SSL VPN

Ricky

I have set up SSL VPN and as a user I can connect. However, the client is not getting a IP address from the Zyxel 110. the Firewall LAN1 IP scope is 192.168.11.1 - .254 , with a DHCP range of 192.168.11.10 - .254. When a SSL VPN client connects it shows connected, how the IP address given is 192.168.11.0 .... and nothing from the DHCP range. I am using SSL VPN client v4.0.3.0 and the firmware on the Firewall is v.4.33 (AAAA.0).

Ricky

Disregard, I figured out the issue. The SSL VPN requires an assigned IP pool that is not on the local LAN1 scope.   I created a Virtual Scope under LAN1 and then added that as a RANGE in Object/Addresses.  once that was done I connected back the the SSLVPN and was handed out an IP within the Virtual Scope and life was good. 

Zyxel_Stanley

Hi @Ricky  

The VPN (SSL VPN/L2TP VPN) pool can’t overlap to other interfaces, otherwise the traffic unable pass into VPN tunnel successfully.

It’s good hard you found the reason of it.  

DACataldo

I have a similar issue where the vpn connects and i get 192.168.201.100 and the server is 192.168.200.1 but I keep getting an ACCESS BLOCK in the log when 201.100 tries to talk to 200.1. What is the issue, please?

Zyxel_Kevin

Hi @DACataldo ,

Greeting Forum, the default Network Extension Local IP is also 192.168.200.1. It should not overlap with your local subnet.

Please kindly change IP from 192.168.200.1 to anther one. Thanks

DACataldo

Thank you for your reply. My global setting looks like yours. My subnet is 201 not 200 in the VPN config - do you mean like this?

Thank you so much!

Zyxel_Kevin

Hi @DACataldo ,

Yes , I means replace the global extension IP from 192.168.200.1 to 192.168.X.X which is not used in your subnet.
Address 192.168.200.1 is the same as your DNS server

DACataldo

Thank you for helping. Now it gives me access to the WINS server (10.10.1.14) and also the internet. Still blocking everything else on the 10.10.1.0/24 network though. They get blocked by the default rule. What rule am I missing? Perhaps I should pay for Zycel advice? What is the correct Zyxel phone number that I am supposed to call to pay for someone to fix this for me? Thank you.

Zyxel_Kevin

Hi @DACataldo ,

Please kindly check :

1)You have correct Zone for SSL VPN settings

2)You have default policy From SSLVPN zone to any

If the issue persist we can have remote session at 08:00~17:00 (UTC+8) . Thank you

DACataldo

Thank you again for your response! Here is my SSL VPN policy and below that are my security policies:

It seems to have access to a couple IP addresses on 10.10.1.0/24 and no access to most of that network. And I am using SecuExtender 4.0.4.0 - should I be using 4.0.3.0?

Thank you again!

Dave

Zyxel_Kevin

Hi @DACataldo ,

Could you provide remote GUI access for us.

I sent you my public IP by private message. You may only allow those for access.