L2TP remote user on Private LAN?
I'm having issues getting a L2TP VPN setup to my ZyWALL USG 300, and I just saw this note in one of my manuals:
"At the time of writing the L2TP remote user must have a public IP address in order for L2TP VPN to work (the remote user cannot be behind a NAT router or a firewall)."
Is this still the case? - If so, that means L2TP is not really suited for users working from home, as they will all be behind router.
What's the best solution for those?
All Replies
-
Hi KINGOLE if your scenario is something like:
- USG300 with WAN1 to ISP and WAN2 ISP2 etc etc etc to other upstream and
- you want to access from a CLIENT on any local LANxx (phone, mac, pc etc)
Then this will still work ok as long as the public hostnames in 1. above can be resolved by the VPN client in 2.
Example:
- WAN2 - public host kingoletest001.ddns.net (set in USG200 DDNS)
- your LAN clients O/S can resolve the host "kingoletest001.ddns.net"
Just make sure the you have USG300 Policy Routes and Security policy to allow local LANxx clients and their subsequent L2TP IP's to access other internal routes.
If you require Client to site VPN access from other private LANs to the USG300 (for testing for example)., simply
- use another USG300 PORT and
- built an IKE Phase1/Phase2 Remote Site-Client on that USG300 port (WANx, OPTx etc) and
- set a LOCAL DNS AAA record for it so the your internal LAN Client can find it with VPN Client software.
- this is how we test some stuff ...
Working from home?
do you mean the the CLIENT's L2TP VPN mac/pc/phone is on a home router on a usual NAT?
If so then this is the scenario for most L2TP users. your local NAT is problematic with Windows O/S built IN VPN client ONLY if the USG300 itself at the remote site is on a NAT I understand. Then you'll have to perserve with the local WINDOWS 10 registry and some value to pass it though the other end.. may it's this value..AssumeUDPEncapsulationContextOnSendRule ..(1 or 2) -- see the inter webs for this.
Summary:
the standard L2TP VPN with a pre-shared key (PSK) is straight forward to set up with most OS's ( MAcOS. Linux, freebsd/ windows etc and various inbuilt and 3rd party VPN clients ) ... there are tonnes of easy to follow documentation for this and the ZYxel USG appliances.
HTH
Warwick
Hong Kong
0 -
Thanks Warwick. I'll have to warn you that I have not messed with VPN/IPSEC etc. for a very long time, hence the reason that I followed the steps in the ZyXEL user guide.
There will be no phones involved, strictly data.
I have a LAN at work with shared folders which people store relevant documents in.
I have people working from home who would need to be able to access those shared folders.
Basically all home users sits behind the router that was provided to them by their ISP, so they will be on a 10.x.x.x or 192.168.x.x network.
My ZyWALL has only one WAN connection, which is on g2. I use IP address instead of hostname, so no need to look up anything.
I have tried this multiple times, gone over every step. I've even uninstalled the virus protection on my Windows client and disable its firewall, but it just won't work.
I'm sure it's something simple, but I'm not an experienced security guru, so not sure what to look for.
My plan is to read up on this, starting by retaking my CCNA and then going on to CCNA-Security, but my problem is I need to set this up now.
If you know of a link to good documentation/videos, those would be much appreciated.
Thanks,
Ole
1 -
Hi @KINGOLE
Here is the example of setting up L2TP VPN,
VPN Gateway settings
VPN Connection settings
L2TP VPN settings
If your device is behind a NAT router, after setup VPN settings, it need to do NAT settings on router above our device, it have to forward related port of L2TP on the router.
0 -
Thanks Jerry,
I'll compare the settings to the ones I have from the steps specified in the ZyWall User Guide, but at first glance, everything looks pretty much like I recall having it setup.
This is for people at home connecting to my shared folders on our LAN, and they will all be behind an Xfinity or AT&T router on their own little LAN, and none of them will know how to configure their router at home.
Is L2TP not the solution I'm looking for, or?
Thanks.
0 -
The VPN gateway Proposal in order can be
3DES----SHA1
AES128---SHA1
The VPN connection Proposal in order can be
AES256----SHA1
3DES------SHA1
You will need firewall rules
WAN/OPT to ZyWALL---- service VPN_IPSEC (ESP, IKE, L2TP-UDP and NATT)
and zone for the VPN
IPSec_VPN to ZyWALL----service VPN_IPSEC (ESP, IKE, L2TP-UDP and NATT)
0 -
Hi @KINGOLE
Yes, you can use L2TP VPN to achieve your purpose.
If the router above your sharefolder is behind a NAT router,
it need to setup port forwarding on the NAT router , here is the related scenario of L2TP VPN behind nat router
https://businessforum.zyxel.com/discussion/878/usg-110-l2tp-vpn-behind-companion-nat-firewall
0
Ally Member
Zyxel Employee
Guru Member
Categories
- All Categories
- 398 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 83 Nebula Status and Incidents
- 5.2K Security
- 99 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 923 WirelessLAN
- 35 WLAN Ideas
- 5.9K Consumer Product
- 212 Service & License
- 337 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2.1K FAQ
- 1K Nebula FAQ
- 445 Security FAQ
- 238 Switch FAQ
- 213 WirelessLAN FAQ
- 47 Consumer Product FAQ
- 142 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 62 Security Highlight
