Site-to-site VPN and L2TP VPN access

virtuOS
virtuOS Posts: 11
edited April 2021 in Security
Hello,

We currently have a site-to-site VPN between us and a customer site.
This customer would like to access the data (on our infrastructure) and the printer (on the customer site).

So, we currently have a site-to-site VPN between us (ZyWALL 310) and the customer site (USG20).
We created an L2TP VPN that goes directly to the customer site. But can I give access to the data through the L2TP connection and through the site-to-site VPN? You can find a graphical explanation in the attachment.

Thanks a lot for your help. 

Best regards

Accepted Solution

  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    Answer ✓
    Hi @virtuOs,

    Can you allow the 192.168.10.0/24 subnet to be pinged from the 192.168.149.0/24 subnet by creating the rule on the USG310?

    (Configuration > Security Policy > Policy Control > Add )



    If that doesn't solve your issue, can you provide me with a temporary admin account for both the USG20 and the USG310 by private message for this case?

All Replies

  • mMontana
    mMontana Posts: 1,380  Guru Member
    edited April 2021
    The laptop should know where DATAS is and how to reach it (route).
    Then there should be firewall rules on the USG20 for allowing the traffic.
    Finally, the ZyWALL 310 should know that the L2TP subnet exists and how to reach it (route), also with rules allowing only the traffic you need.

    Otherwise, DATAS should know how to reach the printer on the USG20 site, and L2TP should be set up between the ZyWALL and the laptop.
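To make the hop-by-hop reasoning in the replies above (and in the accepted answer) concrete, here is an added example that is not from the thread or from Zyxel: a small Python model of two gateways, each with policy routes and first-match security-policy rules, that traces an ICMP echo request from a client on the USG20's L2TP pool to a host behind the ZyWALL 310 over the site-to-site tunnel. The subnets 192.168.149.0/24 and 192.168.30.0/24 are the ones quoted in the thread; the host addresses, tunnel names and rule layouts are constructed assumptions, and the model ignores zones and state tracking that the real devices have. Leaving out either the policy route on the USG20 or the allow rule on the 310 makes the trace end in the same "No rule found, Dropping ICMP(8:0) packet" situation the original poster reports.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Subnets quoted in the thread; hosts, tunnel names and rule layouts are constructed.
L2TP_SUBNET = ip_network("192.168.149.0/24")   # USG20's L2TP client pool
DATA_SUBNET = ip_network("192.168.30.0/24")    # LAN behind the ZyWALL 310 holding DATAS


@dataclass
class PolicyRoute:
    src: IPv4Network
    dst: IPv4Network
    next_hop: str                 # tunnel the matching packet is handed to


@dataclass
class FirewallRule:
    src: IPv4Network
    dst: IPv4Network
    allow: bool


@dataclass
class Gateway:
    name: str
    local: List[IPv4Network]                      # subnets this box delivers to directly
    routes: List[PolicyRoute] = field(default_factory=list)
    rules: List[FirewallRule] = field(default_factory=list)
    tunnels: Dict[str, "Gateway"] = field(default_factory=dict)   # tunnel name -> far end

    def verdict(self, src: IPv4Address, dst: IPv4Address) -> Optional[bool]:
        """First matching security-policy rule wins; None means nothing matched."""
        for r in self.rules:
            if src in r.src and dst in r.dst:
                return r.allow
        return None

    def next_hop(self, src: IPv4Address, dst: IPv4Address) -> Optional[str]:
        for r in self.routes:
            if src in r.src and dst in r.dst:
                return r.next_hop
        return None


def trace(entry: Gateway, src: IPv4Address, dst: IPv4Address, max_hops: int = 4) -> Tuple[bool, List[str]]:
    """Walk an ICMP echo request gateway by gateway; return (delivered, per-hop log)."""
    log: List[str] = []
    gw = entry
    for _ in range(max_hops):
        allowed = gw.verdict(src, dst)
        if allowed is None:
            # A packet matching no rule is dropped; this is the thread's log line
            log.append(f"{gw.name}: No rule found, Dropping ICMP(8:0) packet")
            return False, log
        if not allowed:
            log.append(f"{gw.name}: denied by security policy")
            return False, log
        if any(dst in net for net in gw.local):
            log.append(f"{gw.name}: delivered to {dst}")
            return True, log
        hop = gw.next_hop(src, dst)
        if hop is None or hop not in gw.tunnels:
            log.append(f"{gw.name}: no policy route for {dst}, packet would leave via the default route")
            return False, log
        log.append(f"{gw.name}: policy route -> {hop}")
        gw = gw.tunnels[hop]
    log.append("hop limit exceeded")
    return False, log


def build_lab(route_on_usg20: bool = True, rule_on_310: bool = True) -> Gateway:
    """Construct both gateways; the flags leave out one of the pieces the replies ask for."""
    usg20 = Gateway("USG20", local=[L2TP_SUBNET])
    zywall310 = Gateway("ZyWALL310", local=[DATA_SUBNET])
    usg20.tunnels["S2S_to_310"] = zywall310          # site-to-site tunnel, constructed name
    zywall310.tunnels["S2S_to_USG20"] = usg20
    if route_on_usg20:
        # Policy route: L2TP clients heading for DATAS go into the site-to-site tunnel
        usg20.routes.append(PolicyRoute(L2TP_SUBNET, DATA_SUBNET, "S2S_to_310"))
    usg20.rules.append(FirewallRule(L2TP_SUBNET, DATA_SUBNET, allow=True))
    # Return route so replies from DATAS go back through the tunnel
    zywall310.routes.append(PolicyRoute(DATA_SUBNET, L2TP_SUBNET, "S2S_to_USG20"))
    if rule_on_310:
        # The rule the accepted answer asks for: allow the L2TP subnet into the LAN on the 310
        zywall310.rules.append(FirewallRule(L2TP_SUBNET, DATA_SUBNET, allow=True))
    return usg20


def ping_from_l2tp_client(route_on_usg20: bool = True, rule_on_310: bool = True) -> Tuple[bool, List[str]]:
    """Echo request from a constructed L2TP client to a constructed DATAS host."""
    return trace(build_lab(route_on_usg20, rule_on_310),
                 ip_address("192.168.149.10"), ip_address("192.168.30.5"))


if __name__ == "__main__":
    for kwargs in ({}, {"rule_on_310": False}, {"route_on_usg20": False}):
        ok, hops = ping_from_l2tp_client(**kwargs)
        print(kwargs or "full config", "->", "reachable" if ok else "dropped")
        for line in hops:
            print("   ", line)
```

Running the script prints one trace per configuration: the full configuration delivers the packet, dropping the 310's rule ends with the "No rule found" line on the ZyWALL 310, and dropping the USG20's policy route ends on the USG20 before the packet ever enters the tunnel. The practical takeaway when reading the real logs is to note which device emits the drop, since that tells you which of the three pieces (client route, USG20 policy route and rule, 310 route and rule) is still missing.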
  • virtuOS
    virtuOS Posts: 11
    Hi,
    Ok. Then I just need to create a route that redirects the traffic from the customer site to the site-to-site VPN?
    How can I do that?

    Thanks in advance for your help
  • PeterUK
    PeterUK Posts: 3,326  Guru Member

    Can you try with the laptop not connected to the VPN on the USG20?

    Likely just some routing rules and firewall rules are needed; check your logs.


  • virtuOS
    virtuOS Posts: 11
    The laptop needs to be connected... Otherwise, it can't work.... Sorry, I think I didn't understand....
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee

    Hi @virtuOS,


    If you have set up your IPSec and L2TP VPNs already, you will just need Policy routes as follows:


    1-    For the customer site:

    Suppose that the DATA server is in the 192.168.30.0/24 subnet.

    We create a Policy Route for the L2TP VPN.


    2-    On your site:
    When L2TP tunnel users initiate a session, it needs to respond with the following Policy Route:


    Best regards.
  • virtuOS
    virtuOS Posts: 11
    Hi @Zyxel_Can,

    Thanks a lot for your help.

    I tried what you said but I receive an error:

    error
    IPSec
    SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping ICMP(8:0) packet [count=2]

    I searched on the forum and I found this: Usg 50 3.30(BDS.9) cannot connect using VPN L2TP IPSEC — Zyxel Community
    Is this operation perhaps not allowed on the ZyWALL USG20? What do you think?

    Thanks a lot for your help
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee

    Hi @virtuOS,


    In our lab I created the following setup. Please take it as a reference.


    On the USG20 I created the following policy:



    On the server's gateway I created the following Policy Rule:



    If you have already created the VPNs (L2TP and the IPSec site-to-site VPN), all you need is to apply these two policy rules.



    Can you also try to upgrade the ZyWALL USG20's firmware to the latest version?

     https://community.zyxel.com/en/discussion/4247/zywall-usg-series-v3-30p9-wk48-firmware-released#latest


  • virtuOS
    virtuOS Posts: 11
    Hi @Zyxel_Can,

    Thanks a lot for your help. I configured everything like you said but it doesn't work.

    I receive the same log: SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping ICMP(8:0) packet [count=2]

    Here is my config:
    On the USG20:

    FELIX_SUBNET: LAN of the ZyWALL 310

    The firmware :



    On the 310:


    P2_LAN_FBSA = LAN 1 on the ZyWALL 310

    FLV_L2TP_SUBNET = 192.168.149.0/24 (L2TP subnet of the USG20)

    Do you think I did something wrong?

    Thanks in advance for your help

  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    Hi @virtuOS,

    In the screenshots for the USG20, I see that the Next-Hop was chosen as Default_L2TP_VPN_Connection.

    Can you try to replace the Next-Hop VPN Tunnel with the site-to-site VPN object between the USG20 and the ZyWALL 310?

  • virtuOS
    virtuOS Posts: 11
    Hi @Zyxel_Can,

    Thanks a lot for your help.

    I tried changing the Next-Hop VPN Tunnel but I receive the same error:

    I don't understand why... Do you have an idea?

    Best regards
