IPSec all traffic through VPN

Dear Community
I've now lost a week trying to solve this and I'm getting frustrated. As our IT supporter has left us standing in the rain, I got the honour of setting up our IT infrastructure as the only "under 40" in the team...
The problem:
Once connected, I want to send all the traffic through the tunnel, which is handled by a Zyxel VPN100, basically what the built-in IPSec over L2TP of Windows does. Unfortunately, Windows does not support a higher authentication than SHA-1, which is too low for our needs. So I've set up the gateway (including EAP) and the VPN connection with the policy not configured as a LAN SUBNET but as an IP range from 0.0.0.0 to 255.255.255.255, and the traffic through WAN allowed.
When I configured the ZyWall IPSec VPN Client, the connection is established and everything works like a charm with one little flaw: the gateway gives the client a new VPN client address on each reconnect, which makes Windows recognize it as a new network connection and ramps up the network connection numbers.

Disabling the auto configuration from the gateway and manually assigning an IP address breaks the VPN and no traffic goes out at all. Is there an easy way to solve this? Basically, what I think would help is to have a user-based IP assignment from the server so Windows would only complain once.

Sorry if this is a silly question, I am not an expert on VPN. And big thanks for any support or hint!

Accepted Solution

  • Zyxel_Cooldia
    Hi @nuke_guy,

    Untick "Request configuration from gateway" in the IPSec VPN client, and set a static IP within the VPN IP address pool. Windows does not pop up a message for a new network connection every time.
    Please keep the VPN phase 2 configuration payload enabled, and just untick "Request configuration from gateway" in the IPSec VPN client.

All Replies

  • mMontana
    Hi @nuke_guy (please don't blow up ;) ).
    I am quite confused about some details...

    In the first part of your post, you refer to an L2TP connection. Then you talk about the ZyWall IPSec VPN client.
    Am I correct in supposing that the question is now about the ZyWall IPSec VPN client? Which version are you using?

    Also... why use such a large subnet (0.0.0.0 / 255.255.255.255) for the VPN connections? IMVHO the subnet should be a reasonably sized one, and push the route to 0.0.0.0 through the VPN connection using the VPN client...
  • Hi @mMontana, thanks for your quick response (don't worry, it needs a lot more for me to blow up ;) )

    You are right, the question is related to the IPSec VPN (Client). I forgot to mention that I have already tried to route to 0.0.0.0, which is also working, but does not change the fact that the IP address given to the client is chosen arbitrarily as the first free IP address in the pool, no matter who connects.

    I'll try to explain it in a bit more detail: I log in with my user credentials and I get the IP address 20.15.1.101. Windows pops up and asks me if I want to allow sharing in this new network (which is then called network 2), so far so good. I do a quick reconnect in the client and my new address is 20.15.1.102, with Windows again welcoming me to the new network 3, and so on and so forth. Me personally, I don't mind, but after all the training of my colleagues to not just click on popups and messages without using their brain first (aka call the young IT guy), now telling them to ignore a Windows message would kind of destroy it all :p

    Again, sorry for the bad description, it is the first VPN I'm trying to set up here.

  • mMontana
    IMVHO 0.0.0.0/255.255.255.255 should never be the subnet of a VPN Connection.
    How many IPSec clients are you expecting to have?
  • nuke_guy
    edited November 2021

    At phase 2, it states:
    • Scroll down to the Policy option and set the Local Policy accordingly.  To create a split tunnel and only give access to the local ZLD network use the "LAN1_SUBNET" address object.  To force all traffic through the VPN connection, create an address object with a subnet of 0.0.0.0/0.0.0.0 and select this address object for the local policy.
    Is that not the way to do it? I did not manage to force all traffic through the tunnel otherwise. We will need around 10 IPSec clients and the IP range is set accordingly.

    In the meantime, I might have found the issue with Windows. The IPv4 settings of the TGB No Tunnel and the TGB IPSec network adapters were not set to obtain the IP address and the DNS server automatically, but manually with no input. Switching to auto, the network adapter number still changes, but Windows is not complaining anymore. Not sure if this was the right way to do it, though.
    I take it back.
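    The two configuration details this thread turns on are the shape of the Phase 2 local policy address object (0.0.0.0/0.0.0.0 for a full tunnel versus a LAN subnet for split tunnelling, and the easy mistake of writing 255.255.255.255 as the mask, which yields a single-host /32) and the accepted answer's rule that a manually set client address must sit inside the gateway's VPN address pool. The following Python script is an added illustration, not code from the thread or from Zyxel; the pool boundaries, the LAN1_SUBNET value and the reserved addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample values that mirror the thread; not taken from any real deployment.
FULL_TUNNEL_POLICY = ("0.0.0.0", "0.0.0.0")            # the KB's "all traffic" address object
LAN1_SUBNET_POLICY = ("192.168.1.0", "255.255.255.0")  # assumed value of LAN1_SUBNET
SINGLE_HOST_MISTAKE = ("0.0.0.0", "255.255.255.255")   # a /32: matches exactly one address
VPN_POOL = ("20.15.1.101", "20.15.1.110")              # assumed pool for ~10 clients
DEST = "203.0.113.10"                                   # a documentation-range destination


def policy_scope(address, netmask):
    """Classify a local-policy address object by what the client will route
    through the tunnel: 'full' (default route), 'split' (one subnet) or
    'single-host' (a /32, almost always a typo for 0.0.0.0/0.0.0.0)."""
    net = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
    if net.prefixlen == 0:
        return "full"
    if net.prefixlen == 32:
        return "single-host"
    return "split"


def routed_via_tunnel(policy, destination):
    """True if the destination falls inside the local policy address object,
    i.e. the client would send that traffic through the IPSec tunnel."""
    net = ipaddress.IPv4Network("%s/%s" % policy, strict=False)
    return ipaddress.IPv4Address(destination) in net


def static_ip_problems(candidate, pool=VPN_POOL, reserved=()):
    """Checks for the accepted answer's manually set client address: it must lie
    inside the gateway's VPN address pool and must not collide with an address
    already reserved for another user's client. Returns a list of findings."""
    ip = ipaddress.IPv4Address(candidate)
    lo, hi = (ipaddress.IPv4Address(p) for p in pool)
    problems = []
    if not lo <= ip <= hi:
        problems.append(f"{ip} is outside the VPN pool {lo}-{hi}")
    if str(ip) in reserved:
        problems.append(f"{ip} is already assigned to another client")
    return problems


if __name__ == "__main__":
    for name, pol in [("full tunnel", FULL_TUNNEL_POLICY),
                      ("LAN1_SUBNET", LAN1_SUBNET_POLICY),
                      ("/32 typo", SINGLE_HOST_MISTAKE)]:
        print(f"{name:12} -> {policy_scope(*pol):12} {DEST} via tunnel: {routed_via_tunnel(pol, DEST)}")
    print(static_ip_problems("20.15.1.105"))
    print(static_ip_problems("20.15.1.120", reserved={"20.15.1.101"}))
```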

  • Thanks a lot for your help. I had already tried your suggestion before, but I forgot to manually set a DNS server in the "Advanced" tab in the ZyWall. Your command window invited me to ping some external servers, which I could, but I was not able to open them in the browser. For some reason, the DNS server was not transferred when I retrieved the config from the server.
    Now everything works as it should =) Big thanks again for that!

    Take care and have a nice day everyone!
