L2TP IPSEC VPN client can not access LAN resource when uncheck default gateway
Dear all,
I have successfully created an L2TP VPN for our client, with no issues. But because of internet speed concerns, I want my client to use their own internet connection.
When I set up the client with "default gateway" unchecked, they cannot access the resources inside the office LAN.
Can you guide me on which configuration I should make? I am using a USG20-VPN.
0
Best Answers
-
@DevyA
Regarding this case,
do not just uncheck 'Use default gateway on remote network'.
You need to manually add a route to the tunnel interface:
1. Check the interface name of the VPN with the command 'ifconfig'
2. Add the route:
route add <destination subnet> mask <subnet mask> <client's L2TP IP>
example:
3. Verify the routing table:
netstat -r
Charlie
5 -
@DevyA,
What I know is that Microsoft provides a tool, the Connection Manager Administration Kit (CMAK), for mass VPN client installation, including the route settings.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd672646(v=ws.10)
You can search Google for the keyword "CMAK L2TP over ipsec" to find more articles on how to do it.
To prepare a route file, include the route command in the file.
Here is an example that adds a route to 192.168.2.0/24 through the VPN interface:
ADD 192.168.2.0 MASK 255.255.255.0 default METRIC default IF default
5
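
On Windows clients the route can also be bound to the VPN connection itself rather than to the client's L2TP IP, so it still applies when the client gets a dynamic address from the pool. The script below is an added example using the built-in VpnClient cmdlets, not something posted in this thread or published by Zyxel; the connection name Office-L2TP is an assumption, and 192.168.2.0/24 is the subnet from the route file example above.

```powershell
# Added example: split-tunnel routes attached to an existing Windows VPN connection.
# Assumption: the L2TP connection already exists and is named "Office-L2TP" (hypothetical).
$ConnectionName = 'Office-L2TP'
# Office subnets that must go through the tunnel. Keep this list as narrow as possible:
# everything not listed here leaves through the user's own internet connection.
$OfficeSubnets  = @('192.168.2.0/24')

$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# Same effect as unchecking "Use default gateway on remote network".
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

foreach ($prefix in $OfficeSubnets) {
    # A default route here would silently turn the split tunnel back into a full tunnel.
    if ($prefix -match '/0$') {
        throw "Refusing to add default route '$prefix' to a split-tunnel connection."
    }

    # Skip prefixes that are already attached, so the script can be re-run safely.
    $existing = $vpn.Routes | Where-Object { $_.DestinationPrefix -eq $prefix }
    if (-not $existing) {
        # The route is stored with the connection and installed each time it is dialed,
        # so it does not depend on which pool address the client receives.
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}

# Show what is now attached to the connection.
$after = Get-VpnConnection -Name $ConnectionName
"SplitTunneling: $($after.SplitTunneling)"
$after.Routes | Format-Table DestinationPrefix, RouteMetric -AutoSize
```

After the next connect, `netstat -r` on the client should list 192.168.2.0 via the VPN interface while the default route stays on the local gateway.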
All Replies
-
@DevyA,
Here is a configuration guide you can reference:
https://support.zyxel.eu/hc/en-us/articles/360001121480-L2TP-Over-IPSEC-VPN-Split-Tunneling
1 -
Ian31 said:
@DevyA,
Here is a configuration guide you can reference:
https://support.zyxel.eu/hc/en-us/articles/360001121480-L2TP-Over-IPSEC-VPN-Split-Tunneling

Hi Ian31,
Thanks for your info, I will try setting up my firewall first.
Yes, it works. Thank you.
But I have a small issue here. I cannot ask my users to do this route add, right?
Is there any setting that could be done on the firewall side to make it route automatically?
0 -
Zyxel_Charlie said:
@DevyA
Regarding this case,
do not just uncheck 'Use default gateway on remote network'.
You need to manually add a route to the tunnel interface:
1. Check the interface name of the VPN with the command 'ifconfig'
2. Add the route:
route add <destination subnet> mask <subnet mask> <client's L2TP IP>
example:
3. Verify the routing table:
netstat -r
Charlie

Yes, I understand the route add, but I cannot ask my users to add this route every time they connect to the VPN, right?
What's more, they will get a dynamic IP from the VPN IP address range.
Is there any setting in the USG20-VPN to make this happen without us needing to make changes on the client side?
Best Regards,
Devy
0 -
I think this is the native behavior of the operating system. In this case, the VPN server's role is merely to provide the service. How the clients (operating system) will implement this service is not decided by the server.
1
-
Dear @Ian31, @Zyxel_Charlie, @Blabababa,
Thank you so much for all your replies.
Maybe this will solve my issue in the meantime, because my users are still under 10.
I'm not sure about later, if my number of users grows bigger...
Best Regards,
Devy
0 -
I found a definitive solution here; it does not require client-computer foolishness.
WORKS EXACTLY LIKE WE WANT IT TO

How to let L2TP clients surf via USG
https://support.zyxel.eu/hc/en-us/articles/360001390454-How-to-let-L2TP-clients-surf-via-USG

When configuring L2TP VPN, you often would like to pass the VPN clients' traffic through the USG. This tutorial will show you how to do so in no time!
Walkthrough Steps:
1. Access your device by entering its IP address in the browser address line and log in using the device's credentials
2. Have an already working L2TP VPN connection set up: How to use the VPN Setup Wizard to create a L2TP VPN on the ZyWALL/USG
3. Navigate to Configuration > Network > Routing > Policy Route
4. Add a new route, where Incoming is the L2TP-Tunnel, the source is the L2TP_POOL and Next Hop is WAN1 with SNAT as outgoing-interface
0