ATP500 with IPSec VPN and VPN Tracker and search domains....

AlexandervonW Posts: 11  Freshman Member
edited September 19 in Security

Hi wizards,

I have the following problem. I have set up IPSec VPN for some macOS clients with VPN Tracker from equinux, using 2FA via e-mail. Everything is fine so far, except that the 2FA mails cannot be acknowledged because the connection to the firewall is somehow blocked.

Setup:

Because there is no way to get trusted certificates for LAN IPs, I have some servers which have trusted certificates for their FQDNs but only LAN IPs.

To reach these servers via IPSec VPN I use search domains, like xyzdomain.com, for the internal LAN, configured on the ATP500 as a pointer (server01.xyzdomain.com resolves to IP 192.168.1.10) and on a Microsoft WINS server, which is acting as a DNS (internal only).

The ATP500 also has an FQDN, e.g. "external.xyzdomain.com", and its own trusted certificate. This FQDN is also set up as the Authorize Link URL Address for the 2FA in VPN.

So, now the question.

If a client opens the IPSec VPN, it cannot reach the 2FA site on the ATP500. It is somehow blocked. All other traffic is possible. If I remove the search domain from the VPN config, the 2FA site of the firewall is accessible.

A telnet to the firewall's FQDN and its 2FA port shows the connection is somehow blocked. And the FQDN of the ATP500 is always resolved to the correct WAN IP, whether the VPN tunnel is active or not. But I cannot figure out where. The log is no help, there is no entry there.

Fun fact at the end: if I choose the interface WAN IP as Authorize Link URL Address in the 2FA config on the ATP500, the connection is possible, but of course the certificate is not trusted, and therefore useless.

Any help is highly appreciated.

Alexander

Best Answers

  • Zyxel_Melen Posts: 2,577  Zyxel Employee
    Answer ✓

    Hi @AlexandervonW,

    If a client opens the IPSec VPN, it cannot reach the 2FA site on the ATP500. It is somehow blocked. All other traffic is possible. If I remove the search domain from the VPN config, the 2FA site of the firewall is accessible.

    May I know what your configuration is? I wonder if this search domain causes this issue.

    Zyxel Melen


  • AlexandervW Posts: 7  Freshman Member
    Answer ✓

    Hi Melen,

    Yes, you are right, the domain is the problem. Which config do you need? But the question remains:

    Access to the 2FA site via the firewall FQDN = does not work!

    Access to the 2FA site via the firewall WAN IP = does work!

    Greetings

    Alexander
