L2TP / IPSec PSK Problem

nova

Hi!

I tried to make my own VPN access with my zywall USG100 and L2TP / IPSec PSK

i will connect via windows and now i got this

error...

....

because the security level could not authenticate the remote computer

...

what do you think is the problem?

meanwhile i am very angry about that complex and difficult VPN univers.

thx

mMontana

USG100 is quite old device... Could you please give bit more info about your device and settings?

nova

hi thx for your reaction. i know that the usg100 is older but i think it ok for my use.

I have a 4G router/modem/wifi access point its a 3neo.  i connected the WAN port of the USG100 to the LAN port of this router. the wan port got the ip 192.168.0.172

in the 3neo router i put the usg in the dmz zone. so every internet traffic is routed to the usg.

so now i want a vpn connection to the usg and i have tried different things. at least a l2tp over ipsec with psk. it dont work because i think l2tp is on layer 2 and the usg is behind a NAT from the 3 neo router is that correct? what can i do so it will work?

thx

mMontana

In my country, cellular connection do not provide a public ip address (unless specific profile/contract)

Your 3NEO receive a public IP Address?

Moreover: policy rule allows UDP 1701 traffic to the Zywall/USG?

nova

hi

yes my 3 neo got a public ip adress 77.117.70.xxx

now i tried to use the 3 neo router in bridge mode but it also doesn't work.

what go wrong and why is my usg dont work correct

when you could help me  i will let you on my usg100 because it is available from wan side.

thx

Fred_77

Hi @nova
sure that your router can manage a real full nat to usg? (Also port 1701, 4500, 500)
In my experience several routers have reserved port which are not managed in DMZ.
What can you see in the log of usg?

nova

I cant see a access to usg100 in the log. And my router can also do a bridge mode but this also doesnt work? Hmmm?

mMontana

Again... did you checked if USG100 is allowing traffic to itself on port 1701 UDP?

this configuration is quite close to an USG100 default and it won't let allow L2TP traffic to the device.

At least a service and a proper firewall rule should be added.

nova

hello! thx for your answer. i disabled the whole firewall ant nothing work! 

I'm not able to make it. once again: my router has a public ip adress and the usg100 is behind in the DMZ of the router. i think everything from public is routed to the usg100.  the usg100 get this ip 192.168.0.173. i want a vpn connection from a windows PC to the usg100 so that the connected PC works like it is in the private network at home. why is the solution so difficult. i tried everything....... 
thx

Fred_77

Hi @nova
Assuming your usg is correctly configurated, could you try with an external tool to understand if all the needed ports are really open?

Port 1701 udp is closed by default and you need to add this service to "Default Allow Wan to Device".

CHS

USG100 and USG300 are the same generation product.
In the other thread, it doesn't support for USG300 when it is behind NAT router.
https://community.zyxel.com/en/discussion/2431/usg300-l2tp-over-ipsec-behind-nat

Or you can upgrade product to FLEX.