Inter Subnet Communication as VPN Client
Hi Everyone,
Hoping on your assistance, I am facing issue accessing server on same local network with Zyxel USG110.
I have configured L2TP VPN and using Windows BuiltIn Client, i am being able to connect to Zyxel VPN and also surf the internet. From client i can ping and access the Gateway which is Zyxel USG110, but no other resource on that Subnet.
To clarify bit more, VPN Clients are part of another Subnet ex. 192.168.120.0 while Zyxel local Subnet is 192.168.100.0
May someone assist me on what needs to be done for me to communicate with the local subnet.
Accepted Solution
-
Hi Agron simply use a Policy Routes : here's what you might consider to try with these prerequisites:
- Your L2TP pool 192.168.120.0/24 - has object name: L2TP_192-168-120-0_POOL
- the name of your IPSEC Connection is "your_L2TP_Connection"
- your local LAN (assume LAN1) is 192.168.100.0/24 : LAN1_SUBNET
- additional Security Policy Rules are needed.
Here's three (3) simple Policy routes that provide:
- LAN1_SUBNET access to --> L2TP_SUBNET (L2TP_192-168-120-0_POOL)
- allows ANY LAN1 host on 192.168.100.0/24 to address any L2TP connect client on 192.168.120.0/24
- L2TP_SUBNET (L2TP_192-168-120-0_POOL) --> to LAN1_SUBNET
- allows any L2TP connect client on 192.168.120.0/24 to access any host on LAN1 192.168.100.0/24
- and lastly L2TP_SUBNET ((L2TP_192-168-120-0_POOL) ) to another VPN client L2TP_SUBNET ((L2TP_192-168-120-0_POOL) .. if you want that
- allows routes any L2TP client to another L2TP client host.
Use the USG110 WEB UI at Configuration / Network /Policy Routes and add 1 & 2 and optionally 3.
The there Policy Routes can look like this: take the relevant values for your use.
1) LAN1_SUBNET access to --> L2TP_SUBNET (L2TP_192-168-120-0_POOL)
Router> show policy-route 8 index: 8 active: yes auto-disable: no description: LAN1_SUBNET_to_L2TP_SUBNET user: any schedule: none interface: lan1 tunnel: none sslvpn: none source: LAN1_SUBNET destination: L2TP_192-168-120-0_POOL DSCP code: any service: any srcport: any nexthop type: Tunnel nexthop: your_L2TP_Connection nexthop state: Not support auto destination: no SNAT: none DSCP marking: preserve connectivity-check: no
2) L2TP_SUBNET (L2TP_192-168-120-0_POOL) --> to LAN1_SUBNET
Router> show policy-route 10 index: 10 active: yes auto-disable: no description: L2TP_SUBNET_to_LAN1_SUBNET user: any schedule: none interface: none tunnel: your_L2TP_Connection sslvpn: none source: L2TP_192-168-120-0_POOL destination: LAN1_SUBNET DSCP code: any service: any srcport: any nexthop type: Auto nexthop: auto nexthop state: Not support auto destination: no SNAT: none DSCP marking: preserve connectivity-check: no
and lastly and optionally....
3) L2TP_SUBNET ((L2TP_192-168-120-0_POOL) ) to another VPN client L2TP_SUBNET ((L2TP_192-168-120-0_POOL)
index: 10 active: yes auto-disable: no description: L2TP_SUBNET_to_L2TP_SUBNET user: any schedule: none interface: none tunnel: your_L2TP_Connection sslvpn: none source: L2TP_192-168-120-0_POOL destination: L2TP_192-168-120-0_POOL DSCP code: any service: any srcport: any nexthop type: Tunnel nexthop: your_L2TP_Connection nexthop state: Not support auto destination: no SNAT: none DSCP marking: preserve connectivity-check: no
Summary, using this technique you may route very specific traffic not only between local subnets (LAN1, LAN1, L2P_VPN) but also VTI site -to-site IPSEC tunnels and their associated VPN_L2TP subnets.
