What firewall rules are needed to allow L2TP over IPSEC from Windows 11

VPN_Newbie

Hi

I have a USG60 configured to allow VPN connections from Windows 11 via WAN2. All is fine until I enable the Security Policy Control, i.e. I turn on the firewall. What firewall rules are needed to allow the VPN to connect.

*I did have to create a pair of routing policies to allow me to browse the local LAN and internet which I've attached below.

Thanks

PeterUK

WAN to Zywall

UDP 500

UDP 4500

UDP 1701

protocol 50

VPN zone Ipsec_VPN to Zywall

UDP 500

UDP 4500

UDP 1701

protocol 50

VPN_Newbie

Hi

Partial success. The VPN now connects, but no traffic can pass through. I'm guessing I need another rule to allow traffic to pass. I've tried the following.

PeterUK

So you should be able to ping the LAN over the VPN?

Are you looking for the VPN to do internet? Or just to LAN?

Disable them routing rules and make these.

For LAN

incoming VPN tunnel

destination LAN subnet

next hop auto

For internet over the VPN below the rule above you need

incoming VPN tunnel

next hop WAN

VPN_Newbie

Hi

I'm not able to ping the Zyxel in the current config, or any IP on the LAN.

I'll have a go of your suggestions above.

PeterUK

just to add

For LAN

incoming VPN tunnel

destination LAN subnet

SNAT none

VPN_Newbie

Hi

It didn't work. I still can't ping the Zyxel or anything on the LAN.

I've attached the policy below.

PeterUK

Can you go to maintenance > diagnostic > network tools > PING IPv4 to a device on your LAN if no ping its a firewall on that device thats blocking it

Also check the zone of the VPN settings is the right one

and is the IP pool of the VPN not in use by other interfaces?

VPN_Newbie

For some reason, when I post the result of the ping, it gets blocked, but not if I post a picture of it.

VPN_Newbie

VPN_Newbie