USG220 and policy routes to S2S VPN tunnel

Wojtas
Wojtas Posts: 49  Freshman Member
edited April 2021 in Security
Hi!

I have a strange case. I need to use a RADIUS server for L2TP authentication, but the RADIUS server is in a cloud environment and communication to it goes through the S2S VPN tunnel. The S2S uses a VTI with an IP of e.g. 169.254.222.222. The RADIUS server's IP is 10.111.111.111, and my LAN pool is 192.168.0.0/16. Communication from the LAN to the cloud environment works perfectly, but when the Zywall is sending L2TP authentication packets it is using the VTI interface and the source IP is 169.254.222.222, and the cloud environment cannot route those packets. So I need to force the Zywall to use LAN1 as the source when it is sending packets to the RADIUS server.

I did a lot of testing with routing policies, but communication never started working. Do you have any ideas how to achieve this?
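To verify from a LAN1 host whether the cloud RADIUS server actually answers requests sourced from the 192.168.0.0/16 network (as opposed to the VTI address), here is an added example, not ZyWALL code or anything from this thread: a minimal RFC 2865 Access-Request probe that binds the UDP socket to a chosen source address. Server, secret, user and password values are assumptions you supply.

```python
# Added example: minimal RADIUS Access-Request probe (RFC 2865) bound to an
# explicit source address. Lets you test whether the cloud RADIUS replies when
# the request comes from a LAN1 address instead of the VTI address.
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks, XOR each block
    with MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_password (what the server does), with NUL padding stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) + User-Name + User-Password."""
    attrs = attr(1, user) + attr(2, encode_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def probe(server: str, secret: bytes, user: bytes, password: bytes,
          source_ip: str, port: int = 1812, timeout: float = 3.0):
    """Send one Access-Request from source_ip; return the reply code, or None on timeout
    (no return route from the cloud, or the server does not accept this source network)."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    pkt = build_access_request(ident, user, password, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((source_ip, 0))          # force the source address the cloud must route back to
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    code, reply_id, _ = struct.unpack("!BBH", data[:4])
    return code if reply_id == ident else None
```

Run `probe("10.111.111.111", b"<shared-secret>", b"testuser", b"testpass", "192.168.1.10")` from a LAN1 host; a reply code of 2 or 3 proves the cloud side routes back to the LAN1 network, while None points at the return route or the server's client definition.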

All Replies

  • Zyxel_Tobias
    Zyxel_Tobias Posts: 194  Zyxel Employee
    Hi Wojtas,

Maybe SNAT is a solution for that?

    https://support.zyxel.eu/hc/en-us/articles/360001378633-How-to-setup-SNAT-in-a-VPN-tunnel

It's just an idea; I didn't test it because your use case is not that standard.

Otherwise I still think the RADIUS cloud server should accept the USG network and have a route back to it.

    Kind Regards,

    Tobias
  • Wojtas
    Wojtas Posts: 49  Freshman Member
No, when I have the VPN configuration bound to the VPN tunnel interface (vti0) I can't use SNAT in the VPN configuration. I tried to use a Policy Route, but when I selected the incoming ZyWALL then I couldn't set up SNAT.
  • Zyxel_Vic
    Zyxel_Vic Posts: 263  Zyxel Employee
    Hi @Wojtas
Would you share your device remote access with us and let us know what your RADIUS server IP is in a private message?
    We may help to check on it remotely.
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    edited March 2021
    Hi @Zyxel_Vic

    Sorry but for security reasons I can't
