New SSL VPN connection Setup//unable to connect from remote client

dwestman
dwestman Posts: 7
Hi- 
i am trying to setup a vpn connection for a client using a USG Flex 50W (USG20W-VPN) router.  I have run through the configuration steps for a SSL VPN, and downloaded the Secuextender vpn client on a local Windows 10 Pro machine. However, i am unable to connect remotely.  I have installed the latest firmware.  Is there a log file i can attach, and if so where/how to generate log file? 
If SSL VPN is not the correct VPN setup i need, please advise.  The network is a small workgroup with a computer sharing files.  There is no domain/AD.  The remote client just wants to be able to access files remotely via the vpn.  Client will be using a Mac/Os laptop to connect but i wanted to test the vpn configuration first via my windows machine.  I do not have a firewall running locally that would interfere with trying to connect to the vpn router.
«1

All Replies

  • PeterUK
    PeterUK Posts: 3,331  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Dose the USG have the WAN IP or is behind NAT?

    You may need to allow a firewall rule from WAN to Zywall HTTPS or you can change this port if needed and connect by IP:port


  • dwestman
    dwestman Posts: 7
    The USG has a Wan IP. This is also the address i have been using to try and connect.  It seems to have some progress, i added a the WAN firewall for https, at least now, Iget a prompt stating the connection is untrusted. If i click Yes it disconnects, No it disconnects.

    I created a Self Certificate.  but i am not seeing where i can setup an CA to validate, or add the cert SecuExtender. Please advise?
  • dwestman
    dwestman Posts: 7
    Ive attached a log file from SecuExtender i found on the workstation im trying to connect with.
  • dwestman
    dwestman Posts: 7
    Well it seems i found where to change the cert au for www and i now cannot access the web portal to make changes to the device.  I take it im going to have to reset to defaults? to get access back to the web inteface?
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 875  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments
    Hi @dwestman
    Kindly check there is no overlap ip address (example:interface/routing) with Network Extension Local IP.


    If the issue still persists, Could you provide WebGUI Access and test account for us in Private Messages?

    Kevin
  • dwestman
    dwestman Posts: 7
    Thanks Kevin- As I stated prior, I am unable to access the web portal, even from inside the network.  Changing the Cert Au has made the internal website inaccessible.    The local lan ip is 192.168.1.1 address .  Network extension ip/ is set to the the 192.168.200.1 address, however, I've never heard of this configuration.  The ip range i set for my dhcp pool is 192.168.200.10-25   Should this be set to ad different subnet?
    I believe i was finally getting access to the SSL Vpn  however certificate settings need to be modified so that it self authorizes users.  I created a cert, just need to know proper settings to make that final handshake.   However, i'm not opposed to ipsec or L2..  i just know the client will need split tunneling.

    I have been configurating this through a remote connection to a workstation inside the network. I will have to reset the device to defaults unless you can think of another way to regain access to the web portal interface?  Which i physically wont be onsite and able to do until later in the week.

    Quick question:  Can i set a set a mac address mask on the device when setting up a static ip address for the Wan?
  • PeterUK
    PeterUK Posts: 3,331  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    You don't need to make a certificate unless you want too the default even expired will work clicking yes to the usg20w-vpn_5CE28C60B2B6 should of made a connection.

    Set VPN to another range you want any subnet on the USG and remote PC by SSLVPN to not match.

    You will need to reset the USG if locked out or use console/SSH to disable HTTP to HTTPS and log in by HTTP

    configure terminal

    no ip http secure-server force-redirect


  • dwestman
    dwestman Posts: 7
    I agree PeterUK,
     about the certificate, unfortunately, upon hitting yes to the untrusted network the connection disconnects and loops back to the same status message when trying to reconnect.  
    I designated the VPN dhcp pool to start originally 192.168.20.10-25  the global ip was 192.168.200.1  I then changed the vpn dhcp pool to 192.168.200.10-.25
    while the internal lan dhcp was 192.168.1.1//
    Are you suggesting i should change the ip range to a 10.x.x.x or a 172.x.x.x range instead?  does the global ip have to match in the same range?

    I will have to hard reset the device as i have been trying to configure this through a remote session.  
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 875  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments
    You might login WebGUI after perform the following command
    Router(config)# no ip http secure-server auth-client
    Meanwhile, please check SSLVPN can work .
    Kevin
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 875  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments
    edited May 2022
    Hi @dwestman,
    Thank for your time today, I think the issue is resolved after remote session.
    On the other hands, Please intall the next weekly for fixing SSLVPN issue.
    Please feel free to contact us if you have any assistance.
    Thank you
    Kevin

Security Highlight