Internet per port via IPSec VPN on usgflex100

Good afternoon!
I set up a tunnel between the VPN server and the office usgflex100.
The connection is established, the tunnel goes up, but now I'm faced with the problem that I don't know how to make usg get the Internet via VPN either on one port or on a specific subnet.
I will be grateful for any advice or guide. Thanks.

P.s. If you connect with Win or Linux directly to the VPN, the Internet works.

All Replies

  • zyman2008
    Hi @Stanislav,
    You need to know what VPN mode the VPN server supports.

    You can refer to this thread first:
    https://community.zyxel.com/en/discussion/13182/connect-zyxel-as-a-client-to-strongswan-vpn-server#latest

    Zyxel firewall does not support behaving as an IPSec VPN client to connect to Express VPN/Nord VPN, etc.
    It only supports site-to-site IPSec or IPSec VPN server.

  • Stanislav
    Hi @zyman2008. I have a personal IPSec VPN.
    If you need any other information on the vpn server, I can provide it.

  • zyman2008
    Hi @Stanislav,
    What's the local/remote network policy of the established tunnel?
    Could you take a GUI screenshot of this tunnel in MONITOR > VPN Monitor > IPSec?

    What's the personal IPSec VPN?
    A cloud service? (What's the name or web site?)
    Or built and managed by yourself? (What's the OS platform and IPSec software package?)

  • Stanislav
    @zyman2008
    I build and administer it myself.
    Ubuntu 20.04.4 LTS (GNU/Linux 5.13.0-1027-oracle x86_64)
    Used this script https://github.com/hwdsl2/setup-ipsec-vpn (Libreswan)

  • zyman2008
    @Stanislav,
    OK. That script can build up Libreswan and set up L2TP/IPSec, IKEv1+XAuth and IKEv2 VPN servers.

    But you need to add a site-to-site rule and configure iptables rules on your server for the Zyxel firewall.
    Here is what you need to do.
    1. Edit /etc/ipsec.conf to set leftsubnet=0.0.0.0/0 in the conn rule for the Zyxel firewall:
    conn
          ...
          leftsubnet=0.0.0.0/0
          
    2. Add iptables rules (assuming eth0 is the outgoing interface on the server):
    (1) A forward rule for 192.168.21.0/24 to any:
    iptables -I FORWARD 8 -s 192.168.21.0/24 -o eth0 -j ACCEPT
    (2) A SNAT rule for 192.168.21.0/24 on the outgoing WAN interface of your server to access the Internet:
    iptables -t nat -I POSTROUTING -s 192.168.21.0/24 -o eth0 -j MASQUERADE

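The two steps above, wrapped in a small POSIX shell script as an added example (it is not from the thread, from Zyxel, or from the hwdsl2 project). It reads the leftsubnet= value of the tunnel's conn out of an ipsec.conf-style file to confirm step 1, and inserts the FORWARD and MASQUERADE rules of step 2 only when iptables -C reports them absent, so re-running it after a reboot or a config change does not stack duplicate rules. It assumes the Zyxel LAN is 192.168.21.0/24 and eth0 is the server's WAN interface (both taken from the reply), that the conn is named "zyxel" (a hypothetical name; set CONN_NAME to yours), and that the file is saved as tunnel-nat.sh. DRY_RUN=1 prints the iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example (not the thread's, Zyxel's or hwdsl2's code). Assumptions: Zyxel LAN
# 192.168.21.0/24 and WAN interface eth0 are from the reply; conn name "zyxel" and the
# file name tunnel-nat.sh are hypothetical. Override any of them via the environment.
TUNNEL_SUBNET="${TUNNEL_SUBNET:-192.168.21.0/24}"
WAN_IF="${WAN_IF:-eth0}"
CONN_NAME="${CONN_NAME:-zyxel}"
IPSEC_CONF="${IPSEC_CONF:-/etc/ipsec.conf}"
FORWARD_POS="${FORWARD_POS:-8}"   # position from the reply; must stay above any trailing DROP
DRY_RUN="${DRY_RUN:-0}"

# Accept only a dotted quad with a /0-32 prefix, so nothing but an address (no shell
# metacharacters, no extra iptables arguments) can reach the rule commands below.
valid_cidr() {
    case "$1" in *[!0-9./]*|''|/*|*/) return 1 ;; esac
    addr="${1%/*}"; prefix="${1#*/}"
    [ "$prefix" != "$1" ] || return 1                    # no slash at all
    case "$addr$prefix" in */*) return 1 ;; esac         # more than one slash
    case "$prefix" in *[!0-9]*) return 1 ;; esac         # prefix must be plain digits
    [ "$prefix" -le 32 ] || return 1
    # Split the address on dots in a subshell so IFS is untouched; every octet
    # must be non-empty and <= 255, and there must be exactly four of them.
    octets=$(IFS=.; set -- $addr
             for o; do { [ -n "$o" ] && [ "$o" -le 255 ]; } || exit 1; done
             echo $#) || return 1
    [ "$octets" -eq 4 ]
}

# Step 1 check: print the leftsubnet= value of a named conn in an ipsec.conf-style
# file ("conn NAME" header, then indented key=value lines, '#' comments allowed).
conn_leftsubnet() {  # $1 = file, $2 = conn name
    awk -v want="$2" '
        /^[[:space:]]*conn[[:space:]]+/ { in_conn = ($2 == want); next }
        in_conn && /^[[:space:]]*leftsubnet[[:space:]]*=/ {
            sub(/^[[:space:]]*leftsubnet[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]#].*$/, "")
            print; exit
        }' "$1"
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Step 2: insert a rule only if it is not already present (iptables -C), so the
# script is safe to run repeatedly.
ensure_rule() {  # $1 = table, $2 = chain, $3 = insert position, rest = match/target
    table=$1; chain=$2; pos=$3; shift 3
    if [ "$DRY_RUN" != 1 ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        echo "already present: -t $table $chain $*"
    else
        run iptables -t "$table" -I "$chain" "$pos" "$@"
    fi
}

apply_rules() {
    valid_cidr "$TUNNEL_SUBNET" || { echo "bad TUNNEL_SUBNET: $TUNNEL_SUBNET" >&2; return 1; }
    if [ "$DRY_RUN" != 1 ]; then
        command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
        [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] ||
            echo "warning: net.ipv4.ip_forward is not 1; forwarding will not work" >&2
        subnet_cfg=$(conn_leftsubnet "$IPSEC_CONF" "$CONN_NAME")
        [ "$subnet_cfg" = 0.0.0.0/0 ] ||
            echo "warning: conn $CONN_NAME has leftsubnet='$subnet_cfg', expected 0.0.0.0/0" >&2
    fi
    # (1) forward packets from the Zyxel LAN out of the WAN interface
    ensure_rule filter FORWARD "$FORWARD_POS" -s "$TUNNEL_SUBNET" -o "$WAN_IF" -j ACCEPT
    # (2) source-NAT them to the server's WAN address on the way out
    ensure_rule nat POSTROUTING 1 -s "$TUNNEL_SUBNET" -o "$WAN_IF" -j MASQUERADE
}

# Constructed ipsec.conf fragment (not a real server's config) to exercise
# conn_leftsubnet without touching /etc/ipsec.conf.
sample_ipsec_conf() {
    cat <<'EOF'
conn other-site
    leftsubnet=10.0.0.0/8
    rightsubnet=10.9.0.0/16
conn zyxel
    # full tunnel: the server offers the whole Internet to the Zyxel LAN
    leftsubnet=0.0.0.0/0   # the value step 1 asks for
    rightsubnet=192.168.21.0/24
EOF
}

case "$0" in *tunnel-nat.sh) apply_rules ;; esac   # runs only when executed as the script itself
```

Preview with `DRY_RUN=1 sh tunnel-nat.sh`, then run it as root. Before trusting FORWARD_POS=8, list the chain with `iptables -L FORWARD --line-numbers`: inserting below a DROP or REJECT rule leaves the tunnel traffic blocked, and inserting at an index larger than the chain length makes iptables refuse the command.
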
  • Stanislav
    @zyman2008
    Thank you very much, I will try.
