How do I get a VPN so I can connect to my LAN from my iPhone while out and about?

zyxelusg60
Posts: 7

in Security
Hi all
USG60 unit here. I've previously set up OpenVPN and pfSense to allow me to connect into my LAN and access web servers I have running internally.
How can I replicate this same functionality with the USG 60? It seems I have to use IPsec and L2TP, but all docs I can find talk about site-to-site setup. I don't see how this applies to my iPhone / laptop.
I followed this guide http://www.zyxel.se/upload/doc/support/usg/iPhone Whitepaper.pdf
but it seems a little out of date and I get an error saying failed to connect.
Any docs would be useful, thanks.
0
All Replies
-
zyxelusg60 said:
How can I replicate this same functionality with the USG 60? It seems I have to use IPsec and L2TP, but all docs I can find talk about site-to-site setup. I don't see how this applies to my iPhone / laptop.
Set up on an already working USG60, so you won't run into the wizard.
https://mysupport.zyxel.com/hc/en-us/articles/360005956820-Configure-L2TP-VPN-client-on-iOS
How to configure an L2TP connection on your iOS device. Two years old, but it still fits the current versions (AFAIK, from what I saw a few weeks ago).
https://support.zyxel.eu/hc/en-us/articles/360003503440-L2TP-behind-NAT-on-a-Windows-client
Don't forget this caveat for Windows... if your laptop is Redmond flavoured (instead of Cupertino sauce).
0 -
Argh. Thanks for your response. Unfortunately I'm hitting the same issue: L2TP server failed to respond.
Is it to do with my firewall settings? Is there something else I need to activate?
There appears to be a rule in the policy control to allow IPsec to all except Zywall, and another rule for traffic to Zywall.
I also tried from my MacBook from inside the network, so I dunno if that should work, but it also failed with "server failed to respond". Seems my traffic is being blocked; the VPN isn't being brought up at all.
0 -
I've found some firewall rules but I still can't get anything other than a failed to respond. What firewall rules should I have? I tried the ones here: http://www.iholken.com/index.php/2015/07/19/setup-vpn-l2tpipsec-tunnel-between-zywall-usg-and-windows-phone-8-1-or-iphoneipad/
0 -
zyxelusg60 said: L2TP server failed to respond.
In my setup the rule is named WAN_To_Device and the service group is called Allow_WAN_To_Zywall.
I don't remember if I had to manually create the L2TP service in Objects...
Also, for L2TP/IPsec to work, IKE (UDP 500) and NAT-T (UDP 4500) must be allowed from WAN to the USG/Zywall.
0 -
Hi, all these things are added to the WAN to Zywall rule in policies. Still not working. I even checked the Zyxel demo unit https://zylab.zyxel.eu/ext-js/index.html# and checked there. I can't see what is wrong. Think I'm gonna throw this junk out and get another firewall unless there's something else I can try. I've been at it 2 days trying to make a simple VPN work.
0 -
PEBKAC?
0 -
mMontana said: PEBKAC?
0 -
Hi @zyxelusg60,
Is your USG60 placed behind a NAT router? If so, please follow the instructions to allow L2TP services on the NAT router. If the WAN IP address of the USG60 is a public IP, just follow the wizard to set up L2TP VPN on the USG60. For iOS settings, please follow the instructions in this guide.
0 -
zyxelusg60 said: I think the problem might be my ISP is blocking the ports; I'm not even getting hits in the firewall.
This could happen if one of UDP 500, 1701 and 4500 (if behind a NAT) is blocked. If you have any other IPsec-capable device you could check at least for 500 and 4500 (if behind a NAT) with a "temporary" gateway and network...
But if the ISP is the same as with your previous device which had L2TP working... the theory does not stand up that much.
Troubleshooting an L2TP connection on USG 4.x generation firmware is not "that" easy. I had to triple check all the boxes several times, even though I had it working on 10-15 devices. (And without any kind of wizard.)
Going back to the USG60: verify that all required protocols (AH, ESP, IKE, NAT-T, L2TP) can reach the device from the ISP, starting from the security policies.
0 -
OK. Another day, I think I'm close but still no cigar.
I turned on logging for some things and I saw that it turns out I had a NAT rule that forwarded any to a server inside my network. Doh! So I changed this to just the service it needed, which meant that the requests for the VPN were suddenly handled correctly, and I could see the hits in the logs.
But no luck with the L2TP/IPsec settings... although I could hit the firewall, it was not able to negotiate a communication.
I read some more. So I tried IKEv2.
This seems to work for iPhone; you need AES256, SHA256, DH19.
Also, in the iPhone settings, set user auth to none, and it then asks for a secret -- this is the private key configured in the firewall settings.
Remote ID is the server IP, and local ID is the username... password isn't required...
Anyway, it connects, negotiates, and I get an entry in the log for the active IKEv2 connection under VPN,
but it doesn't seem to pass any data, and I can't seem to access anything I want, like my local LAN.
I have to give this connection an IP from my VPN POOL object, so it's getting an address in 192.168.9.10-20, but I want to talk to servers in the 192.168.0.xx range.
Is there a route I need to add?
A firewall rule?
Some other settings?
I can post all the settings up if required, but maybe for IKEv2 I've missed something.
Any and all help appreciated,
thanks
0
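The thread's two blockers (a catch-all NAT forward that swallowed the VPN traffic before the firewall's own listener saw it, and a WAN-to-device policy whose service group did not cover every flow mMontana lists: AH, ESP, IKE, NAT-T, L2TP) are the kind of thing worth checking mechanically before suspecting the ISP. The script below is an added example, not Zyxel's code or the USG's configuration syntax: it models a port-forward list and a zone policy in a constructed, simplified form (rule names WAN_To_Device and Allow_WAN_To_Zywall come from the thread; the internal server address 192.168.0.10 is a constructed sample) and reports, for each required flow, whether it is shadowed by NAT, allowed, or dropped by the implicit default deny.

```python
"""Audit a simplified firewall configuration for the inbound flows a
road-warrior L2TP/IPsec (or IKEv2) VPN that terminates on the firewall
itself needs: IKE, NAT-T, L2TP, ESP and AH from WAN to the device.

Added example, not Zyxel's code or configuration syntax. The rule model
is a constructed simplification of what the thread describes (a
WAN_To_Device policy with an Allow_WAN_To_Zywall service group, and a
NAT rule forwarding 'any' to an internal server).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, Optional[int]]  # (protocol, port); port is None for ESP/AH

# Flows the thread lists as required for L2TP/IPsec to reach the USG.
REQUIRED_FLOWS: Dict[str, Flow] = {
    "IKE":   ("udp", 500),
    "NAT-T": ("udp", 4500),
    "L2TP":  ("udp", 1701),
    "ESP":   ("esp", None),
    "AH":    ("ah", None),
}


@dataclass(frozen=True)
class NatRule:
    """Inbound port-forward; None in proto/port means 'any'."""
    name: str
    proto: Optional[str]
    port: Optional[int]
    target: str


@dataclass(frozen=True)
class PolicyRule:
    """Zone-to-zone security policy; an empty services set means 'any service'."""
    name: str
    from_zone: str
    to_zone: str          # "Device" = the firewall itself
    services: frozenset   # set of Flow tuples
    action: str           # "allow" or "deny"


def nat_shadow(flow: Flow, nat_rules: List[NatRule]) -> Optional[NatRule]:
    """First NAT rule that would forward this inbound flow to an internal
    host, so the firewall's own VPN listener never sees it."""
    proto, port = flow
    for rule in nat_rules:
        if rule.proto in (None, proto) and rule.port in (None, port):
            return rule
    return None


def policy_decision(flow: Flow, policy: List[PolicyRule]) -> Tuple[str, str]:
    """First-match WAN->Device policy lookup; unmatched traffic is denied."""
    for rule in policy:
        if (rule.from_zone, rule.to_zone) != ("WAN", "Device"):
            continue
        if rule.services and flow not in rule.services:
            continue
        return rule.action, rule.name
    return "deny", "<implicit default>"


def audit(nat_rules: List[NatRule], policy: List[PolicyRule]) -> Dict[str, str]:
    """Verdict per required flow. NAT shadowing is checked first because a
    port-forward is applied before the device's own listeners get the packet."""
    report: Dict[str, str] = {}
    for name, flow in REQUIRED_FLOWS.items():
        nat = nat_shadow(flow, nat_rules)
        if nat is not None:
            report[name] = f"shadowed by NAT rule {nat.name} -> {nat.target}"
        else:
            action, rule_name = policy_decision(flow, policy)
            report[name] = f"{action} by {rule_name}"
    return report


def missing_flows(nat_rules: List[NatRule], policy: List[PolicyRule]) -> List[str]:
    """Names of required flows that do not end in an explicit allow."""
    return sorted(n for n, v in audit(nat_rules, policy).items()
                  if not v.startswith("allow"))


# --- constructed configurations mirroring the stages in the thread ----------
NAT_CATCH_ALL = [NatRule("Web_Server", None, None, "192.168.0.10")]  # 'any' forward
NAT_NARROW = [NatRule("Web_Server", "tcp", 443, "192.168.0.10")]     # after the fix

# Service group holding only IKE and NAT-T (the two mentioned first).
POLICY_PARTIAL = [PolicyRule("WAN_To_Device", "WAN", "Device",
                             frozenset({("udp", 500), ("udp", 4500)}), "allow")]
# Service group covering everything the last troubleshooting step lists.
POLICY_FULL = [PolicyRule("WAN_To_Device", "WAN", "Device",
                          frozenset(REQUIRED_FLOWS.values()), "allow")]

if __name__ == "__main__":
    for label, nat, pol in (("catch-all NAT", NAT_CATCH_ALL, POLICY_PARTIAL),
                            ("narrow NAT, partial group", NAT_NARROW, POLICY_PARTIAL),
                            ("narrow NAT, full group", NAT_NARROW, POLICY_FULL)):
        print(f"{label}: missing {missing_flows(nat, pol)}")
        for flow, verdict in audit(nat, pol).items():
            print(f"  {flow:5} {verdict}")
```

With the catch-all NAT rule every flow is reported as shadowed, which matches the symptom of no hits at all in the firewall log; narrowing the forward to TCP 443 lets the first-match policy take over, and the partial service group then shows L2TP, ESP and AH falling through to the implicit deny until they are added to the group.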