Policy routing for L2TP VPN
All Replies
-
Just a quick check
Users connecting to L2TP VPN must not use a LAN subnet that matches USG60 or L2TP VPN IP pool.
Are you doing this Fake_Subnet for site to site? as it complicates things
0 -
PeterUK said:
Just a quick check
Users connecting to L2TP VPN must not use a LAN subnet that matches USG60 or L2TP VPN IP pool.
Are you doing this Fake_Subnet for site to site? as it complicates things
Hi PeterUK,
Like I said site-to-site Ipsec VPN connection is working fine and here is some information of site-to-site and L2TP VPN connections:
Lan network: 172.32.x.0/24
L2TP network: 10.100.99.0/24
site-to-site network configuration:
I have seen this "fake subnet Zyxel how-to article". Snat is done exactly like in this article, but we don't use any private subnet. We have one public IP-address with 32bit mask.
VPN Gateway: service providers FW address
POLICY:
Local policy: public ip-address with /32 mask (our isp provided this)
Remote policy: service providers RDP server 80.248.x.x/32
RELATED SETTINGS:
Zone: Ipsec_VPN
INBOUND/OUTBOUND traffic NAT
Outbound traffic:
Source: Lan network 172.32.x.0/24
Destination: service providers RDP server 80.248.x.x/32
SNAT: Public ip-address with /32 mask (our isp provided this)
Destination NAT:
Orginal: IP: public ip-address with /32 mask (our isp provided this)
Mapped IP: LAN subnet
Orginal IP: public ip-address with /32 mask (our isp provided this)
Mapped IP: L2TP network
0 -
My setup here works but have not tested with INBOUND/OUTBOUND traffic NAT settings that complicates things.
Your routing rule should be incoming L2TPVPNWAN (L2TP VPN) and next hop site-to-site TuneltoZywall110 (my zone name)
You need a policy rule from IPSec_VPN to GwtoZywall110
Shouldn't your Local policy be your Lan network: 172.32.x.0/24
0 -
miktuo said:Outbound traffic:
Source: Lan network 172.32.x.0/24
Destination: service providers RDP server 80.248.x.x/32
SNAT: Public ip-address with /32 mask (our isp provided this)
From testing here having a L2TP VPN go down a tunnel will not SNAT using INBOUND/OUTBOUND traffic NAT.
However if you make another tunnel with Local policy 10.100.99.0/24 Remote policy: service providers RDP server 80.248.x.x/32 then it should work.0 -
I think I have setup your config here for testing and you can't SNAT L2TP VPN down the tunnel you can setup the other tunnel for L2TP VPN to go down the tunnel but with Source IPs of 172.32.x.0/24 and thats without needing a routing rule.
OR if the Service provider doesn't want to use private IP-addresses you can lie on the IP pool of the L2TP VPN with WAN looking IP's.
0 -
PeterUK said:
I think I have setup your config here for testing and you can't SNAT L2TP VPN down the tunnel you can setup the other tunnel for L2TP VPN to go down the tunnel but with Source IPs of 172.32.x.0/24 and thats without needing a routing rule.
OR if the Service provider doesn't want to use private IP-addresses you can lie on the IP pool of the L2TP VPN with WAN looking IP's.
0 -
Hi @miktuo,
Did you tick "Allow L2TP traffic Through WAN" for l2tp client in Remote Access VPN setup wizard? Please try it again with Full tunnel mode.
1
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight