Trouble setting up L2TP over IPSEC on ATP100

Options

Hi Zyxel team,

We recently replaced an old CISCO firewall with a new ATP100. I tried for several days to setup remote access via L2TP over IPSEC, where I immediately succeeded in logging into the firewall from the outside using the built-in L2TP client in Windows but failed to access the network behind it. I then found the "ZyWALL_L2TP_VPN_Setup.pdf" guide and followed the instructions there, as I understood them, to modify what I had already configured, but there is still no network access. Internet access from inside the network is working flawlessly on both lan1 (the internal network) and lan2 (guest network via an internal wireless router).

I have followed the PDF setup guide as closely as possible, including not configuring settings that are not shown as configured in the guide.

The ISP assigned static IP address/subnet mask/default gateway settings are configured on the wan interface

lan1 is the internal interface with IP 192.168.1.10/255.255.255.0

IP addresses up to 192.168.1.100 are reserved for static configuration because we historically use that for most devices on the network (these are the devices we want to access from the outside using VNC via the VPN tunnel)

The DHCP server on lan1 is configured with a small pool between 192.168.1.120 and 192.168.1.128, which is working fine (this pool is used by a few accasionally connected laptops).

On lan2 the DHCP server pool is between 192.168.2.100 and 192.168.2.128, which is working fine.

I have configured an address rule called WAN_IP on the wan interface and another address rule called L2TP_POOL with a range between 192.168.50.1 and 192.128.50.50

I have configured one user ”myself” and one user group, called L2TP_USERS where the user ”myself” is a member.

I have one VPN Gateway called L2TP_VPN_GATEWAY where the interface is wan, and it shows the IP address of the wan interface, the pre-shared key is configured, encryption is 3DES, authentication is SHA1 and key group is DH2.

I have one VPN Connection called L2TP_VPN_CONNECTION with a remote access scenario (server role), the VPN gateway is L2TP_VPN_GATEWAY and it shows 0.0.0.0, 0.0.0.0 (should it not show the external IP?), the local policy is WAN_IP and shows the IP adress of the wan interface. The zone is IPSec_VPN, and in the Edit Zone screen the L2TP_VPN_CONNECTION shows up as a member of that zone.

In the Edit L2TP VPN screen the VPN connection is L2TP_VPN_CONNECTION, the IP adress pool is L2TP_POOL and it shows 192.168.50.1-192.168.50.50, allowed users is set to L2TP_USERS

I have one Policy route where the user setting is any, the incoming setting is tunnel, the one member setting is L2TP_VPN_CONNECTION, the source adress is L2TP_POOL, the destination adress is Any, next hop type is Trunk, and trunk is SYSTEM_DEFAULT_WAN_TRUNK. Address Translation is none (Should that be configured, and if so, how?. That part of the edit screen is omitted from the guide PDF).

Anyway, with this configuration, more or less copied straight from the PDF guide, I cannot get further than logging into the ATP100 from the outside. There is no network access. On the remote client I can see an IP adress from the L2TP_POOL using IPCONFIG. What to do next?

Best Answers

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options
    Hi @Starteam

    In addition, I also set up a simple lab and noticed the TightVNC connection can be established via L2TP connection as well.

    Topology:
    (WAN:10.214.48.135) L2TP client(192.168.50.1)   -> (WAN:10.214.48.25)USG Flex200(with V5.31 FW) -> LAN1->PC with TightVNC server(192.168.1.121)

    Firstly, I confirmed the L2TP client is already connected to USG  Flex200.



    Then I tried to establish a TightVNC connection from  L2TP client(192.168.50.1) to LAN1 PC(192.168.1.121).


    And I could access my LAN1 TightVNC server successfully as below:



    I captured the packet on LAN1 PC and filter the IP address via Wireshark CLI "ip.addr==192.168.50.1" and then confirmed the TightVNC connection can be established via an L2TP connection as well.


    Thanks :) .

