Zyxel USG 60 map IPSec VPN connection

Options

Hi,

I have configured IPSec VPN connection and everything works when I'm accessing remote VPN resources from LAN. What I need is to map defined TCP port from specific external public IP to VPN resource.
I've tried creating NAT virtual server rule as:
source interface/IP: as WAN/external computer IP and destination IP as VPN resource IP on specified ports. Firewall is not blocking access, I see incoming connection from my external IP redirected to internal VPN host, but that's it. I have no connection with VPN host. Is it possible to use my Zyxel device as sort of "gateway" for VPN connection from outside without modifying VPN provider settings? I know this is not secure solution, but in this case I have no other way to access VPN resource.

«1

All Replies

  • PeterUK
    PeterUK Posts: 2,730  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Tested here and it works.

    is VPN client IP fixed?

    try with NAT rule set for source IP to any

    is there a firewall rule from WAN to IPSec_VPN for the port?

  • andrew8891821
    Options

    I've tried with and without firewall rule. VPN connection local rule is set to LAN subnet. When I change it to external IP then I can't establish connection at all.

  • PeterUK
    PeterUK Posts: 2,730  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    That might be why then the VPN IP subnet/range needs to be different the other LAN subnets

  • andrew8891821
    Options

    So what can I do it this situation? I've tested connection from same external IP to my local PC and everything works. I can access every local resource except that one VPN host.

  • PeterUK
    PeterUK Posts: 2,730  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited June 2023
    Options

    Change VPN IP subnet/range to not overlap

    unless I read what your trying to do wrong? you can't have from the same source IP to go to the same port under one WAN IP.

    like you can;t do this

    source IP 2.2.2.2 USG WAN 3.3.3.3 forward to LAN1 192.168.0.2 port 80

    source IP 2.2.2.2 USG WAN 3.3.3.3 forward down VPN 192.168.10.2 port 80

  • andrew8891821
    Options

    I know I can't forward same source IP to 2 different hosts.
    My LAN subnet is 192.168.120.0, my VPN remote host is 192.168.200.80. VPN connection policies are set like that: local - LAN_subnet, remote: 192.168.200.80. I have access from any PC in LAN subnet to VPN host 192.168.200.80. What I need to do is give access to that resource to one PC from outside. E.g. PC X with public IP X.X.X.X can connect VPN host 192.168.200.80 by accessing my Zyxel WAN_IP:VPN-HOST_PORT. I also still need to have access to that VPN host from LAN subnet. I hope now everything is clear. Thanks.

  • PeterUK
    PeterUK Posts: 2,730  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    So your VPN local policy is set with 192.168.120.0 ? you need to set it to 0.0.0.0 and in VPN gateway domain name /IPv4 0.0.0.0

    I think thats the problem and why the NAT rule didn't work I tested with VPN local policy WAN IP and VPN gateway as WAN interface.

  • andrew8891821
    Options

    Yes, my VPN local policy is set with 192.168.120.0. My VPN gateway domain name is IPv4 0.0.0.0.
    When I change VPN local policy for something else than LAN subnet I can't establish connection at all - dial timeout. Is it possible that my VPN provider somehow blocked connection from outside my LAN? If so - is it possible to bypass that?

  • PeterUK
    PeterUK Posts: 2,730  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    can you set it like this

  • andrew8891821
    Options

    When I set local policy like this, connection with VPN drops and I receive dial timeout warning message. I can't connect until I change local policy back to LAN_Interface subnet.

Security Highlight