Protocol 50 problem with windows 11 L2TP/IPsec

PeterUK

Zywall 110 V4.73(AAAA.2)

The settings for the VPN are fine you reboot Zywall then just have windows 11 connect to the VPN which fails I see port 500 happen then Protocol 50 go to Zywall but nothing back.

If I connect the PC to 4G to connect to the VPN by NAT so UDP 4500 it connects fine then connect by wifi again like before this can then sometimes make the VPN with Protocol 50 connects fine.

update

Guess a change to the VPN server role in firmware up dates has caused this and that my setup is done different to most as I have a USG60W do wifi but a I route it to the Zywall 110 on its OPT port to then do SNAT OPT next hop OPT.

Here is a capture and I think the control message UDP 1701 is not mean to the seen and should go down VPN but instead Zywall sends it out to my ISP gateway Cisco MAC when it should go to Zyxel MAC.

when it works shows like this

setup

WJS

issue only on Win11 ? It may capture on firewall WAN to check if the ESP is reachable.

PeterUK

Like I show when it works it works just not after a reboot

Yes only windows 11 after a reboot of the Zywall 110 I'm willing to bet its due to the fix Zyxel did on V4.73(AAAA.2) and if I go back to V4.73(AAAA.1) all will be fine which will be my next test.

PeterUK

well I lost tried going back to V4.73(AAAA.1) same problem unless it goes back further?

So maybe this is a windows 11 bug not sending the right info? but I'm sure a tested late last night that when I did get the VPN working I rebooted the Zywall 110 and the VPN would not connect…. I try uninstalling some patches and see when it starts working.

PeterUK

Hmmm I think this is some kind of bug with Zyxel

So got the VPN working rebooted the Zywall

Waited 2mins after reboot then tried to connect to VPN it fails

Wait 5mins try again VPN connects fine

My windows 11 is in a VirtualBox for testing rebooted and sure enough VPN connects fine and in case windows remembers something I restore the snapshot and VPN connects fine again.

So its the Zywall that must be seeing the VPN fail then toggles to the right MAC?

WJS

internet traffic from usg60w will translate to zywall110 public IP which means there will the same addresses do the ike negotiate on zywall 110 wan interface ..

Maybe you need to use NAT loopback on zywall110 or use opt:X address as L2TP server IP.

PeterUK

There is no need for NAT loopback not sure why you say that like I said it work works when it works.

USG 60W links to OPT with WAN IP by virtual interface 192.168.254.1 traffic from subnet 192.168.252.0/255.255.254.0 is SNAT none to gateway 192.168.254.1 where the VPN server role is with the Zywall 110 static route 192.168.252.0/255.255.254.0 back to USG60W 192.168.254.2. On reboot of Zywall 110 a client to use the VPN from 192.168.252.0/255.255.254.0 connects to my WAN IP on OPT to Zywall 110 and fails then I wait 5mins then it connects fine.

I guess the problem could be when the client from 192.168.252.0/255.255.254.0 connects to the VPN by WAN IP and not 192.168.254.1 which causes this toggle for the VPN to work after 5mins?

So whats needed is the Zywall 110 to know if VPN is to ISP gateway or 192.168.254.2 gateway?

Zyxel_Kevin

Hi @PeterUK ,

Here is my topology:

USG60w:

WAN: 192.168.254.2 , LAN: 192.168.252.4 , Win11 Client: 192.168.252.10

(WAN connected to USG110's OPT), LAN to ANY will stay original addess no NAT.

USG110:

WAN1: public IP, OPT: another public IP, OPT:1 : 192.168.254.1.

(Traffic from 192.168.254.X to internet will send to WAN1)

But I can connect l2tp vpn without disconnecing issue. Could you share your configuration ?

Thank you

PeterUK

Cause was this routing rule:

incoming ZYWALL

service L2TP-UDP

next hop OPT

I can't remember why I added this rule but it was the cause and dose not seem to be needed any more.