USG 60 L2TP IPsec VPN not working from local LAN2

stephan  Posts: 31  Freshman Member
edited April 2021 in Security
Hey guys,

Recently users asked me if they can connect to our VPN from our company WiFi.
The company LAN (LAN1) and the company WiFi (LAN2) are both connected to our USG60, which handles all traffic to and from the internet. L2TP/IPsec VPN is already set up and working via the WAN port of the USG60 and lands inside LAN1 in a new subnet. A few details:

WAN: <WAN IP> (Landing IP for VPN connections)
LAN1: 10.0.0.X + 10.0.1.X (for VPN clients)
LAN2: 192.168.2.X

I tried working out how to enable users to connect to the VPN from our LAN2 as well, but I am stuck. When clients try to connect with the normal VPN settings, they run into error 789 on both Win7 and Win10. I found this thread: https://businessforum.zyxel.com/discussion/878/usg-110-l2tp-vpn-behind-companion-nat-firewall but it's not really the same, as there isn't any NAT between LAN2 and WAN, though there is between LAN2 and LAN1, of course. I also checked the policies and didn't find anything that looked like it would prevent traffic from LAN2 to WAN.

What am I missing here? How can users connect to VPN from another internal LAN?

Comments

  • Zyxel_Cooldia  Posts: 1,426  Zyxel Employee
    Hi @Stephan,
    Can you post your network topology with IP subnets and the VPN client you connected from?

  • stephan  Posts: 31  Freshman Member
    edited June 2018

    Here is our topology.


    We can connect to the VPN if the connection originates from the internet. We also want to connect to the VPN when connected to one of the WiFis. The VLANs are handled on our Netgear switches, if that makes any difference. WiFi clients get a successful resolution from vpn.company.com to the WAN public IP. However, when connecting from WiFi to the VPN, Windows 7/10 times out with the above-mentioned error 789.

    Let me know if you need more details.
  • Zyxel_Cooldia  Posts: 1,426  Zyxel Employee
    Hi @stephan,
    VPN connections from an internal interface are not supported in V4.31. We will support multi-interface for L2TP over IPsec VPN in V4.32.
  • stephan  Posts: 31  Freshman Member
    edited June 2018
    Thanks for that! Tough to find out with just the user manual.

    @Zyxel_Cooldia Would the USG 100 or the USG 310 support L2TP/IPsec over internal interfaces? Will V4.32 be released for the USG 60? Do you have a rough estimate of when V4.32 will be released?
  • Zyxel_Cooldia  Posts: 1,426  Zyxel Employee
    Hi @stephan,
    USG310 and USG60 are in the V4.32 release plan; the schedule might be around the end of July.
  • stephan  Posts: 31  Freshman Member
    edited June 2018
    @Zyxel_Cooldia Thank you again for your swift reply! We will wait for the next FW upgrade and then try to solve this issue that way :)

    Can I mark this as solved anywhere?