USG Flex 100 L2TP VPN problem with shared folders

Hi everyone,

I have a working L2TP VPN Remote Access on a USG Flex 100 installed in an office. Connecting a PC with a hotspot from my phone, I simulate an external connection and it connects. When I try to navigate to the server in the office through its IP, it doesn't respond.

What I'm looking for is:

PC1 uses the VPN to the office and then starts working from home in the shared folders that are on the server. But if he needs to use the internet for browsing or whatever, he's gonna use his/her public IP.

I managed to make it communicate with the server but I have to activate from Windows the flag "Use default gateway on remote network" (or something along those lines, I'm translating it from Italian), but if I flag that setting then the PC won't be able to navigate in the network anymore (don't know why).

These are the screenshots of my VPN (didn't want to make it way longer with screenshots):

LAN is 10.0.0.0/24, the server (10.0.0.2) is in the LAN. Behind the Firewall there is a router (192.168.0.1) that goes directly to the internet.

I don't have any Policy Route or Static Route, nor NAT.

If you need other screenshots or info just let me know.

Thank you all.

Accepted Solution

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 885  Zyxel Employee
    edited March 2023 Answer ✓

    Hi @Rgnvdjfgdfg ,

    Greetings, Forum. That is the split tunnel setting on Windows.

    For your requirement, unselecting "Use default gateway on remote network" is correct.

    But in order to reach 10.0.0.0/24, you have to add the route manually.

    Please find the PowerShell command below. I've tested it and it works fine.

    Add-VpnConnectionRoute -ConnectionName "Your VPN profile name" -DestinationPrefix "10.0.0.0/24"

    (The "route add" command must know the client VPN address first. It changes every time, which is difficult for end users.)

    Thank you

All Replies

  • PeterUK
    PeterUK Posts: 3,390  Guru Member
    edited March 2023

    What is the IP of PC1? Is it on 10.? or even 192.168.51.? before connecting to the VPN?

  • PeterUK
    PeterUK Posts: 3,390  Guru Member

    So, some testing here... it's a limitation of the client VPN that it can't send 10. IPs down the VPN when "Use default gateway on remote network" is unchecked.

    With MS, a way round this is to set the LAN on the USG to 10.0.0.1 with subnet 255.255.255.128 and the VPN pool to 10.0.0.128 with subnet 255.255.255.128.

  • I thought about it too, but I saw many times when setting it up that I couldn't use as VPN pool any subnet already in use. I'm going to try it right now and see if it works, thank you.

  • Rgnvdjfgdfg
    Rgnvdjfgdfg Posts: 12
    edited March 2023

    I did some testing:

    I can't set it up as you said because we have some PCs at the office with IPs like 10.0.0.140, so I can't use 255.255.255.128 as the subnet. I should use 255.255.255.32 to not have problems, but it seems like the USG doesn't accept it. I tried to set 255.255.254.0 on the LAN and a VPN pool from 10.0.1.0 to 10.0.1.100, but still nothing. Looking at ipconfig on PC1, I saw that it gets 255.255.255.255 as the subnet and the gateway is blank. Could that be the cause of it? Or is there a client I could use instead of using the VPN function of Windows?

  • Hi,

    I used the command you just posted:

    Add-VpnConnectionRoute -ConnectionName "Your VPN profile name" -DestinationPrefix "10.0.0.0/24"

    but it didn't give any response. I looked for something about it around the network, and I found the same command with the addition of "-PassThru" at the end. Tried it and now it seems to work just fine.

    Thanks a lot

  • PeterUK
    PeterUK Posts: 3,390  Guru Member

    nice command😎
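
An added example, not part of any post in this thread: one way to apply the split-tunnel setup discussed above and then check that only the office prefix is routed through the VPN. It assumes a per-user Windows built-in VPN profile; the profile name is a placeholder and 203.0.113.10 is a constructed documentation address standing in for "any internet host".

```powershell
# Added example: idempotent split-tunnel setup and verification for a
# Windows built-in VPN profile. Not code from the thread's participants.
$ProfileName = 'Your VPN profile name'   # placeholder, use your own profile name
$OfficeLan   = '10.0.0.0/24'             # office LAN from the thread
$Server      = '10.0.0.2'                # file server from the thread
$PublicTest  = '203.0.113.10'            # constructed address (TEST-NET-3)

# Stop immediately if the profile does not exist.
$vpn = Get-VpnConnection -Name $ProfileName -ErrorAction Stop

# SplitTunneling = $true is the same as unchecking
# "Use default gateway on remote network" in the adapter's IPv4 settings.
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $ProfileName -SplitTunneling $true
}

# Add the office prefix only if the profile does not already carry it,
# so the script can be re-run safely.
if ($vpn.Routes.DestinationPrefix -notcontains $OfficeLan) {
    # By default Add-VpnConnectionRoute prints nothing on success;
    # -PassThru makes it return the route object it created.
    Add-VpnConnectionRoute -ConnectionName $ProfileName `
        -DestinationPrefix $OfficeLan -PassThru
}

# Review every prefix the profile will push into the tunnel. Anything
# beyond the office LAN is traffic you did not intend to send there.
$vpn = Get-VpnConnection -Name $ProfileName
$vpn.Routes.DestinationPrefix

# Once connected, confirm which interface each destination actually uses.
if ($vpn.ConnectionStatus -eq 'Connected') {
    foreach ($target in $Server, $PublicTest) {
        # Find-NetRoute returns the source address and the chosen route;
        # the route is the last object.
        Find-NetRoute -RemoteIPAddress $target |
            Select-Object -Last 1 |
            Format-List @{n='Target';e={$target}}, InterfaceAlias, DestinationPrefix, NextHop
    }
    # SMB reachability of the shared folders (TCP 445).
    Test-NetConnection -ComputerName $Server -Port 445
}
```

With the tunnel up, the server should resolve to the VPN interface and the public test address to the local adapter's default route.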
