SecuExtender for Windows fails to obtain IP address from USG-20

easttn Posts: 5  Freshman Member
edited April 2021 in Security
firmware 4.32

Windows 10 1803

Just got a new HP Spectre x360 15 laptop a few days ago, with all available Windows Updates installed, except unclear why it hasn't updated to 1809.

L2TP/IPSec VPN connection to my office functions normally after changing security on the adapter to PAP from CHAP-2 as per a post I found from Zyxel.

SecuExtender installs without problems, also connects, but the VPN tunnel is unusable, as the TAP adapter used by SecuExtender doesn't receive an IP from the USG-20. The IP listed for the TAP connector is an autoconfiguration IP.

I had successfully configured both types of VPN connections last year with a MacBook Pro 15, but stopped using the Mac OS SSL client, which was not free like the Windows client. I still have the Mac at home, but haven't retested it with the Mac SSL client, as the trial period has expired.

No changes to either VPN configuration have been made since the initial configuration. 

One of my employees will need VPN access as well, using a Windows 10 laptop, and I want them to use the SSL VPN. 

I saw a similar post from 11-29-2018, where you sent them newer firmware by private message. They haven't yet responded whether the problem was resolved with the new firmware.

No new firmware comes up with Check Now under Firmware Management on the USG-20.



All Replies

  • easttn

    Worked first try.

    The SSL VPN was configured for a range rather than subnet. 

    Created a subnet consisting of the previous range, changed the Selected Address Objects to the subnet object from the prior range object, and everything seems to work.

    The TAP adapter has an IP address on the VPN subnet, with the USG-20 as the DNS server.  I can log on to the USG-20 as an admin using its local IP address, ping the USG-20 and our main server, RDP into our server (still have to use its IP address rather than NETBIOS name). 

    Am also embarrassed, as the last paragraph in the Release Notes didn't register when I RTFM, but now makes sense:

    Known Issue  If user set IP Range for SSL VPN on USG/ATP, PC cannot get IP. Please use with ZLD4.32P1.  [Workaround] Used Host or Subnet. 
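The workaround in the reply above replaces a range address object with a subnet object. The following is an added example, not part of the original thread or any Zyxel tooling: it shows how an inclusive IPv4 range maps onto subnets, and whether one subnet can represent it without pulling in extra addresses. The function name and all addresses are assumptions made up for illustration; the thread does not give the actual range.

```python
import ipaddress


def range_to_subnet_plan(first, last):
    """Describe how an inclusive IPv4 range maps onto subnet objects (hypothetical helper)."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if start > end:
        raise ValueError("range start is above range end")

    # Exact cover: the minimal list of CIDR blocks holding precisely the range.
    exact = list(ipaddress.summarize_address_range(start, end))

    # Smallest single subnet containing the whole range:
    # widen the prefix one bit at a time until the last address fits.
    enclosing = ipaddress.ip_network(f"{start}/32")
    while end not in enclosing:
        enclosing = enclosing.supernet()

    in_range = int(end) - int(start) + 1
    return {
        "exact_subnets": [str(n) for n in exact],
        "single_subnet": str(enclosing),
        "netmask": str(enclosing.netmask),
        # Addresses the single subnet adds beyond the old range.
        "extra_addresses": enclosing.num_addresses - in_range,
        # True when the old range is already exactly one subnet.
        "aligned": len(exact) == 1,
    }


if __name__ == "__main__":
    # Constructed sample ranges, not taken from the thread.
    for first, last in [("192.168.200.1", "192.168.200.50"),
                        ("192.168.200.64", "192.168.200.127")]:
        print(first, "-", last, "=>", range_to_subnet_plan(first, last))
```

When `aligned` is false, the single enclosing subnet hands VPN clients a wider pool than the old range did, so check the extra addresses against what is already in use on the LAN before switching the address object.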
