Internet per port via IPSec VPN on usgflex100
Good afternoon!
I set up a tunnel between the VPN server and the office usgflex100.
The connection is established, the tunnel goes up, but now I'm faced with the problem that I don't know how to make usg get the Internet via VPN either on one port or on a specific subnet.
I will be grateful for any advice or guide. Thanks.
P.s. If you connect with Win or Linux directly to the VPN, the Internet works.
All Replies
Hi @Stanislav,
You need to know what VPN mode the VPN server supports.
You can refer to this thread first:
https://community.zyxel.com/en/discussion/13182/connect-zyxel-as-a-client-to-strongswan-vpn-server#latest
Zyxel firewall does not support behaving as an IPSec VPN client to connect to Express VPN/Nord VPN..., etc.
It only supports site-to-site IPSec or IPSec VPN server.
0 -
Hi @zyman2008 . I have a personal IPSec vpn.
If you need any other information on the vpn server, I can provide it.
0 -
Hi @Stanislav,
What's the local/remote network policy of the established tunnel?
Could you take a GUI screenshot of this tunnel in MONITOR > VPN Monitor > IPSec?
What's the personal IPSec VPN?
A cloud service? (what's the name or web site?)
Or built and managed by yourself? (what's the OS platform and IPSec software package?)
0 -
@zyman2008 I build and administer it myself.

Ubuntu 20.04.4 LTS (GNU/Linux 5.13.0-1027-oracle x86_64)
Used this script https://github.com/hwdsl2/setup-ipsec-vpn (Libreswan)
0 -
@Stanislav,
OK. That script can build up Libreswan and set up an L2TP/IPSec, IKEv1+XAuth, IKEv2 VPN server.
But you need to add a site-to-site rule and configure iptables rules on your server for the Zyxel firewall.
Here is what you need to do.
1. Edit /etc/ipsec.conf to modify leftsubnet=0.0.0.0/0 in the conn rule for the Zyxel firewall:
    conn
    ...
    leftsubnet=0.0.0.0/0
2. Add iptables rules (assume eth0 is the outgoing interface on the server):
(1) A forward rule for 192.168.21.0/24 to any:
    iptables -I FORWARD 8 -s 192.168.21.0/24 -o eth0 -j ACCEPT
(2) A SNAT rule for 192.168.21.0/24 on the outgoing WAN interface of your server to access the Internet:
    iptables -t nat -I POSTROUTING -s 192.168.21.0/24 -o eth0 -j MASQUERADE
1 -
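An added helper script (not from the thread or the hwdsl2 project) that checks step 1 and applies step 2 of the reply above idempotently, so re-running it does not stack duplicate iptables rules. It assumes the conn name, the Zyxel LAN 192.168.21.0/24 and the eth0 WAN interface as parameters; the ipsec.conf text is read from stdin so any conf file path works.

```shell
#!/bin/sh
# Added example: checks and applies the two steps from the reply above.
# Assumptions: Libreswan conf in ipsec.conf syntax, remote LAN 192.168.21.0/24,
# server WAN interface eth0 (all passed in as parameters).

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run

# Step 1 check: does the named conn set leftsubnet=0.0.0.0/0 (full-tunnel)?
# Reads ipsec.conf text from stdin and prints "ok" or "missing".
conn_has_full_tunnel() {
  awk -v conn="$1" '
    /^[ \t]*conn[ \t]+/ { cur = $2 }     # remember which conn block we are in
    cur == conn && $0 ~ /^[ \t]*leftsubnet[ \t]*=[ \t]*0\.0\.0\.0\/0[ \t]*$/ { found = 1 }
    END { print (found ? "ok" : "missing") }'
}

# Step 2: print the exact rules from the reply for a given subnet and interface.
render_rules() {  # $1 = LAN behind the Zyxel, $2 = server WAN interface
  printf '%s\n' \
    "$IPTABLES -I FORWARD 8 -s $1 -o $2 -j ACCEPT" \
    "$IPTABLES -t nat -I POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# Insert each rule only when -C reports it is not already present.
apply_rules() {
  $IPTABLES -C FORWARD -s "$1" -o "$2" -j ACCEPT 2>/dev/null \
    || $IPTABLES -I FORWARD 8 -s "$1" -o "$2" -j ACCEPT
  $IPTABLES -t nat -C POSTROUTING -s "$1" -o "$2" -j MASQUERADE 2>/dev/null \
    || $IPTABLES -t nat -I POSTROUTING -s "$1" -o "$2" -j MASQUERADE
}

# The FORWARD rule never sees traffic unless the kernel forwards IPv4 at all.
forwarding_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}
```

The FORWARD rule in the reply matches on source address only; adding iptables' policy match (`-m policy --dir in --pol ipsec`) to it limits forwarding to packets that actually arrived through the IPsec tunnel, which is the check a defender would want if the same source range could ever reach the server unencrypted.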
0