Create an L2TP VPN on the ZyWALL/USG

Hello,

I have a problem configuring the L2TP VPN service on my Zyxel USG FLEX 100. I tried all the tutorials found on this site and YouTube with no success, and I have been trying to find a solution for more than two weeks.

My Zyxel is behind an ISP router, and I added the Zyxel to the DMZ.

I configured the Zyxel exactly the way shown in the tutorials. My question is: when you add the Zyxel to the DMZ, do I need to set NAT from the ISP to the Zyxel?

The second question is, do I need to change rules on Services?
 

Thanks 

Accepted Solution

  • anno_t34
    anno_t34 Posts: 12  Freshman Member
    Answer ✓
    @srihiru

    Your post is too generic.

    Here are some questions that you should answer:

    1. What kind of VPN do you want to implement?
    Do you want to use the ZyWALL device as a VPN gateway (Remote Access "Server Role") for inbound traffic from the Internet to your local network? Inbound traffic means that the network communication is initiated from the Internet (PC, smartphone, ...). This is the most common scenario, but there are other possibilities too.

    3. What do you mean you "add" the ZyWALL on DMZ? There is the possibility to "add" the ZyWALL to a DMZ, but I don't think that this is your case. Normally a ZyWALL firewall, as Internet gateway, protects/controls the traffic to a network segment designed as DMZ.

    Is your ZyWALL firewall the device which initiates the connection to the Internet, using the credentials provided by your ISP? Or is there another firewall/device on your network used as Internet gateway?

    I suppose that your zywall has a connection to the Internet on wan1/wan2 interface. Right?

    In that case, have a look at the ZyWALL web dashboard to find the IP address of the interface used for Internet routing (wan1 or wan1_ppp ...). If the IP address is in the range 100.68.0.0, it means that your ISP is using CGNAT (Carrier Grade NAT) for clients. If that's the case, you most probably cannot use the ZyWALL firewall as a VPN server with the role "Remote Access (Server Role)". But you can use it as a VPN client: role "Remote Access (Client Role)".

    Otherwise you can implement both VPN Connection types: "Remote Access (Server Role)" and "Remote Access (Client Role)".

    So, what do you intend to do and what kind of Internet access do you have for your zywall?

    Regards!
    A.

All Replies

  • mMontana
    mMontana Posts: 1,298  Guru Member
    srihiru said:
    When you add the ZyXEL on DMZ do I need to set nat from the ISP to Zyxel? 
    It is not easy to answer your question, because the answer depends on the device provided to you by the ISP.

    When I made USGs available for IPsec and L2TP, I never used the DMZ option on the CPE (some didn't even have it), and I created port forwarding rules to allow the USG to always be reachable from the Internet connection. Moreover, for L2TP I had to edit a WAN to ZyWALL rule to allow L2TP traffic to reach the firewall.

  • Hi, thank you very much. I followed a few guides but found the perfect one; it was NAT and WAN IP.

    Network Conditions:

    Router WAN IP: 59.124.163.151

    ZyWALL WAN IP: 192.168.10.33


    Now I can connect via VPN, but the only problem is that I cannot connect to the Internet :( I have access to my local network and to the server. I attached the images of my routing and the service; can you help me by telling me what I did wrong?

    Thank you so much for your support.

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee

    If the USG FLEX 100 is placed behind a NAT router, you can follow the guide in the FAQ article to add a NAT rule for the L2TP service (IKE, NATT, L2TP-UDP) on the router and allow the L2TP service.
    You may also need to create a registry key on the Windows client.
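
The checks discussed in the answers above, as an added example that is not part of the thread or of Zyxel's documentation: it classifies the WAN address the firewall reports, treating the RFC 6598 shared address space 100.64.0.0/10 as carrier-grade NAT, and lists what the upstream router has to forward for the IKE, NATT and L2TP-UDP services. The function names are hypothetical, and the UDP port numbers (500, 4500, 1701) are the standard ones for those services, not values quoted in the thread.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Standard UDP ports behind the service names used in the thread (assumption)
L2TP_IPSEC_UDP = {"IKE": 500, "NATT": 4500, "L2TP-UDP": 1701}


def classify(addr):
    """Return 'cgnat', 'private', 'public' or 'other' for an IP address."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public" if ip.is_global else "other"


def server_role_plan(firewall_wan, router_wan=None):
    """Can inbound L2TP/IPsec reach the firewall, and what must be forwarded?

    firewall_wan: address shown on the firewall's wan1 / wan1_ppp interface.
    router_wan:   WAN address of the ISP router in front of it, if any.
    """
    inner = classify(firewall_wan)
    outer = classify(router_wan) if router_wan else None
    if "cgnat" in (inner, outer):
        return {"reachable": False, "forwards": [],
                "note": "carrier NAT in the path: client role only"}
    if inner == "public":
        return {"reachable": True, "forwards": [],
                "note": "no upstream NAT: allow the services WAN to ZyWALL"}
    if inner == "private" and outer == "public":
        # One forward per service, all pointing at the firewall's WAN address
        forwards = [(name, "udp", port, firewall_wan)
                    for name, port in L2TP_IPSEC_UDP.items()]
        return {"reachable": True, "forwards": forwards,
                "note": "forward on the ISP router, then allow WAN to ZyWALL"}
    return {"reachable": None, "forwards": [],
            "note": "no public address identified: check the router's WAN IP"}


if __name__ == "__main__":
    # Addresses quoted in the thread, plus one constructed CGNAT address
    for fw, rt in [("192.168.10.33", "59.124.163.151"), ("100.68.0.1", None)]:
        print(fw, rt, server_role_plan(fw, rt))
```

A `reachable` value of `None` means the inputs do not show a public address anywhere in the path, so the router's own WAN address should be checked before forwarding anything.
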
  • Hello @srihiru

    Can you post the guides you used to create your L2TP VPN?

    Thank you,
    P
  • PeterUK
    PeterUK Posts: 2,651  Guru Member
    Hello @srihiru

    Can you post the guides you used to create your L2TP VPN?

    Thank you,
    P
    searchArticle!viewBlob.action (zyxel.com)
