USG20-VPN - VPN Configuration problem

Luca83
Luca83 Posts: 3  Freshman Member
First Comment
edited April 2021 in Security
Good morning everyone.
I've been trying to configure my USG20-VPN for remote access for a while now, but I keep bumping into a very strange problem. Hopefully someone will be able to help me.
The configuration that I'm trying to achieve is the most basic: I simply want to access our internal network from outside.
Following is the configuration I'm currently using: 
Here's the weird part (to me at least): no matter what I do, even though the connection is established, the IP assigned to the client is always 10.10.10.10.
This IP is not configured anywhere in the IPs and Ranges of the firewall, so I have no idea where it gets picked.
What is even weirder is that the firewall seems to assign an IP address in the range I would like (e.g. 192.168.200.x), but then I have no idea where it gets lost and replaced by this 10.10.10.10.
Firmware revision is V4.20 

Any help would be highly appreciated. 
Thanks

Luca

Comments

  • Ian31
    Ian31 Posts: 174  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    The Zyxel IPsec client only supports pure IPsec.
    But the rule you configured on the USG is L2TP/IPsec.

  • Luca83
    Luca83 Posts: 3  Freshman Member
    First Comment
    Thank you so much! Now I can successfully establish a connection and get an IP in the range!

    Would you be so kind as to give me a hint on how I should configure routing so that I can reach my internal network from there?
  • Ian31
    Ian31 Posts: 174  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    By default, you don't need to add routing on the USG or the VPN client.

    The route is automatically added to the dynamic VPN routing table on the USG after the VPN client connects.

    The Zyxel IPsec client uses the Remote LAN address setting to decide which traffic to forward into the tunnel.
    In your case it is 192.168.1.0/255.255.255.0, and this needs to be the same as the Local Policy of the VPN connection rule on the USG.
  • Luca83
    Luca83 Posts: 3  Freshman Member
    First Comment
    Thank you! It's all very clear now!
  • pow3r77
    pow3r77 Posts: 1  Freshman Member
    First Comment
    Luca83 said:
    Thank you! It's all very clear now!
    Hello Luca,
    I have the same problem: tunnel creation is OK, but I can't ping anything, and the address of my tunnel is 10.10.10.10.
    What did you do to solve the problem?
    Thanks in advance!
  • steve15f
    steve15f Posts: 16  Freshman Member
    First Comment Friend Collector
    Hi,
    I've the same problem... thanks
  • RapidEye_IT
    RapidEye_IT Posts: 8  Freshman Member
    First Answer First Comment Friend Collector First Anniversary
    This seems like a Double NAT situation. If your WAN interface is picking up "192.168.x.y", especially as a DHCP address, that means that your WAN device is leasing a private internal network address, effectively acting like its own router. I would address this with your WAN device configuration. Now, some WiFi modem combo boxes or modems provide basic DHCP and NAT functionality so that users may connect a switch to them and expand the network. But, since you have your own ZYXEL firewall to handle your NAT, you need to consult your internet service provider to assist you in switching your modem to bridged mode, whereby your public WAN IP will be leased directly to your ZYXEL on its WAN interface. You should not see "192.168" on the WAN interface if you are attempting to do anything from public to private through the internet.