It's most flexible.
Policy Routes: The key here is NOT to be generic. Use specific sources and destinations. The ZYxel ZYOS in these appliances is nice for creating Objects.
Security Policy: Make sure you add a (or more) Security Policy to allow from your local LAN1_SUBNET to your IPSEC Tunnel (and one for the reverse) .
Here's an example. Do one also for vice versa:
Router> show secure-policy 11 secure-policy rule: 11 name: LAN1_SUBPOOL_to_L2TP_SUBPOOL description: LAN1_SUBPOOL_to_L2TP_SUBPOOL user: any, schedule: none from: LAN1, to: TUNNEL source IP: LAN1_SUBNET, source port: any destination IP: any, service: any log: no, action: allow, status: yes connection match: no content-filter profile: none enable: no, log: by-profile anti-spam profile: none enable: no, log: by-profile anti-virus profile: none enable: no, log: by-profile idp profile: none enable: no, log: by-profile app-patrol profile: none enable: no, log: by-profile
HTH
Warwick
Hong Kong
1
All Replies
-
Hi Agron simply use a Policy Routes : here's what you might consider to try with these prerequisites:
- Your L2TP pool 192.168.120.0/24 - has object name: L2TP_192-168-120-0_POOL
- the name of your IPSEC Connection is "your_L2TP_Connection"
- your local LAN (assume LAN1) is 192.168.100.0/24 : LAN1_SUBNET
- additional Security Policy Rules are needed.
Here's three (3) simple Policy routes that provide:
- LAN1_SUBNET access to --> L2TP_SUBNET (L2TP_192-168-120-0_POOL)
- allows ANY LAN1 host on 192.168.100.0/24 to address any L2TP connect client on 192.168.120.0/24
- L2TP_SUBNET (L2TP_192-168-120-0_POOL) --> to LAN1_SUBNET
- allows any L2TP connect client on 192.168.120.0/24 to access any host on LAN1 192.168.100.0/24
- and lastly L2TP_SUBNET ((L2TP_192-168-120-0_POOL) ) to another VPN client L2TP_SUBNET ((L2TP_192-168-120-0_POOL) .. if you want that
- allows routes any L2TP client to another L2TP client host.
Use the USG110 WEB UI at Configuration / Network /Policy Routes and add 1 & 2 and optionally 3.
The there Policy Routes can look like this: take the relevant values for your use.
1) LAN1_SUBNET access to --> L2TP_SUBNET (L2TP_192-168-120-0_POOL)
Router> show policy-route 8 index: 8 active: yes auto-disable: no description: LAN1_SUBNET_to_L2TP_SUBNET user: any schedule: none interface: lan1 tunnel: none sslvpn: none source: LAN1_SUBNET destination: L2TP_192-168-120-0_POOL DSCP code: any service: any srcport: any nexthop type: Tunnel nexthop: your_L2TP_Connection nexthop state: Not support auto destination: no SNAT: none DSCP marking: preserve connectivity-check: no
2) L2TP_SUBNET (L2TP_192-168-120-0_POOL) --> to LAN1_SUBNET
Router> show policy-route 10 index: 10 active: yes auto-disable: no description: L2TP_SUBNET_to_LAN1_SUBNET user: any schedule: none interface: none tunnel: your_L2TP_Connection sslvpn: none source: L2TP_192-168-120-0_POOL destination: LAN1_SUBNET DSCP code: any service: any srcport: any nexthop type: Auto nexthop: auto nexthop state: Not support auto destination: no SNAT: none DSCP marking: preserve connectivity-check: no
and lastly and optionally....
