Using different certificates for different IpSec VPN Connections (Remote access - server role) that

phphil
phphil Posts: 31  Freshman Member
First Anniversary First Comment
edited April 2021 in Security
Dear everybody, 

We are facing the following issue on the USG 210: 

The clients that connects to our VPN mainly uses windows 10, we have correctly setup vpn using the native windows 10 VPN client, every one using the same certificate and the same VPN Connection and gateway. 

We would now enhance security by creating a single VPN Connection + VPN gateway + unique certificate for each client Labtop. This setup would allow us to just disable the interested VPN Connection, without affecting the other clients in the case the Labtop get lost, stolen, or compromised.

We have a single static ip address on the edge router, so I initially tried to just use the same destination ip address, creating the VPN connection on windows native client providing a different and unique certificate. The connection fail returning the following error: 

13801: IKE authentication credentials are unacceptable.

Watching at the USG logs it seems to me that the authentication fail because it check against the first VPN Gateway that match the gateway interface address. So the fact that each VPN connection use the same gateway interface address, but a unique certificate, will make all clients auth fail except one. 

I have tried to workaround this by using unique domain names (that point to the same ip address sure), but the issues does not change. The USG logs are pretty clear, and show that the destination (dst) used is still the ip address and not the domain name which could differentiate the request. It also highlight that the auth is against the wrong VPN gateway, and that's why it is rejected I think. trimmed log: 

Feb 13 17:07:58 usg210 CEF: 0|ZyXEL|USG210|4.32(AAPI.0)|0|Access Control|9|src=194.240.xxx.xxx dst=79.xxx.xxx.59 spt=1011 dpt=500 msg=priority:48, from WAN to ZyWALL, UDP, service Default_Allow_WAN_To_ZyWALL, ACCEPT proto=17 app=Default_Allow_W
...
Feb 13 17:08:30 usg210 CEF: 0|ZyXEL|USG210||0|IKE|4|src=79.xxx.xxx.59 dst=194.240.xxx.xxx spt=4500 dpt=4500 msg=IKE SA [The-First-VPN-Gateway-That-Matches-dst] is disconnected



Is there a way to achieve what we are seeking for? 
It would be great because, it would not only solve this issue for us, but also one other important, diversificate the permissions for each VPN client (eg. userA can access only the LAN1, userB can access LAN1 LAN2 ecc.)


Thank you for the attention , and for any help

All Replies

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    @phphil
    Regarding to this case,
    the scenario cannot be supported if you self-sign the certificate from USG, since only one certificate can be selected on VPN page.

    Or you updated the certificate which is from third party?
    Charlie
  • phphil
    phphil Posts: 31  Freshman Member
    First Anniversary First Comment
    edited February 2019
    I agree with you, only one certificate per VPN gateway can be selected, but our try was slightly different, it was to create a new VPN gateway with it's own certificate and it's own new VPN Connection too, for each client. Introducing kind of redundancy/repetition, but should have allowed us to achieve the result, but it did not. 

    Would the use of "real" certificates allowing us to do it? 

    Thank you for you reply
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    @phphil
    If the one certificate with one vpn tunnel, this scenario could be working.
    Can I know the certificate which you sign from USG?
    Charlie
  • phphil
    phphil Posts: 31  Freshman Member
    First Anniversary First Comment
    edited February 2019
    For sure, if it can help, there it is the screenshots of a dimostrative certificate, it uses the same parameters as the ones actually in use: 



    ---



    The plan is to use a different domain name for each Laptop client eg.:
    example1.dyndns.org
    example2.dyndns.org
    example3.dyndns.org
    all of them pointing to the same ipaddress, since we have only one external static ip address. 

    I believe the whole point in this, is that the incoming requests for establish the VPN tunnel does not use the custom domainName, but it traslate it into the external ip address. This cause the USG to missunderstand which VPN tunnel check agains, is like it check against the wrong VPN tunnel(the first that match the ip address) and the result is that the given certificate does not match the one defined into the VPN Gateway. 

    What do you think? : )
  • phphil
    phphil Posts: 31  Freshman Member
    First Anniversary First Comment
    Any clue about this ? : ) 
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    @phphil
    Regarding to this case,
    the scenario is remote access-server role, and all VPN rules use the same external Wan IP address, therefore, you need to configure different encryption, authentication or Key group to distinguish each VPN tunnel.

    Charlie

Security Highlight