USG 110 L2TP VPN behind companion NAT firewall
Hi,
this thing is driving me crazy...
I've a USG 110 and configured L2TP over IPSec. I connect a Windows 10 Client on the WAN network and it completes VPN connection successfully.
Then I connect the same client on the public network (behind a NAT firewall that's the default gateway of the USG110), and simply change the IP address (on client side) and the local policy rule (on USG side) to match the same public IP. Companion firewall supports VPN passthrough and I forwarded IKE and L2TP ports to USG. In this configuration the VPN cannot connect. Looking at USG logs, seems that IPSec connects correctly, then L2TP loops continuously between "tunnel disconnected" and "dynamic tunnel rekeyed succesfuly", until it times out. I can't see any useful error message to drive me in the right direction....
Any idea what I should check?
Thanks.
Max.
Comments
Please check my article
First you have to import a registry key to the Windows client, because otherwise it cannot work.
https://webstore.zyxel.eu/public.php?service=files&t=b3da89762fa939c49794ba0d6f0f9291
You can find an explanation by Microsoft here (please note that this also applies to Windows 10 / 7):
https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows-vista-and-in-windows-server-2008
SETUP/STEP BY STEP PROCEDURE:
Topology:
Network Conditions:
Router WAN IP: 59.124.163.151
ZyWALL WAN IP: 192.168.10.33
Configuration on the router:
Add a NAT rule for the router.
Allow L2TP services.
L2TP server: 192.168.10.33
L2TP service: IKE, NATT, L2TP-UDP
Configuration on the ZyWALL/USG:
IPSec VPN Gateway
IPSec VPN Connection:
The local policy is the NAT public IP address.
L2TP VPN:
Assign a pool for the L2TP clients.
VERIFICATION:
Use a smartphone or a PC to establish an L2TP VPN connection to the ZyWALL/USG.
Configure the NAT's public IP address as the L2TP server address on the client.
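
The Windows client registry change the comment above refers to, as an added example that is not part of the original comment or of Zyxel's registry file. It assumes the setting is the `AssumeUDPEncapsulationContextOnSendRule` value described in the linked Microsoft article; the script reads the value and writes it only when run elevated with the hypothetical `-Apply` switch.

```powershell
# Added example: check (and optionally set) the NAT-T value that the linked
# Microsoft article documents for L2TP/IPsec servers behind a NAT device.
# Assumption: this is the setting the registry file in the comment applies.
param(
    [switch]$Apply,                          # hypothetical switch: write the value
    [ValidateSet(1, 2)][int]$Desired = 2     # 2 = server and client both behind NAT
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name = 'AssumeUDPEncapsulationContextOnSendRule'
$meaning = @{
    0 = 'default: no security associations with servers behind NAT'
    1 = 'server may be behind NAT'
    2 = 'server and client may both be behind NAT'
}

# A missing value behaves like 0 (the Windows default).
$prop    = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
$current = if ($null -ne $prop) { [int]$prop.$name } else { 0 }
Write-Output "$name = $current ($($meaning[$current]))"

if ($current -ge $Desired) {
    Write-Output 'No change needed.'
    return
}
if (-not $Apply) {
    Write-Output "Re-run elevated with -Apply to set it to $Desired."
    return
}

# Writing under HKLM needs an elevated session; fail clearly if it is not.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Writing under HKLM requires an elevated session.' }

New-ItemProperty -Path $key -Name $name -PropertyType DWord `
    -Value $Desired -Force | Out-Null
Write-Output "Set $name to $Desired. Restart Windows for the change to take effect."
```

Windows ships this value at 0, so limit the change to clients that must reach a VPN server behind NAT.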