VPN server behind NAT router - configuration problems

Greg_B Posts: 2
edited April 2021 in Security


I am trying to get a VPN operational through a cable service (NBN) which requires an additional router (for voice services) before connecting to a ZyWALL USG 300. There is already a VPN service successfully connecting via the second WAN port, although it is only ADSL2+ and the primary WAN port is 100/40 Mbps.

The VPN which works is a simple modem configuration which offers bridge connectivity to the ZyWALL, thus the WAN port is the public WAN IP.

ADSL2+ Modem <-> Public IP <-> ZyWALL (VPN server) WAN2 port <-> Local Network

The problem is with the cable service, which is set up as follows:

Public IP <-> Router <-> Local IP <-> ZyWALL (VPN server) WAN1 port <-> Local Network

The Router port forwards UDP 500, 1701 and 4500.

Research led me to this post: https://businessforum.zyxel.com/discussion/878/usg-110-l2tp-vpn-behind-companion-nat-firewall and this video: https://www.youtube.com/watch?v=vfbPFaifpbY

When I attempt to set the VPN Local Policy to the Public IP (HOST, Public IP as recommended in the links above), the log reports:

IKE Failed to add the tunnel [VPN_Name:VPN_Gateway_Name][X:Y]

If an attempt is made to connect the VPN from an Android phone, the log error is a Local IP mismatch.

Experimenting with the settings, by changing the VPN Local Policy back to the Local IP (which matches the VPN Gateway address), does not result in a log error and when testing the VPN connection, it completes IKE Phase 1 successfully and then fails with:

[ID] : Tunnel [VPN_Name] Phase 2 Local policy mismatch.

Apart from the obvious IP variation, no other Phase 2 parameters appear to be incorrect.

My questions are:

  1. Does anyone know any possible reasons why the ZyWALL log shows an error about failing to add the IKE tunnel when the Local Policy is set to the Public IP, which, as per the tutorials, should be expected to work?
  2. What inferences can be made from the experiment of changing the Local Policy to the Local IP and then seeing that IKE Phase 1 completes successfully and yet Phase 2 fails?
  3. What recommendations are there for the best approach and resources for troubleshooting this type of issue, i.e. CLI, Console, debug logs, ZyWALL error documentation etc.?
  4. Any other brainstorming thoughts?

Once I understand why the suggested approach in the tutorials causes an error in the ZyWALL log, it may help a resolution.

Thank you to anyone who can shed some light on the way forward and please let me know if you need additional information.
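The Phase 2 experiment in question 2 can be reasoned about with a small model of IKE Quick Mode traffic-selector matching for an L2TP/IPsec responder behind NAT. This is an added illustration, not Zyxel code and not part of the original post; the addresses are constructed, and the strict host-to-host matching rule is a simplifying assumption about how the responder compares its configured Local Policy against what a road-warrior client proposes (the client proposes the public address it dialled, because the NAT router is invisible to it).

```python
"""Model of IKE Phase 2 traffic-selector matching for an L2TP/IPsec
responder (ZyWALL) sitting behind a NAT router. Added illustration only."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed addresses for the topology in the post (placeholders, not real values).
PUBLIC_IP = "203.0.113.10"    # WAN side of the cable router (address the client dials)
LOCAL_IP = "192.168.0.2"      # ZyWALL WAN1 address on the router's LAN side
CLIENT_IP = "198.51.100.77"   # road-warrior client (Android phone)

@dataclass(frozen=True)
class TrafficSelector:
    local: object   # responder-side host/subnet
    remote: object  # initiator-side host/subnet
    proto: int      # 17 = UDP, the transport for L2TP
    port: int       # 1701 = L2TP

def client_proposal(client_ip, dialed_ip):
    """Quick Mode proposal as seen by the responder: host-to-host, UDP/1701,
    with the server side being the address the client dialled (the public IP)."""
    return TrafficSelector(ip_network(dialed_ip), ip_network(client_ip), 17, 1701)

def responder_policy(local_policy_ip):
    """The responder's configured Phase 2 Local Policy (a HOST address);
    the remote side is 'any' because road-warrior clients have unknown IPs."""
    return TrafficSelector(ip_network(local_policy_ip), ip_network("0.0.0.0/0"), 17, 1701)

def phase2_matches(policy, proposal):
    """Strict match (assumption): the proposed local selector must fall inside
    the configured Local Policy, the remote inside the remote policy, and
    protocol and port must agree."""
    return (proposal.local.subnet_of(policy.local)
            and proposal.remote.subnet_of(policy.remote)
            and proposal.proto == policy.proto
            and proposal.port == policy.port)

def evaluate(local_policy_ip):
    """Outcome of Phase 2 for a given Local Policy setting."""
    ok = phase2_matches(responder_policy(local_policy_ip),
                        client_proposal(CLIENT_IP, PUBLIC_IP))
    return "Phase 2 OK" if ok else "Phase 2 Local policy mismatch"

if __name__ == "__main__":
    for ip in (LOCAL_IP, PUBLIC_IP):
        print(f"Local Policy = {ip}: {evaluate(ip)}")
```

Under this model, a Local Policy equal to the ZyWALL's own LAN-side WAN1 address cannot match what the client proposes, which is consistent with the observed Phase 1 success followed by a Phase 2 local policy mismatch; the model says nothing about why the device refuses to add a tunnel for the public address.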



