"Full tunnel mode" missing from SSL VPN

Options
mMontana
mMontana Posts: 1,320  Guru Member
First Anniversary 10 Comments Friend Collector First Answer
in Security

Device is USG20W-VPN (now rebranded as USG Flex 50W), started with a ZLD 4.x firmware.

Now has latest available firmware, 5.37. Is working nice as L2TP gateway.

Tried to deploy SSL VPN with 4.0.5.0 client. I cannot connect; something is missing, IMVHO.

On this PDF, provided as walkthrougth from the firmware
https://us.v-cdn.net/6029482/uploads/WD42K6EACZJA/ssl-vpn-full-tunnel-mode-cr.pdf

seems that I need to check a box called "Enable Network extension". Image from that PDF.

Manual.PNG

however, accessing to the device, i have no checkbox with that option.

Device.png

Nor into
-already existing connection
-new connection
-using firefox
-using chrome
-after a refresh

So: how can I enable that option now?
When it will reappear?

For more troubleshooting: i can login with an SSL-enabled user, i cannot connect using the client and i receive no log reference for "errors" about username or whatsoever.
Also: no signaling from the client that the certificate is "unsafe".

All Replies

  • PeterUK
    PeterUK Posts: 2,802  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited January 17
    Options

    Maybe it enabled by default?

    I can connect to my VPN300 SSLVPN with 4.0.5.0 client fine without that option

  • mMontana
    mMontana Posts: 1,320  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Thanks for your experience, however I don't have the same behaviour.

    Your link for VPN walkthrough provide the same PDF?

  • mMontana
    mMontana Posts: 1,320  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    UP. And solution. Ish.

    What I did wrong: input the wrong port into SSLVPN tab (Configuration → VPN → SSL VPN → Global setting → SSL VPN Port)

    SecuExtender was not communicating to SSL VPN Daemon on USG Flex 50, missing dialog of the certificate (is stock) should have triggered warning signal to me.
    After correcting port number, I access without issues to SSL VPN.

    Unfortunately PDF is still a bit misleading.

    What's missing as option: network translation, like L2TP provides as destination NAT. That's a bit unfortunate.

    Last but not least: SecuExtender seems uncapable to establish a connection while Sophos home is installed.

  • PeterUK
    PeterUK Posts: 2,802  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    would seem out dated

  • mMontana
    mMontana Posts: 1,320  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    To say the least. Should be fine for ZLD 4.x firmwares. But 5.x firmware were released… 2021/04/12 according to release notes available here.

    https://download.zyxel.com/USG_FLEX_100/firmware/USG%20FLEX%20100_5.37(ABUH.1)C0_2.pdf

    Page 59.
    I mean it's a 32 months "whopps" interval. ;-)

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)