USG Flex 100 problem setting up L2TP VPN from Wizard

Hi everyone,

I'm a newbie and I'm trying to set up an L2TP VPN with a USG Flex 100, but without good results.

I tried to use the wizard for it but it just doesn't work; I can't connect from another line. This is the LOG when I try to connect:

I tried to look it up on Google but none of the guides helped me.

So.. The LAN is in the subnet 10.0.0.0/24 while the Firewall and Router are in 192.168.0.0/24. I want the users connecting through the VPN to be in the 192.168.51.0/24 subnet, and I need them just to access some shared folders on the server (10.0.0.2); I don't want them browsing the internet with it.

I'm gonna try to post my configuration so that maybe someone is gonna find some problems within it.

If I missed anything just let me know, thank you all.

Accepted Solution

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,059  Zyxel Employee
    Answer ✓

    Hi @Rgnvdjfgdfg

    Because your scenario belongs to L2TP behind NAT, you should add a registry key called AssumeUDPEncapsulationContextOnSendRule and set it to 2 on your Windows PC and then the L2TP VPN connection should be working for you.

    Configure L2TP/IPsec server behind NAT-T device - Windows Server

    Create a registry key on Windows PC Client:
    (1) Start > cmd > Enter "regedit"
    (2) Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
    (3) Add a DWORD (32-bit) value named: AssumeUDPEncapsulationContextOnSendRule
    (4) Edit value as 2
    (5) Reboot PC.

    On Windows 10, edit in the registry and then reboot.
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

    Thanks😀.

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,059  Zyxel Employee

    Hello @Rgnvdjfgdfg

    What device did you use to establish L2TP VPN connection with your USG Flex 100? Is it a smartphone or a PC? Can you provide the remote Web-GUI link and device startup-config.conf file to us for further checks by private message? I will send a private message to you later, please check your e-mail inbox. Thanks.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,059  Zyxel Employee

    Hi @Roberto,

    We noticed that your WAN IP address is 192.168.X.X, which is a private IP address. Could you please confirm whether your router (with a public IP) is able to forward VPN-related traffic such as IKE (UDP 500), NAT-T (UDP 4500), ESP (protocol 50), and AH (protocol 51) to the USG Flex 100? Thanks.

  • Hi,

    I previously forwarded all traffic and ports to the USG Flex so as not to have this kind of problem, so it shouldn't be that. When it all works, of course I'm gonna forward only the ports I need, but in the meantime, as this is a "test run", I thought of letting it all in.

    Thanks

  • Hi,

    I just tried it and it works, thanks.

    I was wondering, is there a way to make it work for everyone without doing this on every single client? Because I set it up a while ago and it worked (beginner's luck) until I probably modified something that broke it all.

    Is it normal to do these steps for it to work in Windows?

    Thanks a lot for everything.

  • TrondBKSuleimanCo
    TrondBKSuleimanCo Posts: 19  Freshman Member

    You could save the registry key to a file (*.REG) and send it as attachment to all users who need to run this update, saving yourself from doing it.

    You could also add it to your Windows image on DVD, or USB image file, to have it integrated into each setup when you have to reinstall computers.

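The accepted answer's registry change and the suggestion above to distribute it to every client can be combined into one idempotent script. This is an added example, not code from the thread or from Zyxel; it assumes an elevated PowerShell session on the Windows client, and the value meanings in the comments come from the Microsoft article the accepted answer links to.

```powershell
# Added example (not from the thread): audit the PolicyAgent value the
# accepted answer describes and set it to 2 only if it is not already 2.
# Run elevated; the setting takes effect only after a reboot.
# DWORD meaning (Microsoft docs): 0 = no NAT assumed (default, L2TP/IPsec
# behind NAT fails), 1 = VPN server behind NAT, 2 = client and server behind NAT.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'
$Wanted    = 2

# Read the current value; $null means the value does not exist yet.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

if ($null -eq $current) {
    Write-Host "$ValueName is not set (behaves as 0: L2TP/IPsec behind NAT will fail)."
} else {
    Write-Host "$ValueName is currently $current."
}

if ($current -ne $Wanted) {
    # New-ItemProperty with -Force creates or overwrites the DWORD;
    # Set-ItemProperty alone would fail when the value is absent.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Wanted -Force | Out-Null

    # Verify the write before telling the user to reboot.
    $after = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($after -eq $Wanted) {
        Write-Host "Set $ValueName to $Wanted. Reboot for the change to take effect."
    } else {
        Write-Warning "Could not set $ValueName (is this PowerShell session elevated?)."
    }
} else {
    Write-Host "Nothing to do; the client is already configured for L2TP behind NAT."
}
```

Because the script only writes when the value differs, it can safely be run repeatedly, for example as a startup script, as an alternative to the *.reg file.
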
  • I'd prefer it if there was a configuration to do on the USG Flex instead of working on every PC.

    For now I did the *.reg file as you suggested, thank you.
