Site-to-site VPN and L2TP VPN access

virtuOS Posts: 11
edited April 2021 in Security
Hello,

We actually have a site-to-site VPN between us and a customer site.
This customer would like to access the data (on our infrastructure) and the printer (on the customer site).

So, we actually have a site-to-site VPN between us (ZyWall310) and the customer site (USG20).
We created an L2TP VPN that goes directly to the customer site. But can I give access to the data through the L2TP connection and through the site-to-site VPN? You can find a graphical explanation in the attachment.

Thanks a lot for your help. 

Best regards

Accepted Solution

  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    Answer ✓
    Hi @virtuOS,

    Can you allow 192.168.10.0/24 subnet to be pinged from 192.168.149.0/24 subnet by creating the rule on USG310?

    (Configuration > Security Policy > Policy Control > Add )



    If that doesn't solve your issue, can you provide me a temporary admin account for both the USG20 and the USG310 by private message for this case?

All Replies

  • mMontana
    mMontana Posts: 1,302  Guru Member
    edited April 2021
    The laptop should know where DATAS is and how to reach it (route).
    Then there should be firewall rules on the USG20 for allowing traffic.
    Finally, the Zywall 310 should know that the L2TP exists and how to reach it (route), also with rules for allowing only the traffic you need.

    Otherwise, DATAS should know how to reach the printer on the USG20 site and the L2TP should be established between the Zywall and the laptop.
  • virtuOS
    virtuOS Posts: 11
    Hi,
    OK. Then I just need to create a route that redirects the traffic from the customer site to the site-to-site VPN?
    How can I do that?

    Thanks in advance for your help
  • PeterUK
    PeterUK Posts: 2,730  Guru Member

    Can you try with the laptop not connected to the VPN USG20?

    Likely just some routing rules and firewall rules that are needed; check your logs.

  • virtuOS
    virtuOS Posts: 11
    The laptop needs to be connected... Otherwise, it can't work... Sorry, I think I didn't understand...
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee

    Hi @virtuOS,

    If you have set up your IPSec and L2TP VPNs already, you will just need policy routes as follows:

    1-    For the customer site:

    Suppose that the DATA server is in the 192.168.30.0/24 subnet.

    We create a policy route for the L2TP VPN.

    2-    On your site:

    When L2TP tunnel users initiate a session, it needs to respond with the following policy route:

    Best regards.
  • virtuOS
    virtuOS Posts: 11
    Hi @Zyxel_Can,

    Thanks a lot for your help.

    I tried what you said, but I receive an error:

    error
    IPSec
    SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping ICMP(8:0) packet [count=2]

    I searched the forum and I found this: Usg 50 3.30(BDS.9) cannot connect using VPN L2TP IPSEC — Zyxel Community
    Is this operation perhaps not allowed on the Zywall USG20? What do you think?

    Thanks a lot for your help
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee

    Hi @virtuOS,

    In our lab I created the following setup. Please take it as a reference.

    On the USG20 I created the following policy:

    On the server's gateway I created the following policy rule:

    If you have already created the VPNs (L2TP and IPSec site-to-site VPN), all you need is to apply these two policy rules.

    Can you also try to upgrade the ZyWALL USG20's firmware to the latest version?

     https://community.zyxel.com/en/discussion/4247/zywall-usg-series-v3-30p9-wk48-firmware-released#latest

  • virtuOS
    virtuOS Posts: 11
    Hi @Zyxel_Can,

    Thanks a lot for your help. I configured everything like you said, but it doesn't work.

    I receive the same log: SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping ICMP(8:0) packet [count=2]

    Here is my config:
    On the USG20:

    FELIX_SUBNET: LAN of the Zywall310

    The firmware:

    On the 310:

    P2_LAN_FBSA = LAN 1 on the Zywall310

    FLV_L2TP_SUBNET = 192.168.149.0/24 (L2TP subnet of the USG20)

    Do you think I am doing something wrong?

    Thanks in advance for your help

  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    Hi @virtuOS,

    In the screenshots for the USG20, I see that Next-Hop was chosen as Default_L2TP_VPN_Connection.

    Can you try replacing the Next-Hop's VPN Tunnel with the USG20's and ZyWALL310's site-to-site VPN object?

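The advice in this thread, Zyxel_Can's policy routes with the site-to-site object (not the L2TP connection) as next-hop plus the accepted answer's Policy Control rule on the ZyWALL side, as a small Python model of the forward path from an L2TP client to the DATA server. This is an added example, not code or CLI syntax from Zyxel or the thread; the subnets come from the thread, while the tunnel object name S2S_to_ZyWALL310, the allow-any rule on the USG20 and the two host addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the thread's topology; not Zyxel code or CLI syntax.
# Subnets from the thread: 192.168.149.0/24 = USG20 L2TP pool,
# 192.168.30.0/24 = DATA server subnet (Zyxel_Can's assumed example).
# The site-to-site object name is an assumed placeholder.
S2S = "S2S_to_ZyWALL310"                 # site-to-site VPN object on the USG20
L2TP = "Default_L2TP_VPN_Connection"     # the next-hop the thread wrongly picked

@dataclass
class Gateway:
    name: str
    local: list                                   # subnets delivered directly
    routes: list                                  # (src, dst, next_hop) policy routes
    allowed: list = field(default_factory=list)   # (src, dst) Policy Control rules

def in_net(net, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def forward(gw, src, dst):
    """Where gw sends the packet: a tunnel name, 'local', or 'dropped'."""
    if not any(in_net(s, src) and in_net(d, dst) for s, d in gw.allowed):
        return "dropped"                          # the 'No rule found' log line
    if any(in_net(n, dst) for n in gw.local):
        return "local"
    for s, d, next_hop in gw.routes:
        if in_net(s, src) and in_net(d, dst):
            return next_hop
    return "dropped"

def trace(src, dst, path):
    """path = [(gateway, expected egress)]; stops at the first wrong hop."""
    report = []
    for gw, want in path:
        got = forward(gw, src, dst)
        report.append(f"{gw.name}:{got}")
        if got != want:
            return False, " -> ".join(report)
    return True, " -> ".join(report)

def check(usg20_next_hop, zywall_rule_added):
    """Forward path L2TP client -> USG20 -> site-to-site -> ZyWALL310 -> DATA."""
    usg20 = Gateway("USG20", ["192.168.149.0/24"],
                    [("192.168.149.0/24", "192.168.30.0/24", usg20_next_hop)],
                    [("192.168.149.0/24", "0.0.0.0/0")])
    zywall = Gateway("ZyWALL310", ["192.168.30.0/24"], [],
                     [("192.168.149.0/24", "192.168.30.0/24")] if zywall_rule_added else [])
    return trace("192.168.149.10", "192.168.30.5", [(usg20, S2S), (zywall, "local")])
```

`check(L2TP, False)` stops at the USG20 with the wrong next-hop, `check(S2S, False)` gets through the tunnel but is dropped on the ZyWALL310 for lack of a Policy Control rule, and `check(S2S, True)` reaches the DATA subnet.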
  • virtuOS
    virtuOS Posts: 11
    Hi @Zyxel_Can,

    Thanks a lot for your help.

    I tried changing the Next-Hop VPN Tunnel, but I receive the same error:

    I don't understand why... Do you have an idea?

    Best regards
