USG40 - VPN Traffic VPN2Internet/VPN2LAN and back

IWAT Posts: 11

Hi,
I set up an IKE VPN with my USG40. Establishing the VPN works well, but I don't get any internet or LAN access. In the logs it looks like the traffic goes through VPN2any, but nothing comes back, and I don't see any block in the log.
What could cause that error?

Br


All Replies

  • Zyxel_Emily Posts: 1,309  Zyxel Employee

    Hi @IWAT,

    Please send the startup-config.conf to me in private message. Thanks!

  • IWAT Posts: 11

    Hi Emily

    Thanks for your help, but the startup config contains my whole network with passwords.
    I would prefer to send you some screenshots instead.

    Br Iwat

  • Zyxel_Emily Posts: 1,309  Zyxel Employee

    Hi @IWAT,

    We will need the whole startup-config.conf to check whether all settings are correctly configured. Before sending the configuration file to me, you can remove this line from the configuration file:

    "username admin encrypted-password xxxxxx user-type admin"

  • PeterUK Posts: 2,856  Guru Member
    edited February 23

    Your WAN1 being a 192.168.x.x address is no need to hide, but when clients get 192.168.x.x over the VPN, does that not conflict with other subnets?

    You may need to SNAT VPN traffic out of the WAN by a routing rule, unless the router upstream of the USG40 has a static route for the VPN clients that get 192.168.x.x.

  • IWAT Posts: 11

    Hi Peter

    The DHCP from the USG is 192.168.2.20 - 192.168.2.200. The VPN usually gets a 192.168.60.xx address, therefore it shouldn't get any conflict. To test it I changed the VPN address to 192.168.2.25x, but the error is the same.

    Br Ivo

  • PeterUK Posts: 2,856  Guru Member
    edited February 27

    Keep VPN clients on another subnet so they do not conflict.

    Change Local policy to 0.0.0.0

    Make routing rule

    incoming VPN tunnel
    next hop WAN
    SNAT outgoing-interface

    Policy Control
    IPSec_VPN to WAN
    and IPSec_VPN to LAN1

    Note that access to a PC on LAN1 may be blocked by a firewall on that PC.
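
The subnet point in the replies above, as an added example that is not Zyxel code and not from the thread: a small Python check that tests a proposed VPN client pool against the firewall's local networks and distinguishes a clash with the DHCP scope from the subtler case of a pool that sits inside the LAN subnet but outside DHCP. The LAN values are taken from IWAT's post; the 192.168.2.250-254 test pool is a constructed stand-in for the "192.168.2.25x" range mentioned.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Range = Tuple[str, str]  # (first, last) address of a VPN pool or DHCP scope


@dataclass
class LocalNet:
    name: str
    subnet: str                   # CIDR of the interface, e.g. LAN1
    dhcp: Optional[Range] = None  # DHCP scope handed out on that interface


def _ranges_overlap(a: Range, b: Range) -> bool:
    a0, a1, b0, b1 = IPv4(a[0]), IPv4(a[1]), IPv4(b[0]), IPv4(b[1])
    return max(a0, b0) <= min(a1, b1)


def check_vpn_pool(pool: Range, nets: List[LocalNet]) -> List[str]:
    """Return one finding per local network the VPN pool collides with.
    An empty list means the pool is on its own subnet, as recommended above."""
    first, last = IPv4(pool[0]), IPv4(pool[1])
    if first > last:
        raise ValueError("pool first address is after last address")
    # Express the pool as CIDR blocks so subnet overlap can be tested directly.
    pool_blocks = list(ipaddress.summarize_address_range(first, last))
    findings = []
    for net in nets:
        subnet = ipaddress.IPv4Network(net.subnet)
        if not any(subnet.overlaps(block) for block in pool_blocks):
            continue  # disjoint from this network: no conflict
        if net.dhcp and _ranges_overlap(pool, net.dhcp):
            findings.append(f"{net.name}: VPN pool overlaps DHCP scope "
                            f"{net.dhcp[0]}-{net.dhcp[1]}; duplicate addresses likely")
        else:
            # Outside the DHCP scope but still inside the subnet: LAN hosts treat
            # such addresses as on-link and ARP for them instead of sending
            # replies to the gateway, so return traffic never reaches the tunnel.
            findings.append(f"{net.name}: VPN pool lies inside {subnet} "
                            f"although outside its DHCP scope")
    return findings


# Constructed from the values quoted in the thread.
LOCAL = [LocalNet("LAN1", "192.168.2.0/24", ("192.168.2.20", "192.168.2.200"))]

if __name__ == "__main__":
    for label, pool in [("own subnet", ("192.168.60.1", "192.168.60.254")),
                        ("LAN tail", ("192.168.2.250", "192.168.2.254")),
                        ("DHCP clash", ("192.168.2.100", "192.168.2.110"))]:
        print(label, check_vpn_pool(pool, LOCAL) or ["ok"])
```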

  • IWAT Posts: 11

    I have added the Routing rule, the Policy Control has already been created.
    But it is still not working.

  • IWAT Posts: 11

    I have no idea why, but it works now…
