L2TP VPN through Internet Router with dynamic public IP

AyAk
AyAk Posts: 5
edited April 14 in Security
Hello:
I am setting up a VPN on a USG60 (firmware 4.60) with the following scenario:

ISP Internet Router WAN IP: [WANRouter_Dymaic_IP] dynamic
ISP Internet Router LAN IP: [LANRouter_IP] static

USG60 WAN IP: [USGWAN] static

Ports 1701, 500, etc point to the USG
Internet ISP connection is under NAT

VPN works if I use this configuration...

    VPN->IPSec VPN->Edit VPN Connection [VPN01_Conexion_VPN] -> Policy -> Local Policy -> HOST, [WANRouter_Dymaic_IP]

... but: How can I configure the firewall so that the VPN works with the dynamic public IP of the router?

Thank you


Accepted Solution

  • AyAk
    AyAk Posts: 5
    Accepted Answer
    After talking to support, it seems that the solution has been to create a HOST with the IP 0.0.0.0 and assign this host to "VPN -> IPSec VPN -> Editing VPN Connection -> Policy -> Local Policy". It seems to be working and you can now connect to the VPN.
    Thanks to Zyxel and especially to Maria for helping me over the phone





All Replies

  • Patricio
    Patricio Posts: 3
    Hi all!
    I have exactly the same question as AyAk.
    I'm trying to follow this guide https://support.zyxel.eu/hc/en-us/articles/360001390654-How-to-configure-L2TP-behind-NAT, but get stuck on step 9. (the WAN-IP of the Internet-facing DSL router would be outdated after a provider refresh).
    The user GLPallai had a similar question on this thread: https://businessforum.zyxel.com/discussion/1155/vpn-l2tp-with-nat-and-ddns#latest, but the answers sort of went off-topic...

    Thank you 

  • Patricio
    Patricio Posts: 3
    Hi @Zyxel_Jeff,

    Thank you for your answer! In the example you linked to, the router has 59.124.163.151 as a WAN IP. How would you modify the NAT rule (specifically, the User-Defined Original IP) if the WAN IP was renewed every day by the internet provider? It would be quite cumbersome to have to manually change the address every day with the updates!

    Best Regards :)
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 135  Zyxel Employee
    Based on the above topology, you can configure DDNS domain name on your router to replace WAN IP 59.124.163.151.

  • AyAk
    AyAk Posts: 5
    Thank you Zyxel_Jeff for your answer:

    Returning to my query (first post of this thread): my router is not in transparent mode, so it has a WAN IP (a dynamic IP, called WANRouter_Dymaic_IP in my first post) and a LAN IP (called LANRouter_IP in my first post).

    I don't think that any answer that I have seen fits this situation.
    Thanks





  • Zyxel_Jeff
    Zyxel_Jeff Posts: 135  Zyxel Employee

    Hi @AyAk @Patricio

    In the topology above, the WAN IP of the router is a static public IP.

    STEP1.

    In your case, you may enable the DDNS service of this router, because its WAN IP will change dynamically every day.

    P.S. You could refer to your router manufacturer's manual for DDNS configuration.

    As for the DDNS service, you may use a DDNS provider such as No-IP, FreeDNS etc., whichever you want.

    STEP2.

    If your router gets its DDNS domain name (e.g. aaa.bbb.ccc.ddns.com) successfully, you can add an FQDN address object on the USG60.

    STEP3.

    Then refer to this tutorial, "How do I configure the ZyWALL for a L2TP server behind NAT?"

    P.S. Just replace the tutorial's example WAN IP "59.124.163.151" with the DDNS domain name "aaa.bbb.ccc.ddns.com".

    https://businessforum.zyxel.com/discussion/675/how-do-i-configure-the-zywall-for-a-l2tp-server-behind-nat#latest
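A pre-flight check for the DDNS-based setup described in the three steps above, added here as an example; it is not Zyxel's code and is not taken from the linked tutorials. It verifies two things a practitioner would want to confirm before blaming the VPN policy: that the DDNS name currently resolves to the router's real WAN IP (after an ISP renewal that DDNS has not yet caught up with, anything on the USG that was derived from the old address points at a dead IP), and that the NAT router forwards the UDP ports L2TP over IPsec needs to the USG, including UDP 4500 for IPsec NAT-Traversal, which is required whenever the IPsec endpoint sits behind NAT. The host name, addresses and forwarding rules below are constructed placeholders (RFC 5737 documentation addresses); the router's current WAN IP is assumed to be read off the router's own status page, since no vendor API is used.

```python
"""Pre-flight checks for an L2TP/IPsec server (e.g. a USG60) behind a NAT
router whose public IP is dynamic and published via DDNS.

Added example for this thread, not Zyxel code. All names, addresses and
rules are constructed placeholders.
"""
import ipaddress
import socket
from dataclasses import dataclass

# UDP ports the NAT router must forward to the USG for L2TP over IPsec:
# 500 (IKE), 4500 (IPsec NAT-Traversal, mandatory with the USG behind NAT),
# 1701 (L2TP; carried inside the IPsec tunnel, but the setup in this thread
# forwards it as well, so it is checked too).
L2TP_IPSEC_UDP_PORTS = {500: "IKE", 4500: "IPsec NAT-T", 1701: "L2TP"}

# Ranges a DDNS record must never point at: RFC 1918 and CGNAT (RFC 6598).
# A CGNAT address means the ISP is NATing too and no port forward can work.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


@dataclass(frozen=True)
class ForwardRule:
    proto: str   # "udp" or "tcp"
    port: int
    target: str  # LAN-side address the router forwards to (the USG WAN IP)


def missing_forwards(rules, usg_wan_ip):
    """Return {port: role} for required UDP ports not forwarded to the USG."""
    forwarded = {r.port for r in rules
                 if r.proto.lower() == "udp" and r.target == usg_wan_ip}
    return {p: role for p, role in L2TP_IPSEC_UDP_PORTS.items() if p not in forwarded}


def ddns_status(fqdn, router_wan_ip, resolver=socket.gethostbyname):
    """Compare what the DDNS name resolves to with the router's current WAN IP.

    router_wan_ip is whatever the ISP router reports right now (assumption:
    read from its status page). resolver is injectable so this runs offline.
    """
    try:
        resolved = resolver(fqdn)
    except OSError as exc:
        return {"ok": False, "reason": f"{fqdn} does not resolve: {exc}"}
    addr = ipaddress.ip_address(resolved)
    if any(addr in net for net in NON_ROUTABLE):
        return {"ok": False,
                "reason": f"{fqdn} -> {resolved} is not a public address (CGNAT or wrong record?)"}
    if resolved != router_wan_ip:
        return {"ok": False,
                "reason": f"stale DDNS: {fqdn} -> {resolved}, but router WAN IP is {router_wan_ip}"}
    return {"ok": True, "reason": f"{fqdn} -> {resolved} matches router WAN IP"}


def preflight(fqdn, router_wan_ip, rules, usg_wan_ip, resolver=socket.gethostbyname):
    """Run both checks; return a list of problems (empty list means all good)."""
    problems = [f"UDP {port} ({role}) is not forwarded to the USG at {usg_wan_ip}"
                for port, role in sorted(missing_forwards(rules, usg_wan_ip).items())]
    status = ddns_status(fqdn, router_wan_ip, resolver)
    if not status["ok"]:
        problems.append(status["reason"])
    return problems


# Constructed sample data: 192.168.1.2 stands in for the USG WAN IP (the
# router's LAN side), 203.0.113.x for the router's public WAN IP.
SAMPLE_RULES = [
    ForwardRule("udp", 500, "192.168.1.2"),
    ForwardRule("udp", 1701, "192.168.1.2"),
    ForwardRule("tcp", 4500, "192.168.1.2"),  # wrong protocol: NAT-T is UDP
]
SAMPLE_DNS = {"example.no-ip.com": "203.0.113.7"}  # what DDNS currently publishes


def fake_resolver(name):
    """Offline stand-in for socket.gethostbyname using the constructed table."""
    if name not in SAMPLE_DNS:
        raise socket.gaierror(f"no record for {name}")
    return SAMPLE_DNS[name]


if __name__ == "__main__":
    # The ISP renewed the WAN IP to .9 but DDNS still publishes .7, and
    # UDP 4500 is forwarded as TCP: both problems should be reported.
    for problem in preflight("example.no-ip.com", "203.0.113.9",
                             SAMPLE_RULES, "192.168.1.2", fake_resolver):
        print("PROBLEM:", problem)
```

Replace `fake_resolver` with the default `socket.gethostbyname` to check the live DDNS record; if the stale-DDNS finding appears right after a renewal, the fix is on the router's DDNS client (or its update interval), not on the USG.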


  • AyAk
    AyAk Posts: 5
    Hello.

    I've created an FQDN address rule pointing to my No-IP host, like example.no-ip.com, and the IP resolved OK in the test. I've named it "IP_Publica_NoIp".
    But in VPN -> IPSec VPN -> Editing VPN Connection -> Policy -> Local Policy I can't select "IP_Publica_NoIp" because it doesn't appear (it also isn't accepted if I type it).
    Maybe the FQDN addresses are not shown here? I think if I could select it the VPN would work correctly.

    Thank you again




  • Zyxel_Tobias
    Zyxel_Tobias Posts: 123  Zyxel Employee
    Hi AyAk,

    may we contact you temporarily by e-mail to find the right config?

    There may be multiple solutions here, and we can easily find out during a call which is the best for you.

    Let me know.

    Kind Regards,

    Tobias


  • AyAk
    AyAk Posts: 5
    Hello, I think it's a good idea to contact by email.
    Do you know my email?
    Thank you
