VPN server behind NAT router - configuration problems
Hi,
I am trying to get a VPN operational through a cable service (NBN) which requires an additional router (for voice services) before connecting to a ZyWALL USG 300. There is already a VPN service successfully connecting via the second WAN port, although it is only ADSL2+ and the primary WAN port is 100/40 Mbps.
The VPN which works is a simple modem configuration which offers bridge connectivity to the ZyWALL, so the WAN port holds the public WAN IP.
ADSL2+ Modem <-> Public IP <-> ZyWALL (VPN server) WAN2 port <-> Local Network
The problem is with the cable service, which is set up as follows:
Public IP <-> Router <-> Local IP <-> ZyWALL (VPN server) WAN1 port <-> Local Network
The router port-forwards UDP 500, 1701 and 4500.
Research led me to this post: https://businessforum.zyxel.com/discussion/878/usg-110-l2tp-vpn-behind-companion-nat-firewall and this video: https://www.youtube.com/watch?v=vfbPFaifpbY
When I attempt to set the VPN Local Policy to the Public IP (HOST, Public IP as recommended in the links above), the log reports:
IKE Failed to add the tunnel [VPN_Name:VPN_Gateway_Name][X:Y]
If an attempt is made to connect the VPN from an Android phone, the log error is a Local IP mismatch.
Experimenting with the settings by changing the VPN Local Policy back to the Local IP (which matches the VPN Gateway address) does not produce a log error; when the VPN connection is tested, it completes IKE Phase 1 successfully and then fails with:
[ID] : Tunnel [VPN_Name] Phase 2 Local policy mismatch.
Apart from the obvious IP variation, no other Phase 2 parameters appear to be incorrect.
My questions are:
- Does anyone know any possible reasons why the ZyWALL log shows an error about failing to add the IKE tunnel when the Local Policy is set to the Public IP, which, as per the tutorials, should be expected to work?
- What inferences can be made from the experiment of changing the Local Policy to the Local IP and then seeing that IKE Phase 1 completes successfully and yet Phase 2 fails?
- What recommendations are there for the best approach and resources for troubleshooting this type of issue, i.e. CLI, console, debug logs, ZyWALL error documentation etc.?
- Any other brainstorming thoughts?
Once I understand why the suggested approach in the tutorials causes an error in the ZyWALL log, it may help towards a resolution.
Thank you to anyone who can shed some light on the way forward and please let me know if you need additional information.
Thanks,
Greg
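The two log messages quoted above (the tunnel that fails to be added, and the Phase 2 local policy mismatch after a good Phase 1) point at different stages of the negotiation, which matters for the second and third questions. The following Python script is an added example, not code from the original post or from Zyxel: it classifies constructed ZyWALL-style IKE log lines by the stage they belong to and reports the furthest stage reached together with a defender-side hint. The tunnel and gateway names, the "Phase 1 ... done" line and the hint wording are assumptions made for the example.

```python
import re

# Constructed sample of ZyWALL-style IKE log lines. The first and third
# message shapes are the ones quoted in the post; the tunnel/gateway names
# and the Phase 1 completion line are placeholders, not real captured output.
SAMPLE_LOG = """\
IKE Failed to add the tunnel [Office_VPN:Office_GW][1:2]
IKE Phase 1 IKE SA process done
[ID] : Tunnel [Office_VPN] Phase 2 Local policy mismatch.
"""

# Each rule: (stage name, regex, hint for the person troubleshooting).
RULES = [
    ("tunnel_not_added",
     re.compile(r"Failed to add the tunnel \[(?P<tunnel>[^\]:]+):[^\]]*\]"),
     "Tunnel never instantiated: the configured local policy address is not "
     "one this unit can bind (for example a public IP that belongs to the "
     "upstream router). Confirm the firmware supports an IPsec/L2TP server "
     "behind NAT before tuning proposals."),
    ("phase1_done",
     re.compile(r"Phase 1 .*done", re.IGNORECASE),
     "Phase 1 completed: pre-shared key, IKE proposal and peer identities "
     "agree, so later failures are traffic-selector (local/remote policy) "
     "or NAT-related rather than authentication problems."),
    ("phase2_local_policy_mismatch",
     re.compile(r"Tunnel \[(?P<tunnel>[^\]]+)\] Phase 2 Local policy mismatch"),
     "Phase 2 selector mismatch: the address the peer proposes for our side "
     "differs from the configured local policy. Behind NAT the peer sees the "
     "router's public address, not the private WAN1 address."),
]

# Higher rank = the negotiation got further before failing.
STAGE_RANK = {"tunnel_not_added": 0, "phase1_done": 1,
              "phase2_local_policy_mismatch": 2}


def classify(line):
    """Return (stage, tunnel_name, hint) for one log line, or None if unknown."""
    for stage, pattern, hint in RULES:
        m = pattern.search(line)
        if m:
            # Not every rule captures a tunnel name; groupdict() is {} then.
            tunnel = m.groupdict().get("tunnel")
            return stage, tunnel, hint
    return None


def diagnose(log_text):
    """Summarise a log: recognised events, furthest stage reached, and hints."""
    events = [c for c in map(classify, log_text.splitlines()) if c]
    if not events:
        return {"events": [], "furthest": None, "hints": []}
    furthest = max(events, key=lambda e: STAGE_RANK[e[0]])[0]
    hints = []
    for _stage, _tunnel, hint in events:
        if hint not in hints:          # keep first occurrence, drop repeats
            hints.append(hint)
    return {"events": [(s, t) for s, t, _ in events],
            "furthest": furthest, "hints": hints}


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print("furthest stage:", report["furthest"])
    for hint in report["hints"]:
        print(" -", hint)
```

Run it against a copy of the ZyWALL log export; the point of ranking the stages is that a Phase 2 policy mismatch after a successful Phase 1 rules out key and proposal problems and narrows the search to the address the peer expects on the server side.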
Comments
Hi @Greg_B,
ZyWALL USG 300 does not support L2TP server behind NAT.
You may consider USG310 which supports this scenario.
Thank you very much for your reply, which certainly explains the problem! :)
Does this apply to USG110 also?
Jeff J Purcell, New Forest, UK and France

Can a USG100 do a VPN behind a NAT?
Hi @nova
L2TP server behind NAT router is supported since 4.25 firmware.
But the USG100's latest version is 3.30, so it doesn't support the behind-NAT scenario.