L2TP / IPSec PSK Problem

nova
nova Posts: 9
Hi!

I tried to make my own VPN access with my Zywall USG100 and L2TP / IPSec PSK.

I will connect via Windows and now I got this error...

....
because the security level could not authenticate the remote computer
...

What do you think is the problem?

Meanwhile I am very angry about that complex and difficult VPN universe.

Thx



All Replies

  • mMontana
    mMontana Posts: 1,300  Guru Member
    The USG100 is quite an old device... Could you please give a bit more info about your device and settings?
  • nova
    nova Posts: 9
    Hi, thx for your reaction. I know that the USG100 is older, but I think it's OK for my use.

    I have a 4G router/modem/wifi access point, it's a 3neo. I connected the WAN port of the USG100 to the LAN port of this router. The WAN port got the IP 192.168.0.172.

    In the 3neo router I put the USG in the DMZ zone, so all internet traffic is routed to the USG.

    So now I want a VPN connection to the USG and I have tried different things, at least an L2TP over IPsec with PSK. It doesn't work because I think L2TP is on layer 2 and the USG is behind a NAT from the 3neo router, is that correct? What can I do so it will work?

    Thx
  • mMontana
    mMontana Posts: 1,300  Guru Member
    In my country, cellular connections do not provide a public IP address (unless with a specific profile/contract).
    Does your 3NEO receive a public IP address?
    Moreover: does a policy rule allow UDP 1701 traffic to the Zywall/USG?

  • nova
    nova Posts: 9
    Hi

    Yes, my 3neo got a public IP address, 77.117.70.xxx.
    Now I tried to use the 3neo router in bridge mode, but it also doesn't work.

    What goes wrong, and why doesn't my USG work correctly?

    If you could help me, I will let you onto my USG100 because it is available from the WAN side.

    Thx


  • Fred_77
    Fred_77 Posts: 115  Ally Member
    Hi @nova
    Are you sure that your router can manage a real full NAT to the USG? (Also ports 1701, 4500, 500.)
    In my experience several routers have reserved ports which are not managed in the DMZ.
    What can you see in the log of the USG?
  • nova
    nova Posts: 9
    I can't see any access to the USG100 in the log. And my router can also do a bridge mode, but this also doesn't work? Hmmm?
  • mMontana
    mMontana Posts: 1,300  Guru Member
    Again... did you check if the USG100 is allowing traffic to itself on port 1701 UDP?

    This configuration is quite close to a USG100 default, and it won't allow L2TP traffic to the device.
    At least a service and a proper firewall rule should be added.
  • nova
    nova Posts: 9
    Hello! Thx for your answer. I disabled the whole firewall and nothing works!
    I'm not able to make it. Once again: my router has a public IP address and the USG100 is behind it in the DMZ of the router. I think everything from public is routed to the USG100. The USG100 gets this IP 192.168.0.173. I want a VPN connection from a Windows PC to the USG100 so that the connected PC works like it is in the private network at home. Why is the solution so difficult? I tried everything.......
    Thx
  • Fred_77
    Fred_77 Posts: 115  Ally Member
    Hi @nova
    Assuming your USG is correctly configured, could you try with an external tool to understand if all the needed ports are really open?

    Port 1701 UDP is closed by default and you need to add this service to "Default Allow Wan to Device".
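An added example of the external check Fred_77 suggests, written for this thread and not taken from Zyxel or the forum: it sends one IKEv1 Main Mode proposal from outside to your own gateway on UDP 500 and 4500 and reports whether any ISAKMP reply comes back, which is what tells you the 3neo's DMZ/NAT really forwards those ports. It assumes the USG100 speaks IKEv1 (what a Windows L2TP/IPsec client uses) and that you replace the placeholder address 192.0.2.1 with the 3neo's public IP.

```python
import os
import socket
import struct

def build_ike_main_mode_probe(init_spi=None):
    """IKEv1 Main Mode message 1 (ISAKMP header + SA payload) proposing
    3DES / SHA1 / pre-shared key / DH group 2: a gateway either accepts it
    or answers NO-PROPOSAL-CHOSEN, and either reply proves UDP reachability."""
    init_spi = init_spi or os.urandom(8)
    # Four basic attributes: ENCR=3DES-CBC(5), HASH=SHA1(2), AUTH=PSK(1), GROUP=MODP-1024(2)
    attrs = struct.pack("!8H", 0x8001, 5, 0x8002, 2, 0x8003, 1, 0x8004, 2)
    # Transform payload: next=0, reserved, length, transform#=1, id=1 (KEY_IKE), reserved
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    # Proposal payload: next=0, reserved, length, proposal#=1, proto=1 (ISAKMP), SPI size=0, 1 transform
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    # SA payload: next=0, reserved, length, DOI=1 (IPsec), situation=1 (SIT_IDENTITY_ONLY)
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    # ISAKMP header: I-SPI, R-SPI=0, next=1 (SA), version 1.0, exchange=2 (Main Mode), flags, msg id, length
    header = struct.pack("!8s8sBBBBII", init_spi, b"\0" * 8, 1, 0x10, 2, 0, 0, 28 + len(sa))
    return header + sa

def is_isakmp_reply(data, init_spi):
    """True if data is an ISAKMP v1 message that echoes our initiator SPI."""
    if len(data) < 28:
        return False
    i_spi, _r, _n, ver, _e, _f, _m, length = struct.unpack("!8s8sBBBBII", data[:28])
    return i_spi == init_spi and ver >> 4 == 1 and length == len(data)

def probe_ike(host, port, timeout=3.0):
    """Send one probe to UDP 500 or 4500 and report whether an ISAKMP reply came back."""
    init_spi = os.urandom(8)
    msg = build_ike_main_mode_probe(init_spi)
    if port == 4500:                      # NAT-T framing: 4-byte non-ESP marker in front
        msg = b"\0\0\0\0" + msg
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (host, port))
        try:
            reply = s.recv(4096)
        except socket.timeout:
            return False
    if port == 4500 and reply[:4] == b"\0\0\0\0":
        reply = reply[4:]
    return is_isakmp_reply(reply, init_spi)

if __name__ == "__main__":
    # 192.0.2.1 is a placeholder; use the USG100's public WAN address (the 3neo's public IP).
    for port in (500, 4500):   # UDP 1701 is not probed: it only arrives inside the IPsec tunnel
        print(f"udp/{port}:", "ISAKMP reply" if probe_ike("192.0.2.1", port) else "no reply")
```

A reply on 500 but none on 4500 points at the router's DMZ/NAT handling, while no reply on either with the 3neo in bridge mode points at the USG's own WAN-to-Device rules.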
  • CHS
    CHS Posts: 177  Master Member
    USG100 and USG300 are the same generation of product.
    In the other thread, it isn't supported for the USG300 when it is behind a NAT router.
    https://community.zyxel.com/en/discussion/2431/usg300-l2tp-over-ipsec-behind-nat

    Or you can upgrade the product to FLEX.
