L2TP VPN through Internet Router with dynamic public IP

AyAk (Posts: 5), edited April 2021 in Security
Hello:
I am setting up a VPN on a USG60 (firmware 4.60) with the following scenario:

ISP Internet Router WAN IP: [WANRouter_Dymaic_IP] dynamic
ISP Internet Router LAN IP: [LANRouter_IP] static

USG60 WAN IP: [USGWAN] static

Ports 1701, 500, etc point to the USG
Internet ISP connection is under NAT

VPN works if I use this configuration...

    VPN -> IPSec VPN -> Edit VPN Connection [VPN01_Conexion_VPN] -> Policy -> Local Policy -> HOST, [WANRouter_Dymaic_IP]

... but how can I configure the firewall so that the VPN works with the dynamic public IP of the router?

Thank you


Accepted Solution

  • AyAk (Answer ✓)
    After talking to support, it seems that the solution has been to create a HOST with the IP 0.0.0.0 and assign this host under "VPN -> IPSec VPN -> Editing VPN Connection -> Policy -> Local Policy". It seems to be working and you can now connect to the VPN.
    Thanks to Zyxel and especially to Maria for helping me over the phone.





All Replies

  • Hi all!
    I have exactly the same question as AyAk.
    I'm trying to follow this guide https://support.zyxel.eu/hc/en-us/articles/360001390654-How-to-configure-L2TP-behind-NAT, but get stuck on step 9 (the WAN IP of the Internet-facing DSL router would be outdated after a provider refresh).
    The user GLPallai had a similar question on this thread: https://businessforum.zyxel.com/discussion/1155/vpn-l2tp-with-nat-and-ddns#latest, but the answers sort of went off-topic...

    Thank you 

  • Zyxel_Jeff (Zyxel Employee)

  • Hi @Zyxel_Jeff,

    Thank you for your answer! In the example you linked to, the router has 59.124.163.151 as a WAN IP. How would you modify the NAT rule (specifically, the User-Defined Original IP) if the WAN IP was renewed every day by the internet provider? It would be quite cumbersome to have to manually change the address every day with the updates!

    Best Regards :)
  • Zyxel_Jeff (Zyxel Employee)
    Based on the above topology, you can configure a DDNS domain name on your router to replace the WAN IP 59.124.163.151.

  • AyAk
    Thanks Zyxel_Jeff for your answer:

    Returning to my query (first post of this thread): my router is not in transparent mode, so it has a WAN IP (a dynamic IP, called WANRouter_Dymaic_IP in my first post) and a LAN IP (called LANRouter_IP in my first post).

    I don't think that any answer that I have seen fits this situation.
    Thanks





  • Zyxel_Jeff (Zyxel Employee)

    Hi @AyAk @Patricio


    In the above topology the WAN IP of the router is a static public IP.

    STEP1.

    In your case, you may enable the DDNS service of this router, since its WAN IP will change dynamically every day.

    P.S. You could refer to your router manufacturer's manual for DDNS configuration.

    As for the DDNS service, you may use a DDNS provider such as No-IP, FreeDNS, etc., whichever you want.

    STEP2.

    If your router gets a DDNS domain name (e.g. aaa.bbb.ccc.ddns.com) successfully, you can add an FQDN address object on the USG60.




    STEP3.

    And refer to this tutorial “How do I configure the ZyWALL for a L2TP server behind NAT?”

    P.S. Just replace the tutorial's example WAN IP "59.124.163.151" with the DDNS domain name "aaa.bbb.ccc.ddns.com".

    https://businessforum.zyxel.com/discussion/675/how-do-i-configure-the-zywall-for-a-l2tp-server-behind-nat#latest

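The DDNS approach above only works while the DDNS name still resolves to the router's current WAN IP; after a provider refresh the record can lag and the USG's FQDN object then points at a stale address. The following is an added example (not Zyxel's code or the forum's) that classifies that state given the FQDN and the WAN IP read from the router; the FQDN and the 203.0.113.x addresses are constructed placeholders, and the resolver can be injected so the check runs offline.

```python
import socket

# Constructed placeholder; replace with the real DDNS hostname of the router.
DDNS_FQDN = "aaa.bbb.ccc.ddns.com"


def resolve_a_records(fqdn, resolver=None):
    """Return the set of IPv4 addresses the FQDN currently resolves to.

    `resolver` is an optional callable fqdn -> iterable of IP strings, used
    here to feed constructed answers; without it the system resolver is used.
    """
    if resolver is not None:
        return set(resolver(fqdn))
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def ddns_status(fqdn, router_wan_ip, resolver=None):
    """Compare the DDNS answer with the WAN IP the router currently holds.

    Returns one of:
      "in_sync"      - the name resolves only to the live WAN IP (safe to use)
      "stale"        - the name still points at an old address (VPN will fail)
      "ambiguous"    - several A records, only one of them current
      "unresolvable" - no A record at all (DDNS not yet registered)
    """
    ips = resolve_a_records(fqdn, resolver)
    if not ips:
        return "unresolvable"
    if ips == {router_wan_ip}:
        return "in_sync"
    if router_wan_ip in ips:
        return "ambiguous"
    return "stale"


def demo():
    """Walk through the four states with constructed resolver answers."""
    live_wan = "203.0.113.10"          # constructed: WAN IP read from the router
    cases = {
        "in_sync": lambda f: ["203.0.113.10"],
        "stale": lambda f: ["203.0.113.9"],     # record not refreshed yet
        "ambiguous": lambda f: ["203.0.113.10", "203.0.113.9"],
        "unresolvable": lambda f: [],
    }
    return {name: ddns_status(DDNS_FQDN, live_wan, r) for name, r in cases.items()}
```

A real run would pass no resolver and the WAN IP from the router's status page; anything other than "in_sync" means the FQDN address object on the USG60 is not yet usable.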

  • AyAk
    Hello.

    I've created an FQDN address rule pointing to my no-ip host, like example.no-ip.com, and the IP resolved OK in the test. I've named it "IP_Publica_NoIp".
    But in VPN -> IPSec VPN -> Editing VPN Connection -> Policy -> Local Policy I can't select "IP_Publica_NoIp" because it doesn't appear (it also isn't accepted if I type it).
    Maybe the FQDN addresses are not shown here? I think if I could select it the VPN would work correctly.

    Thank you again




  • Zyxel_Tobias (Zyxel Employee)
    Hi AyAk,

    may we contact you temporarily by e-mail to find the right config?

    There may be multiple solutions here, and we can easily find out during a call which is the best for you.

    Let me know.

    Kind Regards,

    Tobias
  • AyAk
    Hello, I think it's a good idea to contact by email.
    Do you know my email?
    Thank you
