IPSec or L2TP/IPsec successfully established, but the USG admin GUI is unusable

sirivanhoe
sirivanhoe Posts: 18  Freshman Member
First Anniversary Friend Collector First Comment
edited April 2021 in Security
HI,

I'm facing a very weird problem for the first time using several vendors firewall appliances. I've just deployed an USG60 behind a NAT model/router, opened port forwarding as required and configured IPSec VPN (Remote Access) to securely access the firewall from the internet using my MacBook and IPSecuritas client.

Testing the connection with my Mac connected to my mobile phone via tethering, I can see the tunnel correctly established (on the NAT modem/router I see proper logs, on the USG I see proper logs) and I can successfully reach the USG GUI login page pretty smoothly. But once I submit my credentials and I've been successfully authenticated, the navigation in the admin GUI gets incredibly slow, so much that it's actually useless.

If by converse I access via OpenVPN to a machine behind the USG (on its LAN) and from there I access the USG GUI, then everything works flawlessly as expected (just the same moment, the same machine, the same mobile phone, position and connection). Switching forth and back between IPSec on USG and OpenVPN on another server behind it produces consistent results: IPSec unusable, OpenVPN ok.

I can't figure what the problem might be. I've been modifying and relaxing the VPN configuration (e.g. weaker encryption) and even switched config to L2TP/IPsec using the native Mac OS client, getting the very same result nonetheless.

It should be noted that in the past weeks I've been using the same setup (MacBook and IPSecuritas with the same IPSec phase1/phase2 configs) on a much smaller Watchguard XTM and an older SonicWALL TZ series, and I got no problems (tunnel up, firewall GUI administration usable as expected).

I should say that I'm using Firmware Version:V4.30(AAKY.0) / 2017-11-23 21:17:51

Any hint would be greatly appreciated.

Comments

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment

    @sirivanhoe

    For this case,

    Can you help to add a static route for L2TP traffic and check it again?

    Add the static route:

    Example:

    Destination                               Next Hop
    192.168.100.0 (L2TP pool)        lan1 (USG lan site that client trying to access)

    255.255.255.0


    Charlie

  • sirivanhoe
    sirivanhoe Posts: 18  Freshman Member
    First Anniversary Friend Collector First Comment
    edited February 2018
    Thanks for paying attention to this Charlie.

    No, unfortunately it didn't help. Indeed, it looks that the problem is not of a mere routing, since at first I can easily (quickly indeed) reach the login page of the USG GUI. It's once I'm authenticated (and I do, I can see it in the logs apart from seeing the login page disappear in the transition to the initial Status page once logged in), that it slows down becoming unusable (i.e. it takes forever getting to the above mentioned initial Status page of the appliance).

    In case it might turn out helpful, I've just performed a further test. For a few moments I've published on the Internet (via NAT port forwarding on the modem/router) the HTTPS management port of the ZyWALL, and I got the expected proper result: I can reach and "use" the admin GUI of the USG normally, as I can via the OpenVPN. Yet, the problem of course persists if accessing via IPSec established on the USG.
  • [Deleted User]
    [Deleted User] Posts: 118  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    Dear @sirivanhoe

    Can you tick this box and check again?


  • sirivanhoe
    sirivanhoe Posts: 18  Freshman Member
    First Anniversary Friend Collector First Comment
    edited February 2018
    That was it Mark !

    Thanks a lot not only for your attention, but since you got it right and solved my problem, the admin GUI is now fully usable via IPSec as well.

    Thanks again.
    Peppe

Security Highlight