Policy routing for L2TP VPN

Hello Zyxel community,

I have following site-to-site VPN configuration to service providers premises:

USG60 ----> ipsec site-to-site VPN (snat with public IP/32) <-----| Firewall -- service providers RDP server 80.x.x.x/32

Service provider doesn't want to use private IP-addresses in VPN connection so we had to use SNAT (with public IP) to hide internal LAN network. Everything is working perfectly, but
now some user want to have L2TP VPN from home and access to service providers RDP server (it has public IP-address even it's not accessible directly from Internet) via VPN. I  
tried to make policy routing rules, but I can't get connection working from L2TP VPN connnection through to site-to-site VPN to RDP server. I'm wondering is it SNAT in site-to-site connection
causing the problem?!

Can anyone give some advise how to start solve the problem?

All Replies

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited September 2021

    Just a quick check

    Users connecting to L2TP VPN must not use a LAN subnet that matches USG60 or L2TP VPN IP pool.

    Are you doing this Fake_Subnet for site to site? as it complicates things

    https://mysupport.zyxel.com/hc/en-us/articles/360003321659--ZyWALL-USG-How-to-configure-VPN-SNAT-on-Zyxel-gateways)


  • miktuo
    miktuo Posts: 3
    edited September 2021
    PeterUK said:

    Just a quick check

    Users connecting to L2TP VPN must not use a LAN subnet that matches USG60 or L2TP VPN IP pool.

    Are you doing this Fake_Subnet for site to site? as it complicates things

    https://mysupport.zyxel.com/hc/en-us/articles/360003321659--ZyWALL-USG-How-to-configure-VPN-SNAT-on-Zyxel-gateways)


    Hi PeterUK,


    Like I said site-to-site Ipsec VPN connection is working fine and here is some information of site-to-site and L2TP VPN connections:

    Lan network: 172.32.x.0/24

    L2TP network: 10.100.99.0/24


    site-to-site network configuration:

    I have seen this "fake subnet Zyxel how-to article". Snat is done exactly like in this article, but we don't use any private subnet. We have one public IP-address with 32bit mask. 

    VPN Gateway: service providers FW address 

    POLICY:

    Local policy: public ip-address with /32 mask (our isp provided this)

    Remote policy: service providers RDP server 80.248.x.x/32


    RELATED SETTINGS:

    Zone: Ipsec_VPN


    INBOUND/OUTBOUND traffic NAT


    Outbound traffic:

    Source: Lan network 172.32.x.0/24

    Destination: service providers RDP server 80.248.x.x/32

    SNAT: Public ip-address with /32 mask (our isp provided this)


    Destination NAT:

    Orginal: IP: public ip-address with /32 mask (our isp provided this)

    Mapped IP: LAN subnet

    Orginal IP: public ip-address with /32 mask (our isp provided this)

    Mapped IP: L2TP network











  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited September 2021

    My setup here works but have not tested with INBOUND/OUTBOUND traffic NAT settings that complicates things.

    Your routing rule should be incoming L2TPVPNWAN (L2TP VPN) and next hop site-to-site TuneltoZywall110 (my zone name)

    You need a policy rule from IPSec_VPN to GwtoZywall110

    Shouldn't your Local policy be your Lan network: 172.32.x.0/24 


  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited September 2021
    miktuo said:
    Outbound traffic:

    Source: Lan network 172.32.x.0/24

    Destination: service providers RDP server 80.248.x.x/32

    SNAT: Public ip-address with /32 mask (our isp provided this)


    So I tried to SNAT with my WAN IP and it didn't work for me unless you have two WAN IP's as one would be in use for your connection. I can use any other IP I want for SNAT.  was testing wrong it does work

    From testing here having a L2TP VPN go down a tunnel will not SNAT using INBOUND/OUTBOUND traffic NAT. 

    However if you make another tunnel with Local policy 10.100.99.0/24 Remote policy: service providers RDP server 80.248.x.x/32 then it should work.


  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited September 2021

    I think I have setup your config here for testing and you can't SNAT L2TP VPN down the tunnel you can setup the other tunnel for L2TP VPN to go down the tunnel but with Source IPs of 172.32.x.0/24 and thats without needing a routing rule.

    OR if the Service provider doesn't want to use private IP-addresses you can lie on the IP pool of the L2TP VPN with WAN looking IP's.


  • PeterUK said:

    I think I have setup your config here for testing and you can't SNAT L2TP VPN down the tunnel you can setup the other tunnel for L2TP VPN to go down the tunnel but with Source IPs of 172.32.x.0/24 and thats without needing a routing rule.

    OR if the Service provider doesn't want to use private IP-addresses you can lie on the IP pool of the L2TP VPN with WAN looking IP's.


    Thank you! I appreciate your help with this problem! I have to think about what to do next  :/
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    edited September 2021
    Hi @miktuo,

    Did you tick "Allow L2TP traffic Through WAN" for l2tp client in Remote Access VPN setup wizard? Please try it again with Full tunnel mode.
    1

Security Highlight