SSL VPN IP overlap with SecuExtender Mac OS
Hi guys, does anyone know if there is a bug / problem with the Mac OS version of SecuExtender SSL when the remote client is in the same subnet as the headquarters? Even if "Force all traffic ..." is selected, the VPN is established, but no ping, no routing, no internet connection ....
Same situation with the Win client: no problem.
Thanks in advance
0
All Replies
-
@Fred_77 would you please share some (private) subnets?
Also with the "lan" for the Windows and MacOS client...
Consider also publishing (if possible) the output for obtaining routing tables. I feel that the "kind" of network connection may be a part of the issue solving...
0 -
Hi @mMontana, thanks for reply.
my scenario is quite easy:
ATP200 with latest fw release,
LAN1 192.168.1.XXX (sob! I know it's very common but I can't modify)
Assigned VPN IP 192.168.13.10>100
Remote client subnet 192.168.1.XXX
If the remote is a windows client everything is ok.
If the remote is a Mac OS (my tests with Mac OS 12) I can ping client from ATP on sub 192.168.13.XXX and ATP from client 192.168.200.1 but nothing else.
Switching the Mac OS network to an LTE hotspot (192.168.43.XXX), everything is ok.
0 -
It sounds incredible...
I inherited this infrastructure and there are PLCs "so special" that to change IP a dude has to come to Italy from Belgium. And it costs a lot. No comment...
Obviously the customer will have them modified when they do maintenance on the machinery.
He's a bit stingy.
0 -
IMVHO part of the issue is due to the way that Windows manages routes.
Cable LAN drivers have higher priority on the routing table compared to wireless drivers.
Then... SSL VPN is a modified OpenVPN driver by Zyxel, but from the Windows perspective it is a LAN card.
Which is not for MacOSX. Currently I do not have access to a Mac OS device to run some tests... and point you to a way to explain to MacOS X that the SSL VPN adapter should have priority on routing tables.
As for...
LAN1 192.168.1.XXX (sob! I know it's very common but I can't modify)
It's simply an IT management suicide.
If your SSL VPN users do not ever come into LAN1, you can use Destination NAT to "create" a different LAN1 subnet for who comes from SSL VPN. I'm quite certain that it is available with L2TP; I never checked for SSL VPN.
0 -
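The Destination NAT idea from the post above, sketched as an added example that is not code from any participant or from Zyxel: it flags when a remote client's own LAN collides with the headquarters side and computes the alias address the client would use instead. The /24 masks, the alias subnet `10.77.1.0/24`, the host `192.168.1.50` and all function names are assumptions made for illustration.

```python
import ipaddress

# Addressing taken from the thread. The /24 masks are assumptions: the posts
# only give 192.168.1.XXX, 192.168.13.10>100 and 192.168.43.XXX.
HQ_LAN1 = "192.168.1.0/24"
VPN_POOL = "192.168.13.0/24"
# Hypothetical alias subnet that a 1:1 destination NAT would show to VPN users.
ALIAS_LAN1 = "10.77.1.0/24"


def find_overlaps(client_local_nets, remote_nets):
    """Return (local, remote) pairs whose address ranges intersect."""
    locals_ = [ipaddress.ip_network(n) for n in client_local_nets]
    remotes = [ipaddress.ip_network(n) for n in remote_nets]
    return [(str(l), str(r)) for l in locals_ for r in remotes if l.overlaps(r)]


def translate(addr, src_net, dst_net):
    """Map addr to the same host offset in dst_net (subnet-wide 1:1 NAT)."""
    addr = ipaddress.ip_address(addr)
    src, dst = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 mapping needs equal prefix lengths")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    return str(dst.network_address + (int(addr) - int(src.network_address)))


def check_client(client_local_nets, hq_host):
    """Say which address a remote client should use to reach hq_host."""
    overlaps = find_overlaps(client_local_nets, [HQ_LAN1, VPN_POOL])
    # The alias only helps if it does not collide with the client's LAN too.
    alias_clash = find_overlaps(client_local_nets, [ALIAS_LAN1])
    if not overlaps:
        target = hq_host
    elif not alias_clash:
        target = translate(hq_host, HQ_LAN1, ALIAS_LAN1)
    else:
        target = None  # no usable address: pick another alias subnet
    return {"overlaps": overlaps, "connect_to": target}


if __name__ == "__main__":
    # Constructed clients: home LAN that collides with LAN1, and the LTE hotspot.
    for nets in (["192.168.1.0/24"], ["192.168.43.0/24"]):
        print(nets, check_client(nets, "192.168.1.50"))
```

The gateway would need the matching reverse translation (alias back to the real LAN1 address) for this to work end to end.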
@mMontana
mMontana said: If your SSL VPN users do not ever come into LAN1, you can use Destination NAT to "create" a different LAN1 subnet for who comes from SSL VPN. I'm quite certain that it is available with L2TP; I never checked for SSL VPN.
Maybe...
Thanks guys,
enjoy the weekend
0 -
Normally, to avoid the VPN traffic routing issue of overlapping subnets, we would recommend users to separate the subnet.
0 -
@Zyxel_Jeff any network sysadmin knows this quite obvious rule of thumb...
0 -
Hi @Zyxel_Jeff
The focus is another: try to understand why (in the same condition) a Win client works well and a Mac OS does not.
0 -
Different network TCP/IP stack in Win vs Mac
0