Follow-up on Zyxel VPN tutorial - and SoftEther VPN server

My_IT_Hurts
My_IT_Hurts Posts: 13
edited June 2022 in Security
Hello guys,
To sum things up quickly, I followed these tutorials:
https://support.zyxel.eu/hc/en-us/articles/360001390914
https://support.zyxel.eu/hc/en-us/articles/360000706899

And I get stuck with Windows 10 stating that the remote server doesn't respond.
On the ZyWALL log all I see is:
Security Policy Control
Match default rule, DROP [count=3]
 my_ip:47653
 public_ip:1701
ACCESS BLOCK

I've added port 1701 (UDP/TCP) to the security policy wan_to_zywall on top of the default one (which has 51/50/443/500/4500...), but the ZyWALL doesn't seem to care.
What could I be doing wrong?

Also, I've tried setting up a SoftEther server, and I also got issues with the firewall throwing a fit about ping, always logging ping type 8 or 15 issues/abnormality issues even though I seem to have authorized it.
Is this issue related to my first question (wrong config), or is SoftEther incompatible with the ZyWALL?

All Replies

  • My_IT_Hurts
    My_IT_Hurts Posts: 13
    edited June 2022
    [edit: sorry didn't see the edit button...]
  • mMontana
    mMontana Posts: 1,337  Guru Member
    AFAIK 1701 UDP is the L2TP port. Probably your appliance is considering SoftEther an L2TP client and not an IPsec client.
  • My_IT_Hurts
    My_IT_Hurts Posts: 13
    edited June 2022
    Hi mMontana,
    I see my post was confusing... the SoftEther VPN server issue is another question.
    My issue with the port 1701 blockage is after following the Zyxel Campus tutorial.

    To be clearer, I see on the ZyWALL that a session is started, but after 5 seconds it stops, with Windows 10 saying no response from the remote server.



  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,373  Zyxel Employee
    Hi @My_IT_Hurts
    Could you check the VPN disconnect log entries in Monitor > Log to find the reason?
    You may share a screenshot of the log entries for a further check.
  • My_IT_Hurts
    Zyxel_Stanley said:
    Hi @My_IT_Hurts
    Could you check the VPN disconnect log entries in Monitor > Log to find the reason?
    You may share a screenshot of the log entries for a further check.
    Hi Zyxel_Stanley,
    I don't find anything in Monitor / Log for VPN (is it VPN dashboard in the filter? I also looked at L2TP over IPsec...).
    I just select all logs, and the only thing with my IP is:
    5
    2022-07-01 15:02:35
    notice
    Security Policy Control
    Match default rule, DROP [count=2]
     distant_client_ip:64434
    public_ip:1701
    ACCESS BLOCK

    In Monitor \ VPN Monitor I get this during a few seconds:


  • mMontana
    mMontana Posts: 1,337  Guru Member
    edited July 2022
    As stated before...
    mMontana said:
    AFAIK 1701 UDP is the L2TP port. Probably your appliance is considering SoftEther an L2TP client and not an IPsec client.
    Confirmed by both your images...

    Your SoftEther connection is "recognized" as L2TP, not IPsec.

    As stated by SoftEther, the client is an IPsec client; if you need L2TP, SoftEther suggests using the integrated OS client, and not SoftEther.

    If you're using (as stated) SoftEther Server, you need to set up your Zyxel device in a different way.
  • My_IT_Hurts
    Hi,
    @mMontana: thanks, but please read my first post again. The SoftEther issue was simply an additional question.
    OK, I shouldn't have added it, but really the current issue is only with the tutorial made by Zyxel Campus, and the security policies that need to be added on the ZyWALL afterwards (in my case it's an issue with port 1701).
    Best regards
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,373  Zyxel Employee
    Hi @My_IT_Hurts
    You may check whether the L2TP pool IP addresses overlap with other interfaces, which would cause a routing issue.
    If it still doesn't help, you may send your configuration to me by private message for a further check. :)
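An added triage script, not from the original thread or from Zyxel: it parses constructed ZyWALL-style policy-drop entries shaped like the ones quoted above, sums default-rule drops per L2TP/IPsec stage (UDP 500 IKE, 4500 NAT-T, 1701 L2TP, the port mMontana points to), and runs the L2TP pool overlap check Zyxel_Stanley suggests. The one-line log shape, the addresses and the function names are assumptions.

```python
import ipaddress
import re

# UDP ports of the L2TP/IPsec exchange in the order a Windows client uses them:
# IKE, then NAT-T (ESP in UDP), then the L2TP control session (the thread's 1701).
STAGE_BY_PORT = {500: "IKE", 4500: "NAT-T", 1701: "L2TP control"}

# Constructed one-line records shaped like the ZyWALL entries quoted above;
# the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2022-07-01 15:02:35 notice Security Policy Control Match default rule, DROP [count=2] 203.0.113.10:64434 198.51.100.5:1701 ACCESS BLOCK
2022-07-01 15:02:36 notice Security Policy Control Match default rule, DROP [count=1] 203.0.113.10:64434 198.51.100.5:1701 ACCESS BLOCK
2022-07-01 15:02:40 notice Security Policy Control Match rule 7, ACCEPT 203.0.113.10:4500 198.51.100.5:4500
"""

ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ Security Policy Control "
    r"Match (?P<rule>.+?), (?P<action>DROP|ACCEPT)(?: \[count=(?P<count>\d+)\])? "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_entries(text):
    """Turn raw log text into dicts; lines that do not match the shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            e["count"] = int(e["count"] or 1)  # entries without [count=N] are one packet
            entries.append(e)
    return entries

def dropped_vpn_stages(entries):
    """Sum packets dropped by the default rule per VPN stage, so the step that no
    explicit policy covers is visible at a glance."""
    totals = {}
    for e in entries:
        if e["action"] == "DROP" and e["rule"] == "default rule" and e["dport"] in STAGE_BY_PORT:
            stage = STAGE_BY_PORT[e["dport"]]
            totals[stage] = totals.get(stage, 0) + e["count"]
    return totals

def pool_overlaps(l2tp_pool, interface_subnets):
    """Return the interface subnets that overlap the L2TP client pool (Zyxel_Stanley's
    check); clients sharing addresses with a LAN would break routing."""
    pool = ipaddress.ip_network(l2tp_pool, strict=False)
    return [s for s in interface_subnets if pool.overlaps(ipaddress.ip_network(s, strict=False))]
```

On the constructed sample, `dropped_vpn_stages` reports three packets dropped at the "L2TP control" stage and nothing at IKE or NAT-T, which is the pattern the thread's log shows.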
  • My_IT_Hurts
    @Zyxel_Stanley: no, it doesn't.
    But since then I switched to an SSL VPN method, which works fine.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,373  Zyxel Employee
    edited July 2022
    Hi @My_IT_Hurts
    It's good to know you use an SSL VPN tunnel as a workaround and the tunnel works well.
    If you like, we could continue to help check the L2TP VPN tunnel issue.
    You can provide the startup-config or HTTPS access privileges by private message to me for a further check of this issue.
