I can't configure the Zywall VPN 300 for VPN L2TP

Andrei_Mazilu
Andrei_Mazilu Posts: 9  Freshman Member
First Comment
edited April 2021 in Security
Hi guys 
I'm trying to configure the VPN L2TP over IPSEC for my Firewall and after doing all of the steps i still can't connect to the remote network. I configured exactly like in the walkthrough and still nothing. My configuration is behind a router. I have a router and then is the Firewall and i would like to connect to my LAN. My question is do i need a DHCP server because it will be for 15 users or the Firewall will give from the range that is set up? Do i need to make some rule on NAT to give access ? I have a Synology NAS and i use it as a VPN server also and works but i made a rule in the NAT to send the traffic to the NAS and from there is doing his thing and everything works but i want to not use the NAS and do it from Firewall. Thanks

Accepted Solution

«1

All Replies

  • jonatan
    jonatan Posts: 184  Master Member
    5 Answers First Comment Friend Collector Seventh Anniversary
    edited May 2019
    Hi, is the l2tp tunnel rising? Show the network plan.


  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @Andrei_Mazilu  

    As your description, VPN300 is behind a router.

    So the router have to forward the IKE traffic to VPN300.

    You can reference to FAQ to realize this requirement.

    https://businessforum.zyxel.com/discussion/675/how-do-i-configure-the-zywall-for-a-l2tp-server-behind-nat#latest

     Can you also share firmware version is working on your VPN300?

  • Andrei_Mazilu
    Andrei_Mazilu Posts: 9  Freshman Member
    First Comment
    edited May 2019
    Thanks for the answers. I have already a VPN server but is on a Synology NAS and i think the Router  is fowarding IKE traffic. 
    My config is ROUTER(ISP) --->Firewall  ----> SWITCHES
    I've captured the traffic between client and VPN and i have a payload malformed. I've been trying with both mac and windows computers. On the Firewall end is everything like in the walkthrough configured and still nothing.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @Andrei_Mazilu  

    Is this your network topology?

    Router(ISP)------VPN300 or USG300(VPN server)-----switch------ Synology NAS?


    If it is not, please describe your topology more detail and make IP addresses in it.

    In your description the VPN tunnel is working when Synology NAS is a VPN server.

    What did you do in ISP router and USG300?

  • Andrei_Mazilu
    Andrei_Mazilu Posts: 9  Freshman Member
    First Comment
    Yes that's  my topology and works for VPN Server on the Synology. I've opened the ports that L2TP needs and everything works for the NAS Server.


  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @Andrei_Mazilu

    As your requirement, if you would like to change L2TP server as USG300.

    Then you have to disable NAT(Port Forwarding) rule from USG300.

    The IKE packets will receive by USG300 and will not forwards to Synology NAS anymore.

    Then it should able fulfill your requirement.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @Andrei_Mazilu

    As your scenario ZyWALL is a private IP address ISP offered.

    So you have to add the port forwarding rule on ISP router first.

    On VPN300 VPN gateway, make sure your VPN proposal and key group is correct.



    In VPN connection, make sure local policy is the IP address that ISP provided.(The public IP address on ISP router) And make sure proposal is correct.


    In L2TP setting, the IP pool can not overlap to any interface IP subnet.

    Otherwise the traffic unable forward to client successfully. 

    You still can reference to FAQ, the scenario is the same as your requirement.

  • Andrei_Mazilu
    Andrei_Mazilu Posts: 9  Freshman Member
    First Comment
    edited May 2019
    Thanks for helping me.
    I have done everything like that including the NAT RULE
    Now i receive a proposal mismatch and the preshared key match both sides (Client and server) Maybe is the config that first must be DES and not 3DES? I'm trying to connect from mac and windows machines. How  is IPSec_VPN zone configured. IPSec_VPN on my side is the VPN Connection and i think it shouldn't be. Thanks in advance!
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @Andrei_Mazilu  

    You seems configured wrong setting….

    (1) The port forwarding rule should configured on ISP router but not VPN300.

    (2) Please double confirm if you select correct Key group in VPN Gateway. (phase 1).


Security Highlight