Internet per port via IPSec VPN on usgflex100

Good afternoon!
I set up a tunnel between the VPN server and the office usgflex100.
The connection is established, the tunnel goes up, but now I'm faced with the problem that I don't know how to make usg get the Internet via VPN either on one port or on a specific subnet.
I will be grateful for any advice or guide. Thanks.

P.S. If you connect with Win or Linux directly to the VPN, the Internet works.

All Replies

  • zyman2008
    zyman2008 Posts: 225  Master Member
    Hi @Stanislav,
    You need to know what VPN mode the VPN server supports.

    You can refer to this thread first,

    Zyxel firewall does not support behaving as an IPSec VPN client to connect to Express VPN/Nord VPN..., etc.
    It only supports site-to-site IPSec or IPSec VPN server.

  • Hi @zyman2008. I have a personal IPSec VPN.
    If you need any other information on the vpn server, I can provide it.

  • zyman2008
    Hi @Stanislav,
    What's the local/remote network policy of the tunnel established?
    Could you take a GUI screenshot of this tunnel in  MONITOR > VPN Monitor > IPSec

    What's the personal IPSec VPN?
    A cloud service ? (what's the name or web site ?)
    or build and managed by yourself ? (what's the OS platform and IPSec software package ?)

  • @zyman2008
    I build and administer myself.
    Ubuntu 20.04.4 LTS (GNU/Linux 5.13.0-1027-oracle x86_64)
    Used this script (Libreswan)

  • zyman2008
    OK. That script can build up Libreswan and set up an L2TP/IPSec, IKEv1+XAuth, IKEv2 VPN server.

    But you need to add a site-to-site rule and configure iptables rules on your server for the Zyxel firewall.
    Here is what you need to do.
    1. Edit /etc/ipsec.conf to modify the leftsubnet= in the conn rule for Zyxel firewall
    2. Add iptables rules (assume eth0 is the outgoing interface on server)
    (1) A forward rule for to any
    iptables -I FORWARD 8 -s -o eth0 -j ACCEPT
    (2) A SNAT rule for outgoing wan interface of your server to access Internet.
    iptables -t nat -I POSTROUTING -s -o eth0 -j MASQUERADE
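    A dry-run generator for the conn stanza and the two iptables rules described in the reply above, added here as an example (not code from this thread, from Zyxel, or from Libreswan). It assumes a constructed office LAN of 192.168.10.0/24 behind the Zyxel, a server WAN interface eth0, and a placeholder Zyxel public IP 203.0.113.5; it also scopes the FORWARD rule with iptables' policy match so only traffic that arrived inside the IPsec tunnel is forwarded, which the reply's bare -s form does not enforce.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the Libreswan conn block and the
# iptables rules for review; nothing is applied to the running system.
# Assumptions (constructed): office LAN 192.168.10.0/24 behind the Zyxel,
# server WAN interface eth0, Zyxel public IP 203.0.113.5 (placeholder).
# "left" is the Libreswan server, "right" is the Zyxel firewall.

# Site-to-site conn for the Zyxel. leftsubnet=0.0.0.0/0 offers the whole
# Internet through the tunnel; rightsubnet must match the LAN the Zyxel
# announces as its local policy.
gen_conn() {
  office_subnet=$1
  zyxel_wan_ip=$2
  cat <<EOF
conn zyxel-site
  auto=add
  type=tunnel
  authby=secret
  left=%defaultroute
  leftsubnet=0.0.0.0/0
  right=${zyxel_wan_ip}
  rightsubnet=${office_subnet}
  ikev2=insist
EOF
}

# FORWARD rule restricted to packets decapsulated from an IPsec SA
# (-m policy --dir in --pol ipsec), plus the SNAT rule toward the WAN.
# The reply inserts at FORWARD position 8 to fit that script's chain layout;
# here the rule is inserted at the top, adjust if your chain order matters.
gen_iptables() {
  office_subnet=$1
  wan_if=$2
  printf 'iptables -I FORWARD -s %s -m policy --dir in --pol ipsec -o %s -j ACCEPT\n' \
    "$office_subnet" "$wan_if"
  printf 'iptables -t nat -I POSTROUTING -s %s -o %s -j MASQUERADE\n' \
    "$office_subnet" "$wan_if"
}

# Refuse anything that is not a dotted-quad CIDR before it lands in a rule,
# so a typo cannot widen the NAT/forward scope.
valid_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

if valid_cidr 192.168.10.0/24; then
  gen_conn 192.168.10.0/24 203.0.113.5
  gen_iptables 192.168.10.0/24 eth0
fi
```

    Compare the printed conn block against the Zyxel's own local/remote policy in MONITOR > VPN Monitor > IPSec before applying either side.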

  • @zyman2008
    Thank you very much, I will try.