Cannot remote manage USG20W-VPN after establishing SecuExtender connection

AllFlashGordon
AllFlashGordon Posts: 3
edited April 2021 in Security

Not sure what is going on with my system. I can establish a VPN connection with SecuExtender (and I also tried L2TP) and everything looked "connected". However, when I open a browser to the LAN IP of the USG20 (10.255.1.1), I am not able to log in, or even see a login screen. However, I am able to access the USG20 GUI by https:// to the real IP of the WAN (if I open the firewall for WWW to any - any - allow). I am running the latest code, and I have the SSL VPN rule to allow access to LAN1.


All Replies

  • PeterUK
    PeterUK Posts: 2,711  Guru Member

    Enable “Force all client traffic to enter SSL VPN tunnel” and it will work.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,450  Zyxel Employee

    Hi @AllFlashGordon

    Welcome to Zyxel Community 😎

    If it is still not working, you may check the security policy; it is supposed to have a rule from SSL VPN to ZyWall.

    When you access device Web GUI from SSL VPN, traffic goes to this rule.

    CONFIGURATION > Security Policy > Policy Control.


  • PeterUK
    PeterUK Posts: 2,711  Guru Member

    With “Force all client traffic to enter SSL VPN tunnel” enabled I have no rule from SSL_VPN to ZyWALL and I still get to the GUI.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,450  Zyxel Employee

    It could be that you have a firewall rule from Any to ZyWall, or the default rule is allow.

  • PeterUK
    PeterUK Posts: 2,711  Guru Member
    edited July 2019

    Nope, I don't have a rule from Any to ZyWall or a default rule of allow; it's set to deny.

    This might be a bug because “Force all client traffic to enter SSL VPN tunnel” is not doing that. I have the SSL VPN with range 192.168.139.1-192.168.139.14. The client, before connecting to the SSL VPN, is 192.168.255.193. When I go to https://192.168.255.202 with the SSL VPN connected, it does not go down the SSL VPN; it goes from 192.168.255.193 to 192.168.255.202.

    But shouldn't “Force all client traffic to enter SSL VPN tunnel” force 192.168.255.202 to go down the SSL VPN?

    Edit: Thinking about it more, this might not be a bug.
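
The behaviour described in the post above matches ordinary longest-prefix-match routing on the client, shown here as an added example that is not part of the original thread: a more specific on-link route beats the default route that a full-tunnel setting installs. The routing table, the interface names `sslvpn` and `lan`, and the /24 mask on the client's physical network are assumptions; the addresses are the ones quoted in the thread.

```python
import ipaddress

# Constructed client routing table (assumption): (destination prefix, interface).
# The /24 mask on the physical LAN is assumed; the thread gives only host addresses.
ROUTES = [
    ("0.0.0.0/0", "sslvpn"),         # default route installed by a full-tunnel VPN client
    ("192.168.139.0/28", "sslvpn"),  # covers the 192.168.139.1-14 SSL VPN pool
    ("192.168.255.0/24", "lan"),     # on-link route for the client's own subnet
]


def egress_interface(dst, routes=ROUTES):
    """Return (interface, prefix) chosen by longest-prefix match for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        # Keep the matching route with the longest prefix seen so far.
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[0], str(best[1])


def bypasses_tunnel(dst, tunnel_iface="sslvpn", routes=ROUTES):
    """True when traffic to dst leaves on an interface other than the tunnel."""
    return egress_interface(dst, routes)[0] != tunnel_iface


if __name__ == "__main__":
    for dst in ("192.168.255.202", "192.168.139.1", "10.255.1.1"):
        iface, prefix = egress_interface(dst)
        print(f"{dst:16} -> {iface:7} via {prefix}")
```

Comparing the client's real routing table against the firewall address being browsed to shows which zone the firewall will see the request arrive from, and therefore which security policy rule applies.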

  • PeterUK
    PeterUK Posts: 2,711  Guru Member

    Back to AllFlashGordon: if you have the SSL VPN with a range like 192.168.139.1-192.168.139.14, and when connected you enter https://192.168.139.1, with a rule from SSL_VPN to ZyWALL and WWW set to allow SSL_VPN, you can log in.

  • AllFlashGordon

    @PeterUK I have the IP range for SSL different from that of LAN1, as it is recommended to set it up with a different subnet.

    I tried and confirmed all the above, and no luck.


  • PeterUK
    PeterUK Posts: 2,711  Guru Member

    Try https://10.255.0.10 or, with the assigned IP pool range 10.255.0.1 – 10.255.0.20, https://10.255.0.1

  • PeterUK
    PeterUK Posts: 2,711  Guru Member

    For some reason your client IP is 10.255.0.10 when that should be reserved for the gateway.

    Can you test with the SecuExtender for Windows app?

    https://www.zyxel.com/uk/en/support/download_library/product/secuextender_software_19.shtml?c=uk&l=en&pid=20140714181106&tab=Software&pname=SecuExtender%20Software&mtname=Software

  • PeterUK
    PeterUK Posts: 2,711  Guru Member
    edited July 2019

    OK, found the reason. On the VPN > SSL VPN page, click the Global Settings tab, enter 10.255.0.10 for Network Extension Local IP, and apply.

    Now go to

    https://10.255.0.10

    😎
