Inter Subnet Communication as VPN Client

Agron
Agron Posts: 5  Freshman Member
First Comment First Anniversary
edited April 2021 in Security

Hi Everyone,

Hoping for your assistance: I am facing an issue accessing a server on the same local network with a Zyxel USG110.

I have configured an L2TP VPN and, using the Windows built-in client, I am able to connect to the Zyxel VPN and also surf the internet. From the client I can ping and access the gateway, which is the Zyxel USG110, but no other resource on that subnet.

To clarify a bit more, the VPN clients are part of another subnet, e.g. 192.168.120.0, while the Zyxel local subnet is 192.168.100.0.

Could someone assist me with what needs to be done for me to communicate with the local subnet?

Accepted Solution

  • warwickt
    warwickt Posts: 111  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary
    Answer ✓

    Hi Agron, simply use Policy Routes. Here's what you might consider trying, with these prerequisites:

    • Your L2TP pool 192.168.120.0/24 - has object name: L2TP_192-168-120-0_POOL
    • the name of your IPSEC Connection is "your_L2TP_Connection"
    • your local LAN (assume LAN1) is 192.168.100.0/24 : LAN1_SUBNET
    • additional Security Policy Rules are needed.

    Here are three (3) simple Policy Routes that provide:

    1. LAN1_SUBNET access to --> L2TP_SUBNET (L2TP_192-168-120-0_POOL)
      1. allows ANY LAN1 host on 192.168.100.0/24 to address any L2TP connected client on 192.168.120.0/24
    2. L2TP_SUBNET (L2TP_192-168-120-0_POOL) --> to LAN1_SUBNET
      1. allows any L2TP connected client on 192.168.120.0/24 to access any host on LAN1 192.168.100.0/24
    3. and lastly L2TP_SUBNET (L2TP_192-168-120-0_POOL) to another VPN client in L2TP_SUBNET (L2TP_192-168-120-0_POOL) .. if you want that
      1. routes any L2TP client to another L2TP client host.

    Use the USG110 WEB UI at Configuration / Network / Policy Routes and add 1 & 2 and optionally 3.

    The three Policy Routes can look like this; take the relevant values for your use.

    1) LAN1_SUBNET access to --> L2TP_SUBNET (L2TP_192-168-120-0_POOL)

    Router> show policy-route 8
    index: 8
     active: yes
     auto-disable: no
     description: LAN1_SUBNET_to_L2TP_SUBNET
     user: any
     schedule: none
     interface: lan1
     tunnel: none
     sslvpn: none
     source: LAN1_SUBNET
     destination: L2TP_192-168-120-0_POOL
     DSCP code: any
     service: any
     srcport: any
     nexthop type: Tunnel
     nexthop: your_L2TP_Connection
     nexthop state: Not support
     auto destination: no
     SNAT: none
     DSCP marking: preserve
     connectivity-check: no

    2) L2TP_SUBNET (L2TP_192-168-120-0_POOL) --> to LAN1_SUBNET

    Router> show policy-route 10
    index: 10
     active: yes
     auto-disable: no
     description: L2TP_SUBNET_to_LAN1_SUBNET
     user: any
     schedule: none
     interface: none
     tunnel: your_L2TP_Connection
     sslvpn: none
     source: L2TP_192-168-120-0_POOL
     destination: LAN1_SUBNET
     DSCP code: any
     service: any
     srcport: any
     nexthop type: Auto
     nexthop: auto
     nexthop state: Not support
     auto destination: no
     SNAT: none
     DSCP marking: preserve
     connectivity-check: no

    and lastly, and optionally....

    3) L2TP_SUBNET (L2TP_192-168-120-0_POOL) to another VPN client in L2TP_SUBNET (L2TP_192-168-120-0_POOL)

    index: 10
     active: yes
     auto-disable: no
     description: L2TP_SUBNET_to_L2TP_SUBNET
     user: any
     schedule: none
     interface: none
     tunnel: your_L2TP_Connection
     sslvpn: none
     source: L2TP_192-168-120-0_POOL
     destination: L2TP_192-168-120-0_POOL
     DSCP code: any
     service: any
     srcport: any
     nexthop type: Tunnel
     nexthop: your_L2TP_Connection
     nexthop state: Not support
     auto destination: no
     SNAT: none
     DSCP marking: preserve
     connectivity-check: no

    Summary: using this technique you may route very specific traffic not only between local subnets (LAN1, LAN2, L2TP_VPN) but also across VTI site-to-site IPSEC tunnels and their associated VPN_L2TP subnets.

    It's most flexible.

    Policy Routes: The key here is NOT to be generic. Use specific sources and destinations. The Zyxel ZyOS in these appliances is nice for creating Objects.

    Security Policy: Make sure you add one (or more) Security Policies to allow traffic from your local LAN1_SUBNET to your IPSEC Tunnel (and one for the reverse).

    Here's an example. Also do one for the reverse direction:

    Router> show secure-policy 11
    secure-policy rule: 11
     name: LAN1_SUBPOOL_to_L2TP_SUBPOOL
     description: LAN1_SUBPOOL_to_L2TP_SUBPOOL
     user: any, schedule: none
     from: LAN1, to: TUNNEL
     source IP: LAN1_SUBNET, source port: any
     destination IP: any, service: any
     log: no, action: allow, status: yes
     connection match: no
     content-filter profile: none
             enable: no, log: by-profile
     anti-spam   profile: none
             enable: no, log: by-profile
     anti-virus  profile: none
             enable: no, log: by-profile
     idp      profile: none
             enable: no, log: by-profile
     app-patrol  profile: none
             enable: no, log: by-profile

    HTH

    Warwick

    Hong Kong
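As an added example (not part of the thread or Zyxel's own tooling), the small audit below parses `show policy-route` output of the shape posted above and checks the two things the answer stresses: that an active route exists in each direction between LAN1_SUBNET and the L2TP pool, and that no active route uses a generic `any` source or destination. The sample output is constructed from routes 8 and 10 above, condensed to the fields the check needs.

```python
# Added example (not from the thread): audit Zyxel "show policy-route" output
# for reciprocal, non-generic LAN1 <-> L2TP routes. Object names follow the post.
import re

LAN1 = "LAN1_SUBNET"
POOL = "L2TP_192-168-120-0_POOL"

# Constructed sample, condensed from routes 8 and 10 in the answer above.
SHOW_OUTPUT = """Router> show policy-route 8
index: 8
 active: yes
 source: LAN1_SUBNET
 destination: L2TP_192-168-120-0_POOL
 nexthop type: Tunnel
Router> show policy-route 10
index: 10
 active: yes
 source: L2TP_192-168-120-0_POOL
 destination: LAN1_SUBNET
 nexthop type: Auto
"""

def parse_policy_routes(text):
    """One dict of 'field: value' pairs per 'index:' block; prompt lines are skipped."""
    routes, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([\w -]+?):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "index":
            current = {"index": int(value)}
            routes.append(current)
        elif current is not None:
            current[key] = value
    return routes

def audit_routes(routes, lan, pool):
    """Return findings; an empty list means both directions exist and are specific."""
    findings = []
    active = [r for r in routes if r.get("active") == "yes"]
    pairs = {(r.get("source"), r.get("destination")) for r in active}
    for src, dst in ((lan, pool), (pool, lan)):
        if (src, dst) not in pairs:
            findings.append("missing active route %s -> %s" % (src, dst))
    for r in active:
        if "any" in (r.get("source"), r.get("destination")):
            findings.append("route %d is generic: use specific objects" % r["index"])
    return findings
```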

All Replies

  • Agron
    Agron Posts: 5  Freshman Member
    First Comment First Anniversary

    Hi Warwick,

    Your detailed explanation has not only solved my issue, but also saved me many hours of research for a solution.

    Thank you, and I highly appreciate your assistance.

    Sincerely

    Agron

  • warwickt
    warwickt Posts: 111  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary

    Hi Agron I'm glad it helped.

    All the best mate!

    Warwick

    Hong Kong

  • jhonplanet
    jhonplanet Posts: 2  Freshman Member
    First Comment

    Hi good afternoon

    I tried to set up the VPN between the Zyxel and my PC but I can't; can you help me please?

    I can't see the tunnel option, or I don't know how to do it.

    I have this error.

    thanks for your help.


  • Zyxel_Vic
    Zyxel_Vic Posts: 282  Zyxel Employee
    25 Answers First Comment Friend Collector Seventh Anniversary

    Hi @jhonplanet

    Did you create an account named "root" to access the device? The system shouldn't allow the account "root" to be configured on the device since it's a reserved account. How about when using another user account? Can you establish the VPN tunnel by using another user account?

  • Froydor
    Froydor Posts: 6  Freshman Member
    First Comment First Anniversary

    Hello all, this is my first time on, so please be gentle. This coronavirus thing has pushed me into a corner and I need help:

    I have 4 offices connected via a VPN mesh; the main office in Little Rock houses a brand new VPN300. The 4 offices have IP plans of 192.168.0.0 (LR), 192.168.1.0 (FV), 192.168.3.0 (BR), and 192.168.4.0 (CH). The Little Rock (LR) office had its old TP-Link VPN replaced with a VPN300.

    I was able to create the site-to-site gateways and connections and have all the offices connected, routed, and working.

    I also created a remote user dial-in plan that authenticates via LDAP. That connection works fine for any user and I can access anything in the local 192.168.0.0 network where the VPN300 is connected. Despite my efforts, I can not figure out how to take a dial-in user, who can access any of the local LR office, and route them to see the other offices. PCs connected in the LR office route through the VPN300 to the other offices without an issue.

    We're losing people big time to working at home and I can not accommodate them.

    I really need help!!!!

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,298  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 50 Answers 1000 Comments

    Hi @Froydor

    Welcome to Zyxel community

    Regarding the topology you deployed, it's our suggestion that you implement a VPN Concentrator to achieve the purpose.

    Here are the example settings of VPN Concentrator:

    https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=015538&lang=EN

    Here are the reference discussions about VPN Concentrator:

    https://businessforum.zyxel.com/discussion/3589/usg60-problem-forwarding-traffic-to-branch-site-server-after-client-established-vpn-tunnel

    https://businessforum.zyxel.com/discussion/1975/cant-add-ipsec-with-dinamyc-peer-gw-in-concentrator

  • warwickt
    warwickt Posts: 111  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary

    Hi Froydor, would you post a new thread for this?

    I'd suggest you either use OSPF or Policy Routes to do what you want over VTI. This is easy and works well.

    Additionally, the use of various local DNSs also works in this way.

    Open a new post rather than tacking on to this one, as people may confuse the OP's issue with yours.
