What firewall rules are needed to allow L2TP over IPSEC from Windows 11

All Replies

  • PeterUK
    edited November 2023

    So I'm guessing you have two routers? One is 192.168.1.1, your first router, and 192.168.0.1 is the LAN of the Zyxel, with WAN2 connected to your first router? And your PC connects by VPN to the Zyxel?

    The Zyxel has a 192.168.1.1 subnet that you need to change.

  • VPN_Newbie

    Hi

    No, the remote PC (i.e. the one at home trying to connect via VPN) has a router 192.168.1.1

    The zyxel has public IPs from 2 different providers.

  • PeterUK

    In your VPN connection rule, what is the Related Settings zone listed as? Ipsec_VPN?

    Is the LAN routing rule at the top of the list?

  • VPN_Newbie

    If you mean the Members, that was created by the Wizard. I've only used the Wizard to create the VPN settings.

    And yes, it's the first of 2 routes

  • VPN_Newbie

    Just a reminder that if I turn off the firewall, everything works, so to me the issue is a firewall rule needs to be created to "allow" the traffic.

  • PeterUK
    edited November 2023

    If you do ping -t 192.168.0.11 from the remote PC, do you see logs of this?

    Just a reminder that if I turn off the firewall, everything works, so to me the issue is a firewall rule needs to be created to "allow" the traffic.

    …but you have a rule Ipsec_VPN to LAN1 which should do that…

  • VPN_Newbie

    Hi

    Thanks for your help so far, but now we're getting outside of my knowledge of the Zyxel. I'm going to have to read up on logging and how it works first to answer your question, because it looks like logging is disabled by default. I'll take a look tomorrow when I'm at work and report back.

    Thanks

  • PeterUK

    That's only if you want to email logging.

    The bit to look at is in Monitor > Log: use the Show Filter, put in destination address 192.168.0.11, and it should show up if blocked.

  • VPN_Newbie
    edited November 2023

    You've taught me something (else) new.

    Yes it's being blocked by the default rule.
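    The "blocked by the default rule" result above is what a first-match security policy produces when none of the explicit rules cover a flow. As an added example (not code from the thread, from Zyxel, or from either poster), the script below models that first-match evaluation against the flows an L2TP/IPsec client needs end to end: IKE (UDP 500), NAT-T (UDP 4500) and ESP to the firewall itself, the L2TP session (UDP 1701) arriving after IPsec decryption, and finally the client's ping into the LAN. The zone names (ZyWALL, WAN, IPSec_VPN, L2TP_VPN, LAN1), the rule names and the sample policy are constructed assumptions for illustration; which zone the decrypted client traffic is classified into on your unit is exactly what the log filter in the previous post tells you, so check it there before copying any rule.

```python
"""Added example, not part of the forum thread: simulate first-match
security policy evaluation for the flows an L2TP/IPsec client needs.

Zone names, rule names and the sample policies are constructed for
illustration and are not taken from the thread or from a real device.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Flow:
    name: str
    src_zone: str
    dst_zone: str
    proto: str      # "udp", "esp", "icmp", ...
    dst_port: int   # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # ANY or a zone name
    dst_zone: str
    proto: str      # ANY or a protocol
    dst_port: int   # 0 = any port
    action: str     # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (self.src_zone in (ANY, f.src_zone)
                and self.dst_zone in (ANY, f.dst_zone)
                and self.proto in (ANY, f.proto)
                and self.dst_port in (0, f.dst_port))


# Implicit last rule: anything no explicit rule allowed is dropped.
DEFAULT_RULE = Rule("default rule", ANY, ANY, ANY, 0, "deny")

# Flows an L2TP over IPsec client needs, in the order they happen.
# Phase 1 and ESP terminate on the firewall itself (assumed zone "ZyWALL");
# the L2TP session arrives from the IPsec zone once decrypted; the user's
# traffic is then assumed to come from a separate L2TP_VPN zone.
REQUIRED_FLOWS = [
    Flow("IKE to firewall", "WAN", "ZyWALL", "udp", 500),
    Flow("NAT-T to firewall", "WAN", "ZyWALL", "udp", 4500),
    Flow("ESP to firewall", "WAN", "ZyWALL", "esp", 0),
    Flow("L2TP inside the tunnel", "IPSec_VPN", "ZyWALL", "udp", 1701),
    Flow("client ping to LAN1 host", "L2TP_VPN", "LAN1", "icmp", 0),
]


def evaluate(policy: list[Rule], flow: Flow) -> Rule:
    """Return the first rule that matches the flow, else the default rule."""
    for rule in policy:
        if rule.matches(flow):
            return rule
    return DEFAULT_RULE


def blocked_flows(policy: list[Rule]) -> list[tuple[str, str]]:
    """(flow name, rule name) for every required flow that is not allowed."""
    blocked = []
    for flow in REQUIRED_FLOWS:
        hit = evaluate(policy, flow)
        if hit.action != "allow":
            blocked.append((flow.name, hit.name))
    return blocked


# Constructed policy: the tunnel itself is allowed and there is an
# IPSec_VPN -> LAN1 rule, but the client's traffic is classified into a
# different zone, so it falls through to the default rule.
SAMPLE_POLICY = [
    Rule("WAN_to_ZyWALL_IKE", "WAN", "ZyWALL", "udp", 500, "allow"),
    Rule("WAN_to_ZyWALL_NATT", "WAN", "ZyWALL", "udp", 4500, "allow"),
    Rule("WAN_to_ZyWALL_ESP", "WAN", "ZyWALL", "esp", 0, "allow"),
    Rule("IPSec_VPN_to_ZyWALL_L2TP", "IPSec_VPN", "ZyWALL", "udp", 1701, "allow"),
    Rule("IPSec_VPN_to_LAN1", "IPSec_VPN", "LAN1", ANY, 0, "allow"),
]

# Same policy with an explicit allow for the zone the client traffic uses.
FIXED_POLICY = SAMPLE_POLICY + [
    Rule("L2TP_VPN_to_LAN1", "L2TP_VPN", "LAN1", ANY, 0, "allow"),
]

if __name__ == "__main__":
    for label, policy in (("sample", SAMPLE_POLICY), ("fixed", FIXED_POLICY)):
        print(f"{label}: blocked = {blocked_flows(policy)}")
```

    Running it prints that only the "client ping to LAN1 host" flow hits the default rule under the sample policy and nothing is blocked once the extra rule is added. The model is deliberately stateless: a firewall that tracks sessions only needs the forward direction allowed, so no LAN1 to L2TP_VPN rule is included for the ping replies.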

  • VPN_Newbie

    Out of interest, I tried creating an explicit rule from 192.168.50.1 to LAN1 and vice versa, the ping now no longer appears in the logs, but still doesn't get through.
