ATP IPSec VPN

NEP
NEP Posts: 61  Ally Member

Hello,

I'm currently testing an IPSec VPN on our ATP. It's working correctly when connected outside the company. However, it does not work if we are connected to the internal Wi-Fi and I'm not sure why. The SSL VPN (also Zyxel) that we have been using (not set up by me) works internally. We also have a Site-to-Site VPN (which is IPSec) and that configuration is fairly close to that of the IPSec one. The plan is to allow people to leave the VPN turned on, as some users rove in and out of the building.

Anyway, I'm not sure what information to provide, so please ask and I'll pass along what I can. Quick overview: certificate is installed (as the WAN IP), using Remote Access (Server Role), Gateway is set to our WAN interface, Local Policy is our main LAN subnet, IP pool is separate from all other subnets, DNS servers are set to the main ones (on a different subnet), the Zone is the same as the SSL VPN, and "Allow Traffic Through WAN Zone" is unchecked.

Side question: what is that last option? I looked it up, and checked seems to indicate that it will be a Full Tunnel passing all traffic through it. Is that all?

Thanks for your time!

All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,446  Zyxel Employee

    Hi @NEP,

    Could you please provide the VPN event log?

    Regarding Full tunnel mode, it means all traffic will be forwarded to the remote VPN gateway, operating on a default-route concept.

  • PeterUK
    PeterUK Posts: 2,704  Guru Member

    You likely have the VPN gateway set to a WAN interface. You can set this to Domain Name / IPv4 0.0.0.0 for all interfaces, with local policy 0.0.0.0.

  • NEP
    NEP Posts: 61  Ally Member
    edited December 2023

    @Zyxel_Cooldia I don't know what the VPN event log is. Looked in View Log and the only Category for VPN is "VPN Dashboard". That doesn't have any information. The only log entry I see is "User user(MAC=) from eap-cfg has logged in/out Device" and only when not on Wi-Fi. Does that mean some logging is turned off? In Log Settings, IKE is disabled but IPSec is set to normal. Thanks for the Full Tunnel clarification, that is what I was thinking.

    @PeterUK You may be on to something. The VPN Gateway is set to ge6 (WAN zone) and showing "0.0.0.0, 0.0.0.0" after it. The Local Policy is set to Interface Subnet (specifically that of our LAN). Are you saying that this should be set to 0.0.0.0 somehow? How is that done? Just create an object with 0.0.0.0 and assign it? What does this do exactly? Is it simply defaulting to the firewall for routing when the packets come in?

  • PeterUK
    PeterUK Posts: 2,704  Guru Member

    Yes, an object with 0.0.0.0 just means all and any interface.

  • NEP
    NEP Posts: 61  Ally Member

    Pretty sure I followed what you said. Here is what it looks like now. This does not work without the Wi-Fi off either. The phone simply shows "VPN Connecting…" and a loading spinner.

  • PeterUK
    PeterUK Posts: 2,704  Guru Member

    You also need to set Domain Name / IPv4 in VPN gateway

  • NEP
    NEP Posts: 61  Ally Member

    That is where the VPN Gateway "RemoteAccess_Wi" points to. It's the next tab over in the UI. Unless we are talking about different things, the config page looks exactly like what you posted.

  • PeterUK
    PeterUK Posts: 2,704  Guru Member

    You should be able to connect from WAN to Zywall and LAN to Zywall now...

    Do you have a policy to allow the VPN to Zywall?

    You might need to change the Local ID type in the VPN gateway to DNS, with the content being your DNS name, but on the LAN side have that DNS name point to the LAN gateway IP.

  • PeterUK
    PeterUK Posts: 2,704  Guru Member

    But it should work with Local ID type IPv4, content 0.0.0.0.
