What firewall rules are needed to allow L2TP over IPSEC from Windows 11

Options
VPN_Newbie
VPN_Newbie Posts: 14  Freshman Member
10 Comments
edited November 2023 in Security

Hi

I have a USG60 configured to allow VPN connections from Windows 11 via WAN2. All is fine until I enable the Security Policy Control, i.e. I turn on the firewall. What firewall rules are needed to allow the VPN to connect.

*I did have to create a pair of routing policies to allow me to browse the local LAN and internet which I've attached below.

Thanks

«13

All Replies

  • PeterUK
    PeterUK Posts: 2,758  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    WAN to Zywall

    UDP 500

    UDP 4500

    UDP 1701

    protocol 50

    VPN zone Ipsec_VPN to Zywall

    UDP 500

    UDP 4500

    UDP 1701

    protocol 50

  • VPN_Newbie
    VPN_Newbie Posts: 14  Freshman Member
    10 Comments
    Options

    Hi

    Partial success. The VPN now connects, but no traffic can pass through. I'm guessing I need another rule to allow traffic to pass. I've tried the following.

  • PeterUK
    PeterUK Posts: 2,758  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited November 2023
    Options

    So you should be able to ping the LAN over the VPN?

    Are you looking for the VPN to do internet? Or just to LAN?

    Disable them routing rules and make these.

    For LAN

    incoming VPN tunnel

    destination LAN subnet

    next hop auto

    For internet over the VPN below the rule above you need

    incoming VPN tunnel

    next hop WAN

  • VPN_Newbie
    VPN_Newbie Posts: 14  Freshman Member
    10 Comments
    Options

    Hi

    I'm not able to ping the Zyxel in the current config, or any IP on the LAN.

    I'll have a go of your suggestions above.

  • PeterUK
    PeterUK Posts: 2,758  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    just to add

    For LAN

    incoming VPN tunnel

    destination LAN subnet

    SNAT none

  • VPN_Newbie
    VPN_Newbie Posts: 14  Freshman Member
    10 Comments
    edited November 2023
    Options

    Hi

    It didn't work. I still can't ping the Zyxel or anything on the LAN.

    I've attached the policy below.

  • PeterUK
    PeterUK Posts: 2,758  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited November 2023
    Options

    Can you go to maintenance > diagnostic > network tools > PING IPv4 to a device on your LAN if no ping its a firewall on that device thats blocking it

    Also check the zone of the VPN settings is the right one

    and is the IP pool of the VPN not in use by other interfaces?

  • VPN_Newbie
    VPN_Newbie Posts: 14  Freshman Member
    10 Comments
    Options

    For some reason, when I post the result of the ping, it gets blocked, but not if I post a picture of it.

  • VPN_Newbie
    VPN_Newbie Posts: 14  Freshman Member
    10 Comments
    Options
  • VPN_Newbie
    VPN_Newbie Posts: 14  Freshman Member
    10 Comments
    Options

Security Highlight