Connect remote worker
I have a USG 60W. I have followed 3 guides (one explaining the manual method, another the manual method with client-downloadable configuration, and another via the wizard) that show how to create a VPN to connect a PC with the ZyWALL IPSec Client. All of them do more or less the same things, so I explain the manual one.
I have
[public_ip](Router from ISP)[192.68.0.0/24]<-------------->[192.168.0.123](ZyWALL USG60)[192.168.1.0/24]<------>LAN
To avoid all interference from the router, the ZyWALL is in the DMZ; so if I go to the public IP I get the ZyWALL web interface.
I need to connect various PCs to the main office 192.168.0.1/24.
All of the remote workers could be in a network of some type, but I don't know; they are mobile workers.
------
First of all I started
1) Creating a VPN gateway VPN_GW_IN
IKEv1
My Address: interface 1 192.168.0.123/24
Dynamic address
a complex pre-shared key
some kind of crypto
NAT, DPD enabled
Pre 2) I created an object of type Range IP 192.168.100.1 - 12.168.100.200
2) Then I created the VPN Connection
first of all I enabled Use Policy Route to control dynamic IPSec rules
It is a Remote Access Server role
the gateway is the one at point 1
local policy: all the guides say lan1, the LAN where I need to connect, 192.168.0.1/24
I enabled Mode Config because some guides suggest using it to identify the clients and assign them a correct IP
IP Address Pool: the Range IP created before
first DNS: I set the router IP as viewed from the LAN side, 192.168.1.123
Zone: IPSec VPN
Then I created a user to download the VPN config
under Object > User I created the user
under IPSec configuration provisioning I associated the VPN with the user and enabled it
I tested with a PC via a WiFi key which has a public IP and an internal IP in a non-overlapping class 192.168.148.0/24
I can correctly download the info in the Zyxel IPSec client
I changed the IP in the IKEv1 setting to the public IP
I can establish the tunnel
I can reach 192.168.1.36, the IP of the Zyxel, but I can't go anywhere; I need only to reach the specific IP 192.168.1.x inside my LAN subnet
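One sanity check worth running on the addressing plan described in this post, as an added example (not the poster's configuration and not Zyxel's tooling): it flags a local policy that does not cover the LAN the remote workers are meant to reach, and any overlap between the Mode Config client pool, the office subnets and a remote worker's own LAN. The pool's end address is assumed to be 192.168.100.200 (the post writes 12.168.100.200), and `subnet_of` needs Python 3.7 or later.

```python
import ipaddress

# Values as written in the post above; the pool end is an assumption
# (the post says 12.168.100.200, which looks like a typo for 192.168.100.200).
PLAN = {
    "wan_subnet": "192.168.0.0/24",       # between the ISP router and the USG
    "lan_subnet": "192.168.1.0/24",       # LAN behind the USG the clients must reach
    "vpn_pool": ("192.168.100.1", "192.168.100.200"),  # Mode Config address pool
    "local_policy": "192.168.0.1/24",     # local policy the post says was configured
    "remote_client_lans": ["192.168.148.0/24"],  # the test client's own network
}


def pool_to_networks(first, last):
    """Summarise an address range object as a list of CIDR networks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def check_plan(plan):
    """Return a list of findings; an empty list means nothing looks wrong."""
    findings = []
    lan = ipaddress.ip_network(plan["lan_subnet"])
    wan = ipaddress.ip_network(plan["wan_subnet"])
    # strict=False turns a host-style entry like 192.168.0.1/24 into its network
    policy = ipaddress.ip_network(plan["local_policy"], strict=False)
    pool = pool_to_networks(*plan["vpn_pool"])

    # 1. The local policy is what the tunnel allows clients to reach, so it
    #    must cover the LAN subnet the remote workers need.
    if not lan.subnet_of(policy):
        findings.append(f"local policy {policy} does not cover LAN {lan}")

    # 2. The client pool must not overlap the office subnets, or return
    #    traffic has two candidate routes.
    for net in pool:
        for name, other in (("LAN", lan), ("WAN", wan)):
            if net.overlaps(other):
                findings.append(f"pool {net} overlaps {name} {other}")

    # 3. A remote worker's own LAN must not overlap the office LAN either.
    for rc in plan["remote_client_lans"]:
        rc_net = ipaddress.ip_network(rc)
        if rc_net.overlaps(lan):
            findings.append(f"remote client LAN {rc_net} overlaps office LAN {lan}")
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN) or ["no findings"]:
        print(finding)
```

Running it on the values from the post reports a single finding: the local policy 192.168.0.0/24 does not cover the LAN 192.168.1.0/24.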
All Replies
You mean the VPN was fine before but now fails? What is the IKE log message?
The local policy should select the ZyWALL's WAN IP.
Better draw the picture to understand.
Check this Zyxel-published video
https://www.youtube.com/watch?v=LL9wdvsfXOY
I have watched the video.
IMO there is something missing in the rule to allow VPN users (the IPSec tunnel is established correctly) to navigate in my lan/1; I can only reach the Zyxel.
I have tested another PC; both PCs have an IP in the range (outside my LAN) assigned by the config.