L2TP remote user on Private LAN?

KINGOLE
KINGOLE Posts: 8
edited April 2021 in Security

I'm having issues getting a L2TP VPN setup to my ZyWALL USG 300, and I just saw this note in one of my manuals:

"At the time of writing the L2TP remote user must have a public IP address in order for L2TP VPN to work (the remote user cannot be behind a NAT router or a firewall)."

Is this still the case? If so, that means L2TP is not really suited for users working from home, as they will all be behind a router.

What's the best solution for those?

All Replies

  • warwickt
    warwickt Posts: 111  Ally Member

    Hi KINGOLE if your scenario is something like:

    1. USG300 with WAN1 to ISP and WAN2 ISP2 etc etc etc to other upstream and
    2. you want to access from a CLIENT on any local LANxx (phone, mac, pc etc)

    Then this will still work ok as long as the public hostnames in 1. above can be resolved by the VPN client in 2.

    Example:

    • WAN2 - public host kingoletest001.ddns.net (set in USG200 DDNS)
    • your LAN clients O/S can resolve the host "kingoletest001.ddns.net"

    Just make sure that you have USG300 Policy Routes and Security Policy rules to allow local LANxx clients and their subsequent L2TP IPs to access other internal routes.

    If you require Client-to-Site VPN access from other private LANs to the USG300 (for testing, for example), simply

    • use another USG300 PORT and
    • build an IKE Phase1/Phase2 Remote Site-Client on that USG300 port (WANx, OPTx etc) and
    • set a LOCAL DNS A/AAAA record for it so that your internal LAN client can find it with the VPN client software.
    • this is how we test some stuff ...

    Working from home?

    Do you mean the CLIENT's L2TP VPN mac/pc/phone is on a home router with the usual NAT?

    If so, then this is the scenario for most L2TP users. Your local NAT is problematic with the Windows O/S built-in VPN client ONLY if the USG300 itself at the remote site is on a NAT, I understand. Then you'll have to persevere with the local Windows 10 registry and some value to pass it through at the other end.. maybe it's this value: AssumeUDPEncapsulationContextOnSendRule (1 or 2) -- see the interwebs for this.


    Summary:

    The standard L2TP VPN with a pre-shared key (PSK) is straightforward to set up with most OSs (macOS, Linux, FreeBSD, Windows etc and various inbuilt and 3rd-party VPN clients) ... there is tonnes of easy-to-follow documentation for this and the Zyxel USG appliances.

    HTH

    Warwick

    Hong Kong

  • KINGOLE
    KINGOLE Posts: 8

    Thanks Warwick. I'll have to warn you that I have not messed with VPN/IPSEC etc. for a very long time, hence the reason that I followed the steps in the ZyXEL user guide.

    There will be no phones involved, strictly data.

    I have a LAN at work with shared folders which people store relevant documents in.

    I have people working from home who would need to be able to access those shared folders.

    Basically all home users sit behind the router that was provided to them by their ISP, so they will be on a 10.x.x.x or 192.168.x.x network.

    My ZyWALL has only one WAN connection, which is on g2. I use the IP address instead of a hostname, so no need to look up anything.

    I have tried this multiple times, gone over every step. I've even uninstalled the virus protection on my Windows client and disabled its firewall, but it just won't work.

    I'm sure it's something simple, but I'm not an experienced security guru, so not sure what to look for.

    My plan is to read up on this, starting by retaking my CCNA and then going on to CCNA-Security, but my problem is I need to set this up now.

    If you know of a link to good documentation/videos, those would be much appreciated.

    Thanks,

    Ole

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,052  Zyxel Employee
    edited March 2020

    Hi @KINGOLE

    Here is an example of setting up L2TP VPN:

    VPN Gateway settings

    VPN Connection settings

    L2TP VPN settings

    If your device is behind a NAT router, then after setting up the VPN you need to do the NAT settings on the router above our device: it has to forward the related L2TP ports to our device.

  • KINGOLE
    KINGOLE Posts: 8

    Thanks Jerry,

    I'll compare the settings to the ones I have from the steps specified in the ZyWALL User Guide, but at first glance, everything looks pretty much like I recall having it set up.

    This is for people at home connecting to my shared folders on our LAN, and they will all be behind an Xfinity or AT&T router on their own little LAN, and none of them will know how to configure their router at home.

    Is L2TP not the solution I'm looking for, or?

    Thanks.

  • PeterUK
    PeterUK Posts: 2,702  Guru Member
    edited March 2020

    The VPN gateway Proposal, in order, can be:

    • 3DES / SHA1
    • AES128 / SHA1

    The VPN connection Proposal, in order, can be:

    • AES256 / SHA1
    • 3DES / SHA1

    You will need firewall rules:

    • WAN/OPT to ZyWALL: service VPN_IPSEC (ESP, IKE, L2TP-UDP and NATT)

    and for the VPN zone:

    • IPSec_VPN to ZyWALL: service VPN_IPSEC (ESP, IKE, L2TP-UDP and NATT)

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,052  Zyxel Employee

    Hi @KINGOLE

    Yes, you can use L2TP VPN to achieve your purpose.

    If the router above your shared folder is behind a NAT router,

    it needs port forwarding set up on the NAT router. Here is the related scenario of L2TP VPN behind a NAT router:

    https://businessforum.zyxel.com/discussion/878/usg-110-l2tp-vpn-behind-companion-nat-firewall
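The NAT advice in this thread (client behind an ISP router is fine; only a NAT in front of the ZyWALL itself needs port forwarding and the Windows registry tweak, plus the two VPN_IPSEC policies) condensed into a small checklist helper. This is an added example, not code from the thread or from Zyxel; the Topology class and function names are my own, and the forwarded-port list assumes the ZyWALL is the L2TP/IPsec server.

```python
from dataclasses import dataclass

# Ports/protocols behind the ZyWALL "VPN_IPSEC" service group named in the thread
# (IKE, NATT, L2TP-UDP, ESP). ESP is IP protocol 50, not a UDP port.
IKE_UDP, NATT_UDP, L2TP_UDP, ESP_PROTO = 500, 4500, 1701, 50


@dataclass(frozen=True)
class Topology:
    client_behind_nat: bool  # home user behind the ISP-supplied router
    server_behind_nat: bool  # the ZyWALL itself sits behind another NAT router


def required_forwards(topo: Topology) -> list:
    """Forwards the upstream NAT router must add so the ZyWALL sees the client."""
    if not topo.server_behind_nat:
        return []  # ZyWALL owns the public IP: the client's own NAT needs nothing
    # With a NAT in the path IKE negotiates NAT-T, so ESP is carried inside UDP 4500
    # instead of as raw protocol 50. UDP 1701 itself runs inside the IPsec tunnel;
    # it is listed here only because the thread's advice forwards all L2TP ports.
    return [("udp", IKE_UDP), ("udp", NATT_UDP), ("udp", L2TP_UDP)]


def windows_nat_registry_value(topo: Topology) -> int:
    """DWORD AssumeUDPEncapsulationContextOnSendRule under
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\PolicyAgent for the built-in client:
    0 (default/absent) = server on a public IP, 1 = server behind NAT,
    2 = both client and server behind NAT."""
    if not topo.server_behind_nat:
        return 0
    return 2 if topo.client_behind_nat else 1


def zywall_policies() -> list:
    """Security policies the ZyWALL needs regardless of topology (from PeterUK's post)."""
    return [("WAN", "ZyWALL", "VPN_IPSEC"), ("IPSec_VPN", "ZyWALL", "VPN_IPSEC")]


def checklist(topo: Topology) -> dict:
    return {
        "forwards": required_forwards(topo),
        "registry": windows_nat_registry_value(topo),
        "policies": zywall_policies(),
    }


if __name__ == "__main__":
    # Constructed scenario matching the original question: home users behind
    # ISP NAT, ZyWALL directly on the public WAN.
    print(checklist(Topology(client_behind_nat=True, server_behind_nat=False)))
```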
