VPN - Ping Troubleshooting

Jeff_ATS

My L2TP VPN is up and running fine, I can connect to everything I need on the host network (192.168.1.0). I use a LAN Messenger that cannot see the client network 192.168.20.0.

I can ping from my client 192.168.20.220 to the host network without issues, but not the other way.

I do notice that my client shows a gateway of 0.0.0.0

Jeff_ATS

I have finnaly narrowed down the issue, the LAN Messenger we use will not function with NAT/SNAT.

I added the route policy back in and my RDP session work fine again. No dropped messages in the log files.

Thank you for your support.

Zyxel_Jeff

Hi @Jeff_ATS

Welcome to the Zyxel community. We're here to assist you with the issue you're experiencing. To better understand your situation, could you kindly provide us with the following information:

1. Is your main problem that L2TP VPN clients are unable to access the LAN domain 192.168.20.X?
2. What are the IP ranges for LAN1, LAN2 (or other VLANs), and L2TP IP?
3. Please share screenshots of the policy route, security policy, and L2TP VPN settings with us. Examples are shown below:

Policy Route

Security Policy: the below are IPsec related policies

L2TP VPN settings:

Thank you in advance for your cooperation. We look forward to assisting you further.

Jeff_ATS

The L2TP VPN is working perfectly. It allows remotes users to RDP to local servers and map network drives.

1. I use a LAN Mesenger application that I am trying to get working trough the VPN. Again , the LAN Messenger would be a nice to be working, the VPN is doing wjat I want it to do.

From a client (192.168.20.221) , I can ping anything on the host LAN (192.168.1.0) but from the host side, I cannot ping the 192.168.20.220 - 192.168.20.235 range.

The

1. 
   

Zyxel_Jeff

Hi @Jeff_ATS

Thank you for your update. Could you please check whether the firewall settings on your Windows PC are disabled? Thanks.

Jeff_ATS

ATS VPN.pdf

Thank you for your help. The VPN is working fine, but I have a need to be able to ping from both directions

PeterUK

I think you might need to rethink your network layout? most of the problem will be that 192.168.1.199 has gateway 192.168.1.1 if this was 192.168.1.251 then it will likely work. So 192.168.1.199 VPN to 192.168.1.251…

…unless this is some type of Asymmetrical Route which are hard to get hard

if you disable the flex firewall does it work?

Zyxel_Jeff

Hello @Jeff_ATS

Many thanks for sharing the detailed information with us. It could be a routing-related issue from L2TP client to the internal lan host. Could you provide a remote Web-GUI link to us for further checking purposes? We will send an e-mail to you later, please check your e-mail inbox. Thanks.

Zyxel_Jeff

Hello @Jeff_ATS

Ok, thanks for your update. We have noticed that there is a policy route that could impact the L2TP client's SNAT behavior, as shown below:

Could you please remove this policy route and try again? You can use our Wizard to create an L2TP VPN connection via expert mode this time, as shown below:

Thanks.

Jeff_ATS

I did as outlined above and I am now able to use my LAN Messenger, however, the ability to RDP from the clients no longer works. May be I can add a route specific to my three RDP servers (192.168.1.00, 192.168.1.99 and 192.168.1.151) they would need to be reacahble from 192.168.20.220 - 192.168.20.235)

Zyxel_Jeff

Hi @Jeff_ATS

We noticed that you are still using EZMODE_VPN_L2TP. Please inactivate it and activate RemoteAccess_L2TP_Wiz to see if LAN Messenger and RDP sessions work for you.

If it still doesn't work, please go to Monitor > View Log to check if there are any blocked messages or matched default rule drop messages for the IP range 192.168.20.220 - 192.168.20.235 that might be preventing access to internal LAN hosts(192.168.1.99, 192.168.1.151). Thanks.

Jeff_ATS

I have finnaly narrowed down the issue, the LAN Messenger we use will not function with NAT/SNAT.

I added the route policy back in and my RDP session work fine again. No dropped messages in the log files.

Thank you for your support.