Conect remote worker

GST Posts: 6
First Comment
edited April 2021 in Security
I have a USG 60w I have folowed 3 guide (on that explain the manual mehod, aonther the manual method with client downloadable configuration and another via wizzard) that show how to create a VPN to connect PC with Zwall IPSEC Client. All of them do more or less the same things so i explain the manual one.

I have
[piblic_ip](Router from ISP)[]<-------------->[](ZywallUSG60)[]<------>lan

TO avoid all interference from Router Zywall is in DMZ; so if I go to public IP I get zywall web interface.

I need to conect various PC to the main office
All of the romote worker could be in a network of some type but I don't know they are mobile worker.

Firs of all I started
1) creating a VPN gateway VPN_GW_IN
my Addr interface 1
Dynamic adress
a complex pre shared key
some kind of cripto
nat dpd enabled

pre 2) I create a object of type Range IP -

2)Then I created the VPN Conection
firs of all enabled Use Policy Route to control dynamic IPSec rules

It is a Remote Acces Server Role
the Gateway is the one at pont 1
local policy all the guide say lan1 the lan where i need to connect.

I enabled Mode Config because some guide suggest to use it to identify the clients and assign them a correct IP
IP adress PooI the Range IP creatd before
first DNS i setted the router IP viewed from LAN side

Then I created a user to download VPN config

under object user I created the user
under ipsec configuration provisioning I associated the VPN to user and enabled

I tested with a pc via wifi key wich has publi IP  an internal ip in a non overlapped class

I can correctly download the info in Zyxel IP client
I changed the ip in IKE1 setting to the public IP
I can establish the tunnel

I can reach the IP of zyxel but I can't go nowere I need only to reache the specific IP 192.168.1.x inside my lan subnet

All Replies

  • Jeremylin
    Jeremylin Posts: 166  Master Member
    First Anniversary First Answer First Comment
    edited April 2020
    You mean the VPN was fine before but now failed? What is log message of Ike?
    The local policy should select zywall's Wan IP.
    Better draw the picture to understand.
    Check this zyxel published video

  • GST
    GST Posts: 6
    First Comment
    I have watched the video.
    IMO there is some missing in rule to allow VPN user( ipsec tunnel is established correctly) to navigate in my lan/1 I can only reach zyxel.
    I have tested another PC both PC has an IP in range (out of my lan) assigned by config  .

Security Highlight