Internet per port via IPSec VPN on usgflex100
Good afternoon!
I set up a tunnel between the VPN server and the office usgflex100.
The connection is established, the tunnel goes up, but now I'm faced with the problem that I don't know how to make usg get the Internet via VPN either on one port or on a specific subnet.
I will be grateful for any advice or guide. Thanks.
P.s. If you connect with Win or Linux directly to the VPN, the Internet works.
All Replies
Hi @Stanislav,
You need to know what VPN mode the VPN server supports.
You can refer to this thread first:
https://community.zyxel.com/en/discussion/13182/connect-zyxel-as-a-client-to-strongswan-vpn-server#latest
Zyxel firewall does not support behaving as an IPSec VPN client to connect to Express VPN/Nord VPN..., etc.
It only supports site-to-site IPSec or IPSec VPN server.
Hi @zyman2008. I have a personal IPSec VPN.
If you need any other information on the vpn server, I can provide it.
Hi @Stanislav,
What's the local/remote network policy of the established tunnel?
Could you take a GUI screenshot of this tunnel in MONITOR > VPN Monitor > IPSec?
What's the personal IPSec VPN?
A cloud service? (what's the name or web site?)
Or built and managed by yourself? (what's the OS platform and IPSec software package?)
@zyman2008
I build and administer myself.
Ubuntu 20.04.4 LTS (GNU/Linux 5.13.0-1027-oracle x86_64)
Used this script https://github.com/hwdsl2/setup-ipsec-vpn (Libreswan)
@Stanislav,
OK. That script can build up Libreswan and set up an L2TP/IPSec, IKEv1+XAuth, IKEv2 VPN server.
But you need to add a site-to-site rule and configure iptables rules on your server for the Zyxel firewall.
Here is what you need to do.
1. Edit /etc/ipsec.conf to set leftsubnet=0.0.0.0/0 in the conn rule for the Zyxel firewall
conn
    ...
    leftsubnet=0.0.0.0/0
2. Add iptables rules (assume eth0 is the outgoing interface on the server)
(1) A forward rule for 192.168.21.0/24 to any
iptables -I FORWARD 8 -s 192.168.21.0/24 -o eth0 -j ACCEPT
(2) A SNAT rule for 192.168.21.0/24 on the outgoing WAN interface of your server to access the Internet.
iptables -t nat -I POSTROUTING -s 192.168.21.0/24 -o eth0 -j MASQUERADE
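As an added example (not code from the thread or from the setup-ipsec-vpn project), the following Python script checks a Libreswan conn for the full-tunnel setting described in the last reply and generates the two iptables rules, scoped to the office subnet only so the server does not masquerade traffic for any other source. The conn name "office-usg", the peer address and the sample ipsec.conf content are constructed assumptions; the office LAN 192.168.21.0/24, eth0 and FORWARD position 8 are taken from the reply above.

```python
import re
from ipaddress import ip_network

# Constructed sample of /etc/ipsec.conf (assumption: conn name, peer address,
# and the wrong leftsubnet that would only route 10.0.0.0/8 through the tunnel).
SAMPLE_IPSEC_CONF = """\
config setup
  uniqueids=no

conn office-usg
  auto=add
  leftsubnet=10.0.0.0/8
  right=203.0.113.10
  rightsubnet=192.168.21.0/24
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from a Libreswan-style ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments, keep indentation
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and line[0].isspace() and "=" in line:
            k, v = line.strip().split("=", 1)
            current[k.strip()] = v.strip()
    return conns

def full_tunnel_issues(conn):
    """List why the server would not carry the site's Internet traffic."""
    issues = []
    if conn.get("leftsubnet") != "0.0.0.0/0":
        issues.append("leftsubnet must be 0.0.0.0/0 so the Zyxel sends all traffic into the tunnel")
    if "rightsubnet" not in conn:
        issues.append("rightsubnet (the office LAN) is missing")
    return issues

def iptables_rules(site_subnet, wan_if="eth0", forward_pos=8):
    """FORWARD + MASQUERADE restricted to the office subnet (narrow -s match)."""
    net = ip_network(site_subnet)  # raises ValueError on a malformed subnet
    return [
        f"iptables -I FORWARD {forward_pos} -s {net} -o {wan_if} -j ACCEPT",
        f"iptables -t nat -I POSTROUTING -s {net} -o {wan_if} -j MASQUERADE",
    ]

if __name__ == "__main__":
    conn = parse_conns(SAMPLE_IPSEC_CONF)["office-usg"]
    print(full_tunnel_issues(conn) or "conn ok")
    print("\n".join(iptables_rules(conn["rightsubnet"])))
```

Run it against the real /etc/ipsec.conf by replacing SAMPLE_IPSEC_CONF with the file's contents; the generated rules must sit before any DROP or REJECT the setup script already placed in FORWARD.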