L2TP VPN through Internet Router with dynamic public IP
I am setting up a VPN on a USG60 (firmware 4.60) with the following scenario:
ISP Internet Router WAN IP: [WANRouter_Dymaic_IP] dynamic
ISP Internet Router LAN IP: [LANRouter_IP] static
USG60 WAN IP: [USGWAN] static
Ports 1701, 500, etc point to the USG
Internet ISP connection is under NAT
VPN works if I use this configuration...
VPN -> IPSec VPN -> Edit VPN Connection [VPN01_Conexion_VPN] -> Policy -> Local Policy -> HOST, [WANRouter_Dymaic_IP]
... but: How can I configure the firewall so that the VPN works with the dynamic public IP of the router?
Thank you
Accepted Solution
After talking to support, it seems that the solution has been to create a HOST with the IP 0.0.0.0 and assign this host to "VPN -> IPSec VPN -> Editing VPN Connection -> Policy -> Local Policy". It seems to be working and you can now connect to the VPN. Thanks to Zyxel and especially to Maria for helping me over the phone.
All Replies
Hi all!
I have exactly the same question as AyAk.
I'm trying to follow this guide https://support.zyxel.eu/hc/en-us/articles/360001390654-How-to-configure-L2TP-behind-NAT, but get stuck on step 9 (the WAN IP of the Internet-facing DSL router would be outdated after a provider refresh).
The user GLPallai had a similar question on this thread: https://businessforum.zyxel.com/discussion/1155/vpn-l2tp-with-nat-and-ddns#latest, but the answers sort of went off-topic...
Thank you
Hi @Zyxel_Jeff,
Thank you for your answer! In the example you linked to, the router has 59.124.163.151 as a WAN IP. How would you modify the NAT rule (specifically, the User-Defined Original IP) if the WAN IP was renewed every day by the internet provider? It would be quite cumbersome to have to manually change the address every day with the updates!
Best Regards
Based on the above topology, you can configure a DDNS domain name on your router to replace the WAN IP 59.124.163.151.
Thanks, Zyxel_Jeff, for your answer.
Returning to my query (first post of this thread), my router is not in transparent mode, so it has a WAN IP (dynamic IP, called WANRouter_Dymaic_IP in my first post) and a LAN IP (called LANRouter_IP in my first post).
I don't think that any answer that I have seen fits this situation.
Thanks
In the above topology, the WAN IP of the router is a static public IP.
STEP1.
In your case, you may enable the DDNS service of this router, because its WAN IP will change dynamically every day.
P.S. You could refer to your router manufacturer’s manual for DDNS configuration.
As for the DDNS service, you may refer to a DDNS provider such as No-IP, FreeDNS, etc., whichever you want.
STEP2.
If your router gets a DDNS domain name (e.g. aaa.bbb.ccc.ddns.com) successfully, you can add an FQDN address object on the USG60.
STEP3.
Then refer to this tutorial: “How do I configure the ZyWALL for a L2TP server behind NAT?”
P.S. Just replace the tutorial example WAN IP “59.124.163.151” with the DDNS domain name “aaa.bbb.ccc.ddns.com”.
Hello.
I've created an FQDN address rule pointing to my no-ip host, like example.no-ip.com, and the IP has resolved OK in the test. I've named it "IP_Publica_NoIp".
But in VPN -> IPSec VPN -> Editing VPN Connection -> Policy -> Local Policy I can't select "IP_Publica_NoIp" because it doesn't appear (it also isn't selected if I type it).
Maybe the FQDN addresses are not shown here? I think if I could select it the VPN would work correctly.
Thank you again
Hi AyAk,
may we contact you temporarily by e-mail to find the right config?
There may be multiple solutions here, and we can easily find out during a call which is the best for you.
Let me know.
Kind Regards,
Tobias
Hello, I think it's a good idea to contact by email.
Do you know my email?
Thank you