L2TP/IPsec - problem on one of two WANs
I have an L2TP over IPsec connection working on the WAN 1 connection with a public IP address. Now I have a new WAN 2 connection which uses a different ISP. This new WAN connection goes through a WTTx modem, which has 1:1 NAT (WAN 2 is connected to the DMZ port on the WTTx modem).
Now I have created a new VPN gateway and VPN connection in the ZyWALL USG 50 with the same settings as for the first WAN connection, except that the WAN 1 IP is changed to the WAN 2 IP (not the public IP, but the IP that the WAN 2 interface is set to use to connect to the WTTx modem).
The problem is that VPN connections through this new WAN 2 are not working. When I try to connect, the IKE log always contains "Phase 2 Local policy mismatch". Here is the screenshot of the log:
From other posts in this forum I assume that the problem is in the VPN Connection settings, because the WAN 2 IP address on the ZyWALL is not the same as the public IP address (it is behind the WTTx modem NAT)? If so, how do I correctly set up this scenario?
Thank you very much for any help.
Accepted Solution
-
Hi @Lukas,
ZyWALL 310 supports L2TP server behind NAT router.
Here are three tips.
1. Add a NAT rule on the NAT router for L2TP services IKE, NATT and L2TP-UDP.
2. Add a firewall rule on the NAT router to allow L2TP services IKE, NATT and L2TP-UDP to the destination (ZyWALL 310).
3. On ZyWALL 310, the local policy of VPN connection is the public IP address of the NAT router.
You can follow the steps in this FAQ.
5
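An added illustration of why tip 3 matters (this is not Zyxel code): in quick mode the client's ID payload names the server address it dialled, so a responder whose local policy is its private WAN address sees a mismatch even though the 1:1 NAT delivered the packet. The addresses are constructed and the responder check is a simplified model of the IKE Phase 2 negotiation.

```python
# Simplified model of the IKE Phase 2 (quick mode) identity check that yields
# "Phase 2 Local policy mismatch" when an L2TP/IPsec server sits behind 1:1 NAT.
# Illustration only; all addresses below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address

L2TP_PORT = 1701  # L2TP over UDP (transport-mode selector for L2TP/IPsec)


@dataclass(frozen=True)
class TrafficSelector:
    address: str
    proto: str = "udp"
    port: int = L2TP_PORT


def client_proposal(client_ip: str, server_ip_dialled: str):
    """IDci/IDcr as a Windows L2TP client sends them: its own address and the
    server address it connected to (the NAT router's public IP), UDP 1701."""
    return TrafficSelector(client_ip), TrafficSelector(server_ip_dialled)


def check_phase2(local_policy_ip: str, proposal) -> str:
    """Responder side: the peer's view of the server (IDcr) must equal the
    address configured as the VPN connection's local policy."""
    _, peer_view_of_server = proposal
    if ip_address(peer_view_of_server.address) != ip_address(local_policy_ip):
        return (f"Phase 2 Local policy mismatch: peer proposed "
                f"{peer_view_of_server.address}, local policy is {local_policy_ip}")
    return "Phase 2 OK"


def required_forwarding_rules():
    """UDP services the NAT router must forward and permit to the ZyWALL
    (tips 1 and 2): IKE, NAT-T and L2TP-UDP with their well-known ports."""
    return [("IKE", "udp", 500), ("NATT", "udp", 4500), ("L2TP-UDP", "udp", L2TP_PORT)]


PUBLIC_IP = "198.51.100.10"  # constructed: public IP of the WTTx modem (NAT router)
WAN2_IP = "192.168.100.2"    # constructed: ZyWALL WAN 2 address on the modem's DMZ segment
CLIENT_IP = "203.0.113.77"   # constructed: remote Windows client


def demo():
    proposal = client_proposal(CLIENT_IP, PUBLIC_IP)
    return {
        "local_policy=WAN2 private IP": check_phase2(WAN2_IP, proposal),
        "local_policy=public IP": check_phase2(PUBLIC_IP, proposal),
    }


if __name__ == "__main__":
    for setting, result in demo().items():
        print(f"{setting}: {result}")
```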
All Replies
-
So after a couple of hours I have managed to pass Phase 2; however, after the IPsec tunnel is established (see log screenshot below), the Windows client is waiting for a response and then ends with an error that the remote server does not respond. What should I add or change to complete the VPN connection?
Here is the ZyWALL IKE log screenshot:
Here are the VPN configuration screenshots:
0 -
Hi @Lukas,
ZyWALL USG 50 does not support L2TP server behind NAT.
L2TP server behind NAT is supported since firmware version 4.11.
You may consider USG60/USG110/ATP100/USG FLEX 100 which supports this scenario.
1 -
Hi @Zyxel_Emily, thank you very much, this explains everything.
I plan to replace the ZyWALL USG 50 with a ZyWALL 310. Can I expect the ZyWALL 310 with the latest firmware (I think 4.39) will be able to handle L2TP behind NAT with the above configuration?
1 -
Hi @Zyxel_Emily,
thank you for all the information.
This week I will test L2TP behind NAT on the ZyWALL 310 and I hope everything will work.
1 -
I have moved all configuration to the new ZyWALL 310 and voila, the new L2TP connection behind the NAT is now working. The strange thing is that now this works even when I deactivate the special NAT and firewall rule, but that is not a problem, of course.
Thank you again very much @Zyxel_Emily
1