How do I get a VPN so I can connect to my LAN from my iphone while out and about?

Hi all

USG60 unit here.  I've previously set up OpenVPN and pfSense to allow me to connect into my LAN and access web servers I have running internally.

How can I replicate this same functionality with the USG 60?  It seems I have to use IPsec and L2TP, but all docs I can find talk about site-to-site setup. I don't see how this applies to my iPhone / laptop.

I followed this guide http://www.zyxel.se/upload/doc/support/usg/iPhone Whitepaper.pdf

but it seems a little out of date and I get an error saying failed to connect.

Any docs would be useful, thanks.

All Replies

  • mMontana
    mMontana Posts: 1,298  Guru Member
    edited September 2021

How can I replicate this same functionality with the USG 60?  It seems I have to use IPsec and L2TP, but all docs I can find talk about site-to-site setup. I don't see how this applies to my iPhone / laptop.
    https://support.zyxel.eu/hc/en-us/articles/4401915685522-How-to-setup-L2TP-VPN-on-USG-ATP-VPN-device-without-Wizard-
    Setup on an already working USG60, so won't run into wizard.

    https://mysupport.zyxel.com/hc/en-us/articles/360005956820-Configure-L2TP-VPN-client-on-iOS
How to configure an L2TP connection on your iOS device. 2 years old, still fits the current versions (AFAIK, from what I saw a few weeks ago).

    https://support.zyxel.eu/hc/en-us/articles/360003503440-L2TP-behind-NAT-on-a-Windows-client
    Don't forget this caveat for Windows... if your laptop is Redmond flavoured (instead of Cupertino sauce).
  • Argh. Thanks for your response. Unfortunately I'm hitting the same issue: L2TP server failed to respond.

    Is it to do with my firewall settings? Is there something else I need to activate?

    There appears to be a rule in the policy control to allow IPsec to all except ZyWALL, and another rule for to ZyWALL.

    I also tried on my MacBook from inside the network, so dunno if that should work, but it also failed with "server failed to respond". Seems my traffic is being blocked; the VPN isn't being brought up at all.

  • I've found some firewall rules, but I still can't get anything other than a "failed to respond".  What firewall rules should I have? I tried the ones here: http://www.iholken.com/index.php/2015/07/19/setup-vpn-l2tpipsec-tunnel-between-zywall-usg-and-windows-phone-8-1-or-iphoneipad/
  • mMontana
    mMontana Posts: 1,298  Guru Member
    edited September 2021
    L2TP server failed to respond.

    Did you add the L2TP service (1701 UDP) to the allowed group of services in the list?
    In my setup the rule is named WAN_To_Device, the service group is called Allow_WAN_To_Zywall.
    I don't remember if I had to manually create the L2TP service in objects...

    Also, for L2TP/IPsec to work, IKE (UDP 500) and NAT-T (UDP 4500) must be allowed from WAN to USG/ZyWALL.
  • Hi, all these things are added to the WAN-to-ZyWALL rule in policies.   Still not working.  I even checked the Zyxel demo unit https://zylab.zyxel.eu/ext-js/index.html# and checked there.  I can't see what is wrong.  Think I'm gonna throw this junk out and get another firewall unless there's something else I can try.   I've been at it 2 days trying to make a simple VPN work.
  • mMontana
    mMontana Posts: 1,298  Guru Member
    PEBKAC?
  • mMontana said:
    PEBKAC?
    I mean it could be, but I've watched the videos, read the guides and checked the online Zyxel-provided demo system.  I know pretty much every option and tick box and what it does.   I think the problem might be my ISP is blocking the ports; I'm not even getting hits in the firewall.
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee

    Is your USG60 placed behind a NAT router? If so, please follow the instructions to allow L2TP services on the NAT router.

    If the WAN IP address of the USG60 is a public IP, just follow the wizard to set up L2TP VPN on the USG60.
    For iOS settings, please follow the instructions in this guide.
  • mMontana
    mMontana Posts: 1,298  Guru Member
    edited September 2021
    I think the problem might be my ISP is blocking the ports; I'm not even getting hits in the firewall.

    This could happen if one of UDP 500, 1701 and 4500 (if behind a NAT) is blocked. If you have any other IPsec-capable device you could check at least for 500 and 4500 (if behind a NAT) with a "temporary" gateway and network...

    But if the ISP is the same as for your previous device which had L2TP working... the theory does not stand that much.

    Troubleshooting an L2TP connection on USG 4.x generation firmware is not "that" easy. I had to triple check all the boxes several times, even though I had that working on 10-15 devices. (And without any kind of wizard.)

    Going back to the USG60: verify that all required protocols (AH, ESP, IKE, NAT-T, L2TP) can reach the device from the ISP, starting from the security policies.
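A small way to sanity-check the point made in this reply and in the earlier one about the WAN_To_Device rule (UDP 500, 4500, 1701 plus ESP and AH must be allowed from WAN to the device) is to model the policy list and evaluate it first-match, the way a firewall does. The script below is an added example, not code from the thread or from Zyxel: the rule model, the zone names `WAN` and `ZyWALL`, and the sample rule list are all constructed for illustration.

```python
"""Check a constructed WAN-to-device policy list for the services an
L2TP/IPsec road-warrior client needs in order to reach the firewall.

Added example; the Rule model and the sample rules are assumptions,
not a dump of a real USG configuration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Services named in the thread. ESP (IP protocol 50) and AH (IP protocol 51)
# are only needed when the client is NOT behind NAT; once NAT-T kicks in,
# IKE moves to UDP 4500 and ESP is UDP-encapsulated on the same port (RFC 3948).
REQUIRED = {
    "IKE":   ("udp", 500),
    "NAT-T": ("udp", 4500),
    "L2TP":  ("udp", 1701),
    "ESP":   ("esp", None),
    "AH":    ("ah", None),
}


@dataclass
class Rule:
    """One security-policy entry (constructed model, not Zyxel's schema)."""
    from_zone: str
    to_zone: str
    action: str                   # "allow" or "deny"
    proto: str = "any"            # "udp", "tcp", "esp", "ah" or "any"
    port: Optional[int] = None    # None means any port (or N/A for esp/ah)

    def matches(self, from_zone: str, to_zone: str, proto: str, port: Optional[int]) -> bool:
        if (self.from_zone, self.to_zone) != (from_zone, to_zone):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.port is not None and self.port != port:
            return False
        return True


def evaluate(rules: List[Rule], from_zone: str, to_zone: str, proto: str, port: Optional[int]) -> bool:
    """First-match semantics: the first matching rule decides; no match = deny."""
    for rule in rules:
        if rule.matches(from_zone, to_zone, proto, port):
            return rule.action == "allow"
    return False


def missing_services(rules: List[Rule], client_behind_nat: bool = False) -> List[str]:
    """Return the names of required services the WAN->device policy does not permit."""
    missing = []
    for name, (proto, port) in REQUIRED.items():
        if client_behind_nat and proto in ("esp", "ah"):
            continue  # carried inside UDP 4500 when NAT-T is in use
        if not evaluate(rules, "WAN", "ZyWALL", proto, port):
            missing.append(name)
    return missing


# Constructed sample: IKE, NAT-T and ESP are allowed, L2TP and AH were forgotten,
# and a catch-all deny sits at the bottom, as it typically does for the device zone.
SAMPLE_RULES = [
    Rule("WAN", "ZyWALL", "allow", "udp", 500),
    Rule("WAN", "ZyWALL", "allow", "udp", 4500),
    Rule("WAN", "ZyWALL", "allow", "esp"),
    Rule("WAN", "ZyWALL", "deny"),
]

if __name__ == "__main__":
    print("missing (no NAT):  ", missing_services(SAMPLE_RULES))
    print("missing (behind NAT):", missing_services(SAMPLE_RULES, client_behind_nat=True))
    # Appending the L2TP allow after the catch-all deny changes nothing,
    # because first match wins; it has to go above the deny.
    late = SAMPLE_RULES + [Rule("WAN", "ZyWALL", "allow", "udp", 1701)]
    early = [Rule("WAN", "ZyWALL", "allow", "udp", 1701)] + SAMPLE_RULES
    print("L2TP allow below deny:", missing_services(late, client_behind_nat=True))
    print("L2TP allow above deny:", missing_services(early, client_behind_nat=True))
```

The ordering check at the end is the part worth carrying over to a real policy list: an allow entry that sits below a broader deny (or below a NAT forward that grabs everything, as the next post in the thread discovers) never fires, even though it looks correct in isolation.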
  • OK.  Another day, I think I'm close but still no cigar.

    I turned on logging for some things and I saw that it turns out I had a NAT rule that forwarded anything to a server inside my network.  Doh!  So I changed this to just the service it needed, which meant that the requests for the VPN were suddenly handled correctly, and I could see the hits in the logs.

    But no luck with the L2TP/IPsec settings... although I could hit the firewall, it was not able to negotiate a connection.

    I read some more.  So I tried IKEv2.

    This seems to work for iPhone; you need AES256, SHA256, DH19.

    Also, in the iPhone settings, set user auth to none, and it then asks for a secret -- this is the pre-shared key configured in the firewall settings.

    Remote ID is the server IP, and local ID is the username... password isn't required...

    Anyway, it connects, negotiates and I get an entry in the log for the active IKEv2 connection under VPN,

    but it doesn't seem to pass any data, and I can't seem to access anything I want, like my local LAN.

    I have to give this connection an IP from my VPN POOL object, so it's getting an address in 192.168.9.10-20, but I want to talk to servers in the 192.168.0.xx range.

    Is there a route I need to add?
    A firewall rule?

    Some other settings?

    I can post all the settings up if required, but maybe for IKEv2 I've missed something.

    Any and all help appreciated.

    Thanks