L2TP IPSEC VPN client can not access LAN resource when uncheck default gateway

Options
DevyA
DevyA Posts: 4
First Anniversary Friend Collector First Comment
edited April 2021 in Security
Dear all,

I have successfully created L2TP VPN for our client, with no issue. But because of internet speed concern, i want my client to run their own internet connection. 
When i m setting the client with unchecking the "default gateway" , they can not access the resource inside the OFFICE LAN.
Can help me to guide which configuration should i make, i am using USG20-VPN.
 

Best Answers

All Replies

  • Ian31
    Ian31 Posts: 167  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
  • DevyA
    DevyA Posts: 4
    First Anniversary Friend Collector First Comment
    edited January 2019
    Options
    Ian31 said:
    Hi lan31,

    Thanks for you info, i will try to setting my firewall first.
    Yes, it's works. Thank you.

    But i have a bit issue here. I can not ask my users to do this route add, right ?
    is there any setting could be done on the Firewall site , to make it auto route ?

  • DevyA
    DevyA Posts: 4
    First Anniversary Friend Collector First Comment
    Options
    @DevyA
    Regarding to this case,

    Not just un-check the 'Use default gateway on remote network' .
    You need manual add route to the tunnel interface,
    1. Check the interface name of vpn by command 'ifconfig'
    2. Add route,
    route add <destination subnet> mask <subnet mask> Client's L2TP IP
    example:

    3. Verify the routing table
    netstat -r
    Charlie

    Yes i am understand the route add, but i can not ask my user to add this route every time they vpn right ?
    And some more they will get dynamic IP from vpn ip address ranges.

    Is there any setting in USG20-VPN , to make it happened, without we need to changes at client side ?

    Best Regards,

    Devy
  • Blabababa
    Blabababa Posts: 151  Master Member
    First Anniversary Friend Collector First Answer First Comment
    Options
    I think this is the native behavior of the operating system. In this case, the vpn server's role is merely to provide the service. How the clients(operating system) will implement this service is not decided by the server. 
  • DevyA
    DevyA Posts: 4
    First Anniversary Friend Collector First Comment
    Options
    Dear @lan31,@Zyxel_Charlie , @Blabababa

    Thank you so much for all your replay. 
    Maybe meanwhile this will solved my issue. coz my user still under 10. 
    i m not sure later if my user will grow bigger...


    Best Regards,

    Devy

  • RickyC
    Options
    I found a definitive solution here, does not require client-computer foolishness.
    WORKS EXACTLY LIKE WE WANT IT TO

    How to let L2TP clients surf via USG

    https://support.zyxel.eu/hc/en-us/articles/360001390454-How-to-let-L2TP-clients-surf-via-USG




    When configuring L2TP VPN, you often would like to pass the VPN clients traffic through the USG. This tutorial will show you how to do so in no-time!

     

    Walkthrough Steps:

    1. Access your device by entering it's IP address in the browser address line and login by using the device’s credential
    2. Have an already working L2TP VPN connection set up:

    How to use the VPN Setup Wizard to create a L2TP VPN on the ZyWALL/USG

    3. Navigate to Configuration > Network > Routing > Policy Route
    4. Add a new route, where Incoming is the L2TP-Tunnel, the source is the L2TP_POOL and Next Hop is WAN1 with SNAT as outgoing-interface


Security Highlight