ATP500 with IPSec VPN and VPN Tracker and search domains....
Hi wizards,
I have the following problem. I have set up IPSec VPN for some macOS clients with VPN Tracker from equinux, using 2FA via e-mail. Everything is fine so far, except that the 2FA mails cannot be acknowledged because the connection to the firewall is somehow blocked.
Setup:
Because trusted certificates cannot be obtained for LAN IPs, I have some servers which have trusted certificates for their FQDNs, but they have only LAN IPs.
To reach these servers via IPSec VPN I use search domains, like xyzdomain.com, for the internal LAN, configured on the ATP500 as a pointer (server01.xyzdomain.com resolves to IP 192.168.1.10) and on a Microsoft WINS server, which is acting as a DNS (internal only).
The ATP500 has an FQDN as well, e.g. "external.xyzdomain.com", and its own trusted certificate. This FQDN is also set up as the Authorize Link URL Address for the 2FA in VPN.
So, now the question.
If a client opens the IPSec VPN, it cannot reach the 2FA site on the ATP500. It is somehow blocked. All other traffic is possible. If I remove the search domain from the VPN config, the 2FA site of the firewall is accessible.
A telnet to the firewall's FQDN and its 2FA port shows the connection is somehow blocked. And the FQDN of the ATP500 is always resolved to the correct WAN IP, whether the VPN tunnel is active or not. But I cannot figure out where. The log is no help, there is no entry there.
Fun fact at the end: if I choose the interface WAN IP as Authorize Link URL Address in the 2FA config on the ATP500, the connection is possible, but of course the certificate is not trusted, therefore useless.
Any help is highly appreciated
Alexander
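The setup above pushes a search domain (xyzdomain.com) into the tunnel while the firewall's own 2FA link lives under that same domain. The check a practitioner would run here is whether the tunnel-scoped resolver still returns the public WAN address for the firewall FQDN, and whether that address would be routed through the tunnel. The following script is an added example, not code from the post or from Zyxel or equinux; it models a scoped resolver in memory with constructed zone data, and the WAN address 203.0.113.10 is a placeholder.

```python
"""Added example: model how a VPN-pushed search domain changes which DNS server
answers for the firewall's own FQDN, and check that the in-tunnel answer
matches the expected WAN address. Zone data below is constructed; hostnames
follow the post (xyzdomain.com, server01, external); 203.0.113.10 is a
placeholder WAN IP from the TEST-NET-3 documentation range."""

import ipaddress

# What a public resolver answers (constructed).
PUBLIC_DNS = {
    "external.xyzdomain.com": "203.0.113.10",
}

# Internal DNS as the tunnel sees it, authoritative for xyzdomain.com.
# Variant 1: only the LAN hosts are defined (constructed).
INTERNAL_DNS_MISSING = {
    "server01.xyzdomain.com": "192.168.1.10",
}
# Variant 2: the firewall's external name is pinned to its WAN IP (constructed).
INTERNAL_DNS_PINNED = {
    "server01.xyzdomain.com": "192.168.1.10",
    "external.xyzdomain.com": "203.0.113.10",
}


def in_domain(name, domain):
    """True when name equals domain or is a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def scoped_resolve(name, search_domains, internal_zone, public_zone):
    """Model of a scoped (split) resolver: a query for a name under a pushed
    search domain is sent only to the internal server; all other names go to
    the public resolver. Returns (answer_ip_or_None, server_used)."""
    for domain in search_domains:
        if in_domain(name, domain):
            return internal_zone.get(name), "internal"
    return public_zone.get(name), "public"


def check_firewall_fqdn(fqdn, expected_wan_ip, search_domains,
                        internal_zone, public_zone=PUBLIC_DNS):
    """Return 'ok' when the in-tunnel answer for the firewall FQDN equals the
    expected WAN IP; otherwise return a short finding describing the gap."""
    ip, server = scoped_resolve(fqdn, search_domains, internal_zone, public_zone)
    if ip is None:
        return f"NXDOMAIN from {server} DNS: {fqdn} has no record in that zone"
    if ip != expected_wan_ip:
        return f"mismatch from {server} DNS: {fqdn} -> {ip}, expected {expected_wan_ip}"
    return "ok"


def via_tunnel(ip, tunnel_networks):
    """True when ip falls inside one of the tunnel's remote networks, i.e. the
    client would send that traffic through the VPN rather than its default route."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in tunnel_networks)


if __name__ == "__main__":
    fqdn = "external.xyzdomain.com"
    for label, zone in (("internal zone without external record", INTERNAL_DNS_MISSING),
                        ("internal zone with external record pinned", INTERNAL_DNS_PINNED)):
        print(label, "->", check_firewall_fqdn(fqdn, "203.0.113.10", ["xyzdomain.com"], zone))
    print("WAN IP routed via tunnel:", via_tunnel("203.0.113.10", ["192.168.1.0/24"]))
```

The two findings this surfaces are the ones worth confirming on a real client: with the search domain active, the internal server becomes the only source of truth for every name under xyzdomain.com, so the firewall's external name must exist there with the WAN address, and the WAN address must sit outside the tunnel's remote networks so the 2FA request leaves via the normal default route.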
Best Answers
Hi @AlexandervonW,
If a client opens the IPSec VPN, it cannot reach the 2FA site on the ATP500. It is somehow blocked. All other traffic is possible. If I remove the search domain from the VPN config, the 2FA site of the firewall is accessible.
May I know what your configuration is? I wonder if this search domain causes this issue.
Zyxel Melen
Hi Melen,
yes, you are right, the domain is the problem. Which config do you need? But the question remains:
site to access 2FA via FQDN Firewall = does not work!
site to access 2FA via WAN IP Firewall = does work!
greetings
Alexander