how to properly setup a vpn using usg20-vpn for home users with same ip scheme?

shootify
shootify Posts: 3
First Comment
edited April 2021 in Security
Hi there guys, i am new the forum and new on using Zyxel firewall. 
I have a company that has a USG20-VPN, and they want to set up a VPN which i did using remote access (server role), the issue is they using 192.168.1.1/24 subnet and some of the home users has the same subnet as well, so they cant connect to for example RDP, wondering what is the proper way to set this up, guides that i looked, they all made for site to site configuration, which i tried but not success. any help is appreciated. thanks

All Replies

  • PeterUK
    PeterUK Posts: 3,331  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited January 2021

    With the VPN in server role you can change in L2TP vpn for the IP address pool to like 192.168.255.0/24

    Also the USG20-VPN LAN should not use 192.168.1.1/24

  • hello, using the quicksetup i am able to create the vpn with no problem so it works as long the client is not in the same subnet (192.168.1.1/24), do i need to    enable IPSec NAT on Inbound Traffic Destination NAT. ?
    also followed this video guide , with no success. thanks 
  • PeterUK
    PeterUK Posts: 3,331  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited January 2021

    Clients can use 192.168.1.1/24 if the USG LAN is not using 192.168.1.1/24 and the VPN is not using 192.168.1.1/24

    If the USG LAN and VPN is using 192.168.1.1/24 the Clients must not use 192.168.1.1/24

    You don't need to use IPSec NAT on Inbound Traffic Destination NAT you do need a firewall rule to allow VPN zone (IPSec_VPN) to LAN1


  • is there any step by step in how to do this? i tried all possible ways and still cant get it to work
  • PeterUK
    PeterUK Posts: 3,331  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited January 2021

    In my setup the USG LAN1 is 192.168.255.0/24

    In VPN > IPSec VPN tab VPN Gateway change interface to WAN1


    In VPN > IPSec VPN tab VPN connection


    In VPN > IPSec VPN tab L2TP VPN change DNS and allowed user as needed.


    When a client with 192.168.1.2 connects to the VPN gets 192.168.140.1 and needs to RDP to 192.168.255.250 you make a firewall rule to allow VPN zone (IPSec_VPN) to LAN1.

    Also for the VPN connection you need firewall rules:

    from IPSec_VPN to ZyWALL service VPN_IPSEC group with ESP, IKE, L2TP-UDP and NATT

    from OPT or WAN1 to ZyWALL service VPN_IPSEC group


Security Highlight