L2TP/IPsec - problem on one of two WANs

Lukas
Lukas Posts: 13  Freshman Member
edited April 2021 in Security
Hello,
I have an L2TP over IPsec connection working on the WAN 1 connection with a public IP address. Now I have a new WAN 2 connection which uses a different ISP. This new WAN connection goes through a WTTx modem, which has 1:1 NAT (WAN 2 is connected to the DMZ port on the WTTx modem).

Now I have created a new VPN gateway and VPN connection in the ZyWALL USG 50 with the same settings as for the first WAN connection, except that the WAN 1 IP is changed to the WAN 2 IP (not the public IP, but the IP that the WAN 2 interface is set to connect to the WTTx modem with).

The problem is that VPN connections through this new WAN 2 are not working. When I try to connect, the IKE log always contains "Phase 2 Local policy mismatch". Here is the screenshot of the log:

From other posts in this forum I assume that the problem is in the VPN Connection settings, because the WAN 2 IP address on the ZyWALL is not the same as the public IP address (it is behind the WTTx modem NAT)? If so, how do I correctly set up this scenario?

Thank you very much for any help.

All Replies

  • Lukas
    Lukas Posts: 13  Freshman Member
    So after a couple of hours I have managed to pass Phase 2, however after the IPsec tunnel is established (see log screenshot below), the Windows client is waiting for a response and then ends with an error that the remote server does not respond. What do I need to add or change to complete the VPN connection?

    Here is the ZyWALL IKE log screenshot:

    Here are the VPN configuration screenshots:
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee

    Hi @Lukas,

    ZyWALL USG 50 does not support L2TP server behind NAT.

    L2TP server behind NAT is supported since firmware version 4.11.

    You may consider the USG60/USG110/ATP100/USG FLEX 100, which support this scenario.


  • Lukas
    Lukas Posts: 13  Freshman Member
    Hi @Zyxel_Emily, thank you very much, this explains everything :smile:

    I plan to replace the ZyWALL USG 50 with a ZyWALL 310. Can I expect that the ZyWALL 310 with the latest firmware (I think 4.39) will be able to handle L2TP behind NAT with the above configuration?

  • Lukas
    Lukas Posts: 13  Freshman Member
    Hi @Zyxel_Emily,
    thank you for all the information.

    This week I will test L2TP behind NAT on the ZyWALL 310 and I hope everything will work :smile:

  • Lukas
    Lukas Posts: 13  Freshman Member
    I have moved all configuration to the new ZyWALL 310 and voila, the new L2TP connection behind the NAT is now working. The strange thing is that now this works even when I deactivate the special NAT and firewall rule, but that is not a problem, of course :smile:

    Thank you again very much @Zyxel_Emily :smiley:
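As an added illustration (not code from the thread, from Zyxel, or from the ZyWALL firmware) of why the USG 50 logs "Phase 2 Local policy mismatch" behind the modem's 1:1 NAT: the client's NAT-D payload (RFC 3947) hashes the public address it dialled, so the responder can detect that it sits behind NAT, and a NAT-aware Phase 2 policy then has to accept an L2TP selector that does not name the responder's own interface address. The addresses, IKE cookies and the SHA-1 hash choice are assumptions made for the model.

```python
import hashlib
import ipaddress
import struct

IKE_UDP_PORT = 500    # IKE phase 1 port before NAT-T floats to udp/4500
L2TP_UDP_PORT = 1701  # the only traffic an L2TP/IPsec local policy covers

# Constructed scenario: the client dials the modem's public address, which the
# WTTx modem 1:1-NATs to the ZyWALL WAN 2 interface address (both assumed).
PUBLIC_IP = "203.0.113.10"
WAN2_INTERFACE_IP = "192.168.100.2"
CKY_I = bytes.fromhex("0011223344556677")  # constructed initiator cookie
CKY_R = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port); SHA-1 assumed."""
    packed = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(packed).digest()


def responder_behind_nat(client_dst_nat_d: bytes, own_ip: str,
                         own_port: int = IKE_UDP_PORT) -> bool:
    """NAT sits in front of the responder when the client's hash of the address
    it sent to differs from the responder's hash of its own interface address."""
    return nat_d_hash(CKY_I, CKY_R, own_ip, own_port) != client_dst_nat_d


def phase2_local_policy_matches(proposed: tuple, own_ip: str,
                                behind_nat: bool, nat_aware: bool) -> bool:
    """Strict policy (modelled USG 50 behaviour) only accepts a selector that
    names the interface address; a NAT-aware policy keys on udp/1701 once NAT
    was detected, because the responder cannot know its translated address."""
    ip, proto, port = proposed
    if (proto, port) != ("udp", L2TP_UDP_PORT):
        return False
    if ip == own_ip:
        return True  # WAN 1 case: the public address is the interface address
    return nat_aware and behind_nat


def simulate(client_dials: str, nat_aware: bool) -> str:
    """Responder side: NAT detection from the client's NAT-D, then Phase 2."""
    client_nat_d = nat_d_hash(CKY_I, CKY_R, client_dials, IKE_UDP_PORT)
    behind_nat = responder_behind_nat(client_nat_d, WAN2_INTERFACE_IP)
    selector = (client_dials, "udp", L2TP_UDP_PORT)
    if phase2_local_policy_matches(selector, WAN2_INTERFACE_IP, behind_nat, nat_aware):
        return "IPsec SA established"
    return "Phase 2 Local policy mismatch"
```

Running `simulate(PUBLIC_IP, nat_aware=False)` reproduces the mismatch from the original post, while the NAT-aware variant proceeds to the IPsec SA.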
