USG220 and policy routes to S2S VPN tunnel

Wojtas
Wojtas Posts: 49  Freshman Member
First Anniversary Friend Collector First Comment
edited April 2021 in Security
Hi!

I have a strange case. I need to use RADIUS  server for L2TP authentication but RADIUS is in a cloud environment and communication to it is going through the S2S VPN tunnel. S2S use VTI with IP  eg. 169.254.222.222. Radius' IP is 10.111.111.111, and my LAN pool is 192.168.0.0/16. Communication from LAN to the cloud environment works perfect, but when Zywall sending packages L2TP authentication is using VTI interface and source IP is 169.254.222.222, and cloud environment cannot route those packages. So  I need to force Zywall to use LAN1 as a source when it is sending packages to Radius.

I did a lot of testing routing policies but communication never started working. Do you have some ideas how to achieve it?

All Replies

  • Zyxel_Tobias
    Zyxel_Tobias Posts: 200  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    Hi Wojtas,

    may SNAT is a solution for that?

    https://support.zyxel.eu/hc/en-us/articles/360001378633-How-to-setup-SNAT-in-a-VPN-tunnel

    it´s just an idea, I didn´t test it due to your use-case is not that standard.

    Otherwise I still think Radius Cloud Server should acceppt USG network and a routing back to it.

    Kind Regards,

    Tobias
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    First Anniversary Friend Collector First Comment
    No, when I have VPN configuration binded to VPN tunnel interface (vti0) I can't use SNAT in VPN configuration. I tried to use Polisy Route but when I selected the incoming ZyWALL then I couldn't set up SNAT.
  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @Wojtas
    Would you share your device remote access to us and let us know what  your RADIUS server IP server is in private message?
    We may help to check on it remotely.
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    First Anniversary Friend Collector First Comment
    edited March 2021
    Hi @Zyxel_Vic

    Sorry but for security reasons I can't

Security Highlight