USG40 - VPN tunnel with virtual interface WAN IP

Hi, I am new to the forum and I need some help with my setup...

Running a USG40 with multiple WAN IPs and want to get the VPN tunnel to work with on of the IP adresses from the virtual interface.

Hardware:
Model Name:USG40
Firmware Upgrade Wizard:V4.65

WAN1: 1x static ip behind cable-modem (/28 subnet - other range than the following)
WAN1:1 several assignable ip adresses (/29 subnet)

using the virtual interface to use ONLY the 2 adresses from the /29 subnet
but USG gets the WAN1 IP adress via DHCP
WAN1:1 is assigned by myself (static)

created the objects (Hosts) and created the routing:
host_static_1
host_static_2
host_static_3

routing
LAN1 (/24) SNAT via host_static_1
SERVER (HOST) - also on LAN1, but SNAT host_static_2
SERVER2 (HOST) - also on LAN1, but SNAT host_static_3

(no VLAN, crappy config..)

thats working fine, BUT:
with the USG40 i cant get IPSec to work at all!

Before some days it worked with the WAN1 IP (dhcp assignment), but never with on the the IPs from the virtual interface.
Any Idea how can I get this to work properly?

Thank you

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,059  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @slaven

     

    Welcome to join Zyxel community :) .

    Is your USG40 behind the modem and you would like to use Virtual interface to create VPN connection?

    Which VPN topology you would like to create? Site-to-site VPN? or USG40 as a VPN server role?

    Thanks.

  • slaven
    slaven Posts: 2
    Hi, correct - cable modem.
    USG40 should work as VPN server.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,059  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @slaven

    According to your situation, please refer to the below labs:

    USG60W behind NAT as an L2TP VPN server role with the virtual interface WAN IP.

    Topology:

    The USG60W behind Zywall110 and USG60W as an L2TP VPN server role let PCs can create L2TP VPN connections to USG60W via the internet. There is a precondition that Zywall110 must set a NAT rule therefore PCs from the internet can connect to USG60W. Likewise, you need to set a NAT rule on your cable modem to make it can redirect traffic to your USG40.

    Zywall 110 NAT setting:



    BTW, must allow L2TP services (IKE, NATT, L2TP-UDP) can be forward, please refer to the below link:

    https://community.zyxel.com/en/discussion/675/how-do-i-configure-the-zywall-for-a-l2tp-server-behind-nat


    The USG60W setting:

     Interface setting:



    The USG60W's L2TP VPN Wizard setting:






    Verification result: L2TP VPN connections are successfully built from PCs.


    USG60W behind NAT as an SSL VPN server role with the virtual interface WAN IP.


    Topology:

    Zywall 110 need to set NAT rule and allow SSL VPN port service can forward to USG60W.

    You can refer to this forum discussion:

    https://community.zyxel.com/en/discussion/2139/ssl-vpn-behind-a-other-router


    The USG60W's SSL VPN settings:



    Please install SSL VPN client software on your PC.

    SSL VPN SecuExtender download link(the current version is SSL_VPN_Client_4.0.4.0)

    The SSL VPN client connect to the SSL VPN server.


    The SSL VPN client is connected.


    Verification result:  The SSL VPN connection is successfully built from the PC.


Security Highlight