Help with L2TP VPN and USG 40

kaika313
kaika313 Posts: 29  Freshman Member
edited April 14 in Security
Hi, I'm encountering a lot of difficulties setting up a L2TP VPN with a USG40. Here is our configuration and how the USG is set up. I've followed the configuration Wizard of the VPN but I cannot reach the USG as any client from which I try to connect sees port 500 as closed (server unreachable). Our ISP says that any network traffic is allowed to pass through their gateway (we have not access to its configuration) but still we cannot set up the VPN.
I can reach from outside the office the USG40 and change its settings, only VPN seems no to work.
Firmware version is V4.33.

Are there any other settings I can check to make it work?

Thank you

Kaika
 

Comments

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 814  Zyxel Employee

    Hi @kaika313,

    Can you draw a network topology again with each interface ip/subnet?

    I am wondering why both USG 40 and Gateway have physical link to office network?


  • kaika313
    kaika313 Posts: 29  Freshman Member
    HI @Zyxel_Cooldia,

    here's the complete topology. I have to keep them both connected as the ISP router manages some IP phones connected to the network and we we tried to leave it connected just to the USG they didn't worked anymore. Please let me know if you need further information.

    Thank you
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 814  Zyxel Employee
    edited September 2019
    The USG40 should have physical link to ISP gateway directly, and its gateway should be ISP's gateway, instead of public IP1.
  • kaika313
    kaika313 Posts: 29  Freshman Member
    Hi @Zyxel_Cooldia,

    I cannot connect physically to ISP's gateway and If I set ISP's gateway in USG connection does not work so I'm forced to use these settings and go through Public IP 1.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 814  Zyxel Employee
    That’s weird. Are you sure the wan IP of USG is valid public IP given by ISP?
    If you ping to USG Interface WAN IP from Internet, can you see the icmp packets on USG wan interface ?

    CLI for packet capture:
    outer> packet-trace interface wanx extension-filter icmp
  • kaika313
    kaika313 Posts: 29  Freshman Member
    Hi @Zyxel_Cooldia,

    this is the result from CLI packet capture:

    10:47:57.000665 IP External IP > USG public IP: icmp: echo request

    10:47:57.001126 IP USG public IP > External IP: icmp: echo reply

    10:47:58.001636 IP External IP > USG public IP: icmp: echo request

    10:47:58.002127 IP USG public IP > External IP: icmp: echo reply

    I can also connect to it's web interface from Internet. If I try to "expose" an internal machine, for example the web interface of a NAS, if I test open ports none I try opens...
  • kaika313
    kaika313 Posts: 29  Freshman Member
    UPDATE:
    now our ISP has removed any block and I can establish the L2TP VPN connection!

    Thank you for your support
  • Zyxel_Emily
    Zyxel_Emily Posts: 833  Zyxel Employee
    Hi @kaika313

    Good to hear that you found the root cause.  =)
    Feel free to let us know if you encounter any issue.

Security Highlight