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options
    Hi @Starteam

    When we disabled the policy route and everything is solved eventually. We consider you won't add this policy route for L2TP clients.


    We can ping and access the internal  TightVNC server(192.168.1.37) successfully.
     
    CLI: packet-trace interface lan1 ip-proto icmp


    Thanks =) .
«1

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited September 2022
    Options

    Hi @Starteam

    Welcome to Zyxel community, could you confirm if you already unchecked Ignore “Don’t Fragment” setting in IPv4 header option( path: Configuration > VPN > IPSec VPN > VPN Connection )? 


    You could disable it and see if it is working for you, thanks.

  • Starteam
    Options
    Yes, that setting is UNchecked
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    May we know had your problem solved yet?  If still none, please provide the device config file to us via private message and we could check the configuration for you, thanks.
  • Starteam
    Options
    Hi Jeff,

    No, it has not been solved. I just sent the config file to you.

    To repeat, we want to use VNC over the L2TP connection, and that is what doesn't work. We are running VNC servers on several computers in the LAN, and we want to access any of those using a VNC viewer on the remote clients. Both servers and clients worked with our old firewall, so the problem is not in VNC itself. It seems I also need to configure NAT, but I have found no guide for that. In addition, we want to be able to ping the computers  running VNC servers from the remote clients.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @Starteam

    May I know what is IP ranges of those VNC servers in the LAN?  BTW, maybe it may not relate to this topic but here is a NAT port forwarding tutorial that can provide to you.  Thanks. 
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    I applied your config to our lab site ATP100, I changed your fixed IP to our DHCP IP address. When I established L2TP VPN connection there are "Match default rule, DROP" messages on the Monitor log, so I disable the firewall rule then the L2TP connection can be established and I can access the internal website address(192.168.1.120) as well. So, when you cannot access the internal VNC server, are there any drop messages that can be observed on the Monitor log? Could you disable the firewall rule to see if you can access your internal VNC server? Maybe this issue is caused by some specific security policies in your environment.  
  • Starteam
    Options
    Hi Jeff,

    To begin with your question from yesterday: The VNC servers are on a selection of computers in the lan1 group. They have 192.168.1.x IP addresses, as specified in my original post.

    Looking at the Monitor log, I can see the tunnel being created, user [myself] from L2TP being logged in Device (getting IP address 192.168.50.1 from the L2TP_POOL) and user [myself] being granted an L2TP over IPsec session. Then there is nothing related to my session util the log says that user [myself] from L2TP has logged out Device. In between I have tried to start a VNC session from the remote client computer, just getting a message on that computer, after a timeout, that the VNC server did not respond.

    There are no DROP messages in the log except the usual suspects from China etc.

    Inside the network I can connect from any 192.168.1.x computer running a VNC client to any 192.168.1.x computer running a VNC server. There are no security policies at all in the internal environment except the local Windows firewall, which is disabled on the computers running the VNC server software. And as I mentioned before, while we were using the old Cisco firewall, VNC worked without any problems. Nothing has been changed besides replacing the firewall itself. There is nothing VNC related in the old Cisco config file, but one obvious difference is that it used a small range of 192.168.1.x addresses for the computers connected via VPN. The ATP100 complained that there was an overlap with lan1 when I tried to use the same range so I chose 192.168.50.x instead.

    I am not really sure which firewall rule you suggest that I should disable. If you mean the Policy route I described in my original post, then I have already tried that with the same result. 

    Do I need to setup NAT and/or port forwarding for the VNC port to the various internal computers, and if so, how? It seems you could access your internal computer without that.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @Starteam

    Could you provide your remote Web-GUI to us for further checking? Maybe we can try to establish L2TP connection to your site to troubleshoot it. I will provide the information about how to configure a remote Web-GUI link to Zyxel HQ via private message Thanks.
  • Starteam
    Options
    Hi Jeff,

    Due to other pressing matters it will take a few days before I can configure that. I'll be back ...
  • Starteam
    Options
    Configuration sent to you in a private message a moment ago

Security Highlight