USG20(remote) No lan access over L2TP from my home network
Hi all,
First of all, I am proud to be here.
This is my question.
I must configure an L2TP VPN for a client (remote VPN) with a USG20-W.
No problem at all, I can connect to their VPN from everywhere.
But I have a problem accessing the remote local network.
HOME(192.168.1.0) ->BBOX-> INTERNET -> LIVEBOX (192.168.1.1) -> USG20(192.168.1.2)
In this configuration I can't access the remote LAN, but the VPN connects fine.
But in this configuration it works. Why?
HOME(192.168.2.0) ->BBOX-> INTERNET -> LIVEBOX (192.168.1.1) -> USG20(192.168.1.2)
As you can see, if I change my home network to anything other than 192.168.1.0 (here 192.168.2.0), I can access the remote LAN.
I tested it from iPhone and OS X (all traffic through the VPN).
Must I enable or configure something else?
Thanks
Comments
-
HOME(192.168.1.0) ->BBOX-> INTERNET -> LIVEBOX (192.168.1.1) -> USG20(192.168.1.2)
The IP subnet of your Home overlaps with the LAN of the USG20.
So traffic from the VPN client on the Home network will not go into the tunnel to the LAN of the USG20.
Changing either the LAN subnet of the USG20 or your Home subnet to another subnet (e.g. 192.168.10.0/255.255.255.0) can solve the issue.
-
Hi, thanks for your answer.
This is what I understood, but I cannot do that because I am not the network administrator; they are just asking me to configure the VPN. So I can't change the network subnet on the remote side.
I can change the subnet on my home side, but the VPN is needed for nomadic VPN users, so they could encounter the same problem in another place they connect from.
Could SNAT be useful in this configuration?
-
SNAT does not help. The problem is the behavior of the client's OS.
In general, a directly connected subnet has higher priority than others.
The client will send traffic out to the local network (192.168.1.0) instead of going into the tunnel.
DNAT could be one solution: map the USG20 LAN to another subnet.
The client then connects to the mapped IP address instead of the 192.168.1.0 subnet.
It works for IPSec VPN, but I'm not sure if it works for L2TP/IPSec.
-
After some testing, it works with DNAT in an L2TP/IPSec tunnel.
Here are the steps:
1. Create an address object for the subnet to map to the USG LAN (192.168.1.0/24).
For example, I selected 192.168.10.0/24 as the mapped address.
Go to Object > Address and add the address object.
2. Configure NAT in the VPN connection rule of L2TP/IPsec.
Go to VPN > IPSec VPN > VPN Connection page. Edit the "WIZ_L2TP_VPN" rule (if the rule was set up via the VPN wizard).
(1) Click "Show Advanced Settings" at the top of the pop-up window.
(2) At the bottom of the page, enable "Destination NAT" of Inbound Traffic.
(3) Add a DNAT rule:
Original IP: select the address object created in step 1.
Mapped IP: select the "LAN1_SUBNET" object.
3. Dial up the VPN from the remote client and access the LAN of the USG20.
Access the 192.168.10.x IP address instead of the original USG20 LAN IP address 192.168.0.x
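
The overlap problem and the 1:1 DNAT mapping discussed in this thread, as an added example that is not part of the original posts or of Zyxel's software: it checks whether a client's local subnet hides the USG20 LAN and computes the alias address to dial. The /24 mask on the home networks and the host 192.168.1.50 are assumptions made for illustration.

```python
import ipaddress

# From the thread: USG20 LAN (LAN1_SUBNET) and the alias subnet chosen in step 1.
REMOTE_LAN = ipaddress.ip_network("192.168.1.0/24")
ALIAS_NET = ipaddress.ip_network("192.168.10.0/24")


def overlaps(client_lan, net):
    """True if the client's directly connected subnet overlaps net. The client OS
    then prefers the local link and the traffic never enters the tunnel."""
    return ipaddress.ip_network(client_lan).overlaps(net)


def translate(ip, src, dst):
    """1:1 NAT arithmetic: keep the host part, swap the network part."""
    ip = ipaddress.ip_address(ip)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 mapping needs equal prefix lengths")
    if ip not in src:
        raise ValueError(f"{ip} is outside {src}")
    return dst.network_address + (int(ip) - int(src.network_address))


def to_alias(real_ip):
    """Address a VPN client dials to reach a host on the USG20 LAN."""
    return translate(real_ip, REMOTE_LAN, ALIAS_NET)


def to_real(alias_ip):
    """Destination after the inbound DNAT rule (alias object -> LAN1_SUBNET)."""
    return translate(alias_ip, ALIAS_NET, REMOTE_LAN)


def destination_for(client_lan, real_ip):
    """Destination a roaming client should use, or an error if the alias subnet
    collides with the network the client is currently sitting on."""
    if overlaps(client_lan, ALIAS_NET):
        raise ValueError(f"{client_lan} overlaps alias {ALIAS_NET}; choose another alias")
    return str(to_alias(real_ip))


if __name__ == "__main__":
    # Constructed sample: host .50 on the USG20 LAN, three client locations.
    for lan in ("192.168.1.0/24", "192.168.2.0/24", "192.168.10.0/24"):
        try:
            print(lan, "direct blocked:", overlaps(lan, REMOTE_LAN),
                  "use:", destination_for(lan, "192.168.1.50"))
        except ValueError as err:
            print(lan, "->", err)
```

The third sample location shows the remaining limit of the workaround: a roaming user whose local network happens to be the alias subnet hits the same overlap, so the alias is best chosen from a range unlikely to be used by home or hotel routers.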