What firewall rules are needed to allow L2TP over IPSEC from Windows 11

PeterUK

So I'm guessing you have two routers? one is 192.168.1.1 your first router and 192.168.0.1 is the LAN of the Zyxel with WAN2 to your first router? and your PC VPN to Zyxel?

the Zyxel has a 192.168.1.1 subnet that you need to change

VPN_Newbie

Hi

No, the remote PC (i.e. the one at home trying to connect via VPN) has a router 192.168.1.1

The zyxel has public IPs from 2 different providers.

PeterUK

In your VPN connection rule what is the Related Settings zone list as? Ipsec_VPN

is the LAN routeing rule top of the list?

VPN_Newbie

If you mean the Members, that was created by the Wizard. I've only used the Wizard to create the VPN settings.

And yes, it's the first of 2 routes

VPN_Newbie

Just a reminder that if I turn off the firewall, everything works, so to me the issue is a firewall rule needs to be created to "allow" the traffic.

PeterUK

If you do ping -t 192.168.0.11 from the remote PC do you see logs of this?

Just a reminder that if I turn off the firewall, everything works, so to me the issue is a firewall rule needs to be created to "allow" the traffic.

…but you have a rule Ipsec_VPN to LAN1 which should do that…

VPN_Newbie

Hi

Thanks for your help so far, but now we're getting outside of my knowledge of the Zyxel, I'm going to have to read up on logging and how it works first to answer your question, because it looks like logging is disabled by default. I'll take a look tomorrow when I'm at work and report back.

Thanks

PeterUK

Thats only if you want to Email logging

The bit to look at is in monitor > log use the show filter put in destination address 192.168.0.11 should show up if blocked

VPN_Newbie

You've taught me something (else) new.

Yes it's being blocked by the default rule.

VPN_Newbie

Out of interest, I tried creating an explicit rule from 192.168.50.1 to LAN1 and vice versa, the ping now no longer appears in the logs, but still doesn't get through.