Connection VPN L2TP on local network works, but not by internet; DMZ is OK on modem to USG
ptibonhomme
Hello,
I am trying, little by little, to configure my VPN installation.
Today, my VPN works on the local network, so I tested entering my VPN through another internet connection, but I have errors:
I don't understand why there are errors between phase 1 and 2 when it works locally
Thanks for your help
All Replies
-
Hi @ptibonhomme
You can make sure "My Address" setting of VPN phase 1 is configured as "0.0.0.0".
And also enter CLI command to unlock VPN incoming restriction. After applying configuration, reboot is required.
Router(config)# vpn-interface-restriction deactivate
-
Thanks for the reply. I changed the setting on the USG20, but the problem is the same: the VPN is working for access by LAN but not by internet, always the same error in the IKE log.
Little question: in the client-to-site L2TP configuration method on the Zyxel site, it does not say to open the restriction on the CLI of the USG20.
-
For the "My Address" of phase 1 (0.0.0.0), must I have the same address in phase 2? Or do I keep "interface IP"?
-
Set both phase 1 local policy and phase 2 Domain Name / IPv4 to 0.0.0.0
Check your firewall rules have from WAN to Zywall and from zone IPSec_VPN to Zywall with services ESP, IKE, L2TP-UDP and NATT
-
Hello, I tried with your settings: still no connection.
I show you my settings:
Phase 1:
Phase 2:
The rules:
The log:
I confirm, with these settings, the VPN client is connected if I am on a local network; the problem appears when I try to connect by internet.
Thanks for your help, if you have an idea of the resolution.
-
Is your WAN by Ethernet without PPP? As that might be the issue.
Are you able, with changes, to get the VPN to work over the internet at all?
Maybe the phase 1 and phase 2 have the encryption/authentication set too high?
-
Hello, I modified the settings for the connection:
and I think the encryption is not too high.
-
….or maybe the encryption/authentication is not high enough?
For phase 1 in order
3DES SHA1
AES128 SHA1
key group DH2
For phase 2 in order
AES256 SHA1
AES128 SHA1
3DES SHA1
PFS none
-
I changed the settings but it is not possible to connect; I show you the log.
-
Does the USG have the WAN IP and not behind NAT?