3) L2TP_SUBNET ((L2TP_192-168-120-0_POOL) ) to another VPN client L2TP_SUBNET ((L2TP_192-168-120-0_POOL)
index: 10 active: yes auto-disable: no description: L2TP_SUBNET_to_L2TP_SUBNET user: any schedule: none interface: none tunnel: your_L2TP_Connection sslvpn: none source: L2TP_192-168-120-0_POOL destination: L2TP_192-168-120-0_POOL DSCP code: any service: any srcport: any nexthop type: Tunnel nexthop: your_L2TP_Connection nexthop state: Not support auto destination: no SNAT: none DSCP marking: preserve connectivity-check: no
Summary, using this technique you may route very specific traffic not only between local subnets (LAN1, LAN1, L2P_VPN) but also VTI site -to-site IPSEC tunnels and their associated VPN_L2TP subnets.
It's most flexible.
Policy Routes: The key here is NOT to be generic. Use specific sources and destinations. The ZYxel ZYOS in these appliances is nice for creating Objects.
Security Policy: Make sure you add a (or more) Security Policy to allow from your local LAN1_SUBNET to your IPSEC Tunnel (and one for the reverse) .
Here's an example. Do one also for vice versa:
Router> show secure-policy 11 secure-policy rule: 11 name: LAN1_SUBPOOL_to_L2TP_SUBPOOL description: LAN1_SUBPOOL_to_L2TP_SUBPOOL user: any, schedule: none from: LAN1, to: TUNNEL source IP: LAN1_SUBNET, source port: any destination IP: any, service: any log: no, action: allow, status: yes connection match: no content-filter profile: none enable: no, log: by-profile anti-spam profile: none enable: no, log: by-profile anti-virus profile: none enable: no, log: by-profile idp profile: none enable: no, log: by-profile app-patrol profile: none enable: no, log: by-profile
HTH
Warwick
Hong Kong
1 -
Hi Warwick,
Your detailed explanation has not only solved my issue, but also saved me many hours of research for solution.
Thank you and highly appreciate your assistance.
Sincerely
Agron
1 -
Hi good afternoon
I try to do the VPN between Zyxel and my PC but i cant, can you help me please
I cant see the option tunnel or i dont know how to do.
i have this error.
thanks for your help.
0 -
Hi @jhonplanet
Did you create an account named "root" to access the device? The system shouldn't allow the account "root" to be configured on the device since it's a reserved account. How about when using another user account? Can establish the VPN tunnel by using another user account?
0 -
Hello all, this is my first time on, so please be gentle. This coronavirus thing has pushed my into a corner and I need help:
I have 4 offices connected via a VPN Mesh, the main office in Little Rock houses a brand new VPN300. The 4 offices have IP plans of 192.168.0.0 (LR), 192.168.1.0 (FV), 192.168.3.0 (BR), and 192.168.4.0 (CH), The Little Rock(LR) office had it's old TPLINK VPN replaced with a VPN300.
I was able to create the Site-to-site gateways and connections and have all the offices connected, routed, and working.
I also created a remote user dial-in plan that authenticates via LDAP. That connection works fine for any user and I can access anything in the local 192.168.0.0 network where the VPN300 is connected. Despite my efforts, I can not figure out how to take a dial-in user, who can access any of the local LR office and route them to see the other offices. PC's connected in the LR office route through the VPN300 to the other offices without an issue.
We're loosing people bit time to working and home and I can not accommodate them
I really need help!!!!
0 -
Hi @Froydor
Welcome to Zyxel community
Regarding to the topology you deployed, it’s our suggestion that you can implement VPN Concentrator to achieve the purpose.
Here is the example settings of VPN Concentrator
https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=015538&lang=EN
Here is the reference discussion about VPN Concentrator
https://businessforum.zyxel.com/discussion/1975/cant-add-ipsec-with-dinamyc-peer-gw-in-concentrator
0 -
Hi Froydor would you post a new thread for this?
I'd suggest you either use OSPF or Policy Routes to do what you want over VTI . This is easy and works well.
Additionally the use of various local DNS's also works I'm this way.
open a new post up rather than opting on this as people may confuse the OP's issue with yours.
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 148 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight