"Full tunnel mode" missing from SSL VPN

mMontana

The device is a USG20W-VPN (now rebranded as USG Flex 50W), which started with a ZLD 4.x firmware.

It now has the latest available firmware, 5.37. It is working nicely as an L2TP gateway.

Tried to deploy SSL VPN with 4.0.5.0 client. I cannot connect; something is missing, IMVHO.

In this PDF, provided as a walkthrough from the firmware
https://us.v-cdn.net/6029482/uploads/WD42K6EACZJA/ssl-vpn-full-tunnel-mode-cr.pdf

it seems that I need to check a box called "Enable Network extension". Image from that PDF.

However, accessing the device, I have no checkbox with that option.

Nor into:
- already existing connection
- new connection
- using Firefox
- using Chrome
- after a refresh

So: how can I enable that option now?
When will it reappear?

For more troubleshooting: I can log in with an SSL-enabled user, I cannot connect using the client, and I receive no log reference for "errors" about username or whatsoever.
Also: no signaling from the client that the certificate is "unsafe".

All Replies

  • PeterUK
    edited January 17

    Maybe it is enabled by default?

    I can connect to my VPN300 SSLVPN with the 4.0.5.0 client fine without that option.

  • mMontana

    Thanks for your experience, however I don't have the same behaviour.

    Does your link for the VPN walkthrough provide the same PDF?

  • mMontana

    UP. And solution. Ish.

    What I did wrong: I input the wrong port into the SSLVPN tab (Configuration → VPN → SSL VPN → Global setting → SSL VPN Port).

    SecuExtender was not communicating with the SSL VPN daemon on the USG Flex 50; the missing certificate dialog (the certificate is stock) should have been a warning signal to me.
    After correcting the port number, I access the SSL VPN without issues.

    Unfortunately the PDF is still a bit misleading.

    What's missing as an option: network translation, like L2TP provides as destination NAT. That's a bit unfortunate.

    Last but not least: SecuExtender seems incapable of establishing a connection while Sophos Home is installed.

  • PeterUK

    Would seem outdated.

  • mMontana

    To say the least. It should be fine for ZLD 4.x firmware. But 5.x firmware was released… 2021/04/12 according to the release notes available here.

    https://download.zyxel.com/USG_FLEX_100/firmware/USG%20FLEX%20100_5.37(ABUH.1)C0_2.pdf

    Page 59.
    I mean it's a 32-month "whoops" interval. ;-)