L2L tunnel.
Group = TG-RAIS, Username = Peter Paluch VPN, IP = 188.8.131.52, processing hash payload
Is that username configured anywhere on the zyxel firewall?