Access local LAN with SSL VPN

maurixone
maurixone Posts: 7  Freshman Member
edited April 2021 in Security

Good morning everyone

I'm new to the group. I introduce myself: my name is Maurizio, from Italy.
I have a problem configuring SSL VPN with the ZyWALL 110.
I'll explain my configuration briefly.

I have a LAN 192.168.2.0 connected to the ZyWALL, which in turn is connected via the WAN to the ADSL network with public IP a.b.c.d.

We have IPsec site-based VPNs with some customers.

We have configured SSL VPN so that it assigns IP addresses from 192.168.2.x to 192.168.2.y.

In addition, there are some customers who only accept traffic from our public IP a.b.c.d.

We have set, in the SSL VPN options:

X  Enable Network Extension (Full Tunnel Mode)

X Force all client traffic to enter SSL VPN tunnel (to make sure that the public IP of the client connected in VPN is a.b.c.d)

X NetBIOS broadcast over SSL VPN Tunnel

The problem is as follows:

Conf 1

In this configuration, SSL clients cannot access the 192.168.2.0 LAN network.

They can access both the site-to-site connected networks and the networks that accept only our public IP a.b.c.d.

Conf 2

If we change the range of IP addresses for the VPN clients, for example using the range 192.168.3.x to 192.168.3.y instead of 192.168.2.x to 192.168.2.y, the SSL clients are able to access both the local network and the networks that accept our public address a.b.c.d., but not the site-to-site VPN networks.

Conf 3

We only set

X Enable Network Extension (Full Tunnel Mode), deselecting the "Force all client traffic to enter SSL VPN tunnel" and "NetBIOS broadcast over SSL VPN Tunnel" options. SSL clients are then no longer connected to the internet with our public IP a.b.c.d but with the IP of their providers; they can access both the remote LAN network and the site-to-site networks, but not the networks that only accept the connection.

In this case the problem is that the SSL clients cannot route the traffic through the gateway, but being on the same network, the IP of the remote LAN network is searched for locally.

I tried to add a static route in the SSL client but with a negative result.

Do you have any suggestions for making SSL clients able to access all three networks? Or did I make a configuration error?

I hope I have been clear enough.

Thank you in advance

Maurizio.

Comments

  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    maurixone said:

    Good morning everyone

    I'm new to the group. I introduce myself: my name is Maurizio, from Italy.
    I have a problem configuring SSL VPN with the ZyWALL 110.
    I'll explain my configuration briefly.

    I have a LAN 192.168.2.0 connected to the ZyWALL, which in turn is connected via the WAN to the ADSL network with public IP a.b.c.d.

    We have IPsec site-based VPNs with some customers.

    We have configured SSL VPN so that it assigns IP addresses from 192.168.2.x to 192.168.2.y.

    In addition, there are some customers who only accept traffic from our public IP a.b.c.d.

    Thank you in advance

    Maurizio.

    Hello Maurizio,
    I also have SSL VPN in production (successfully). From the information you explain, is the SSL-VPN network already existing?

    L2TP/SSL/IPsec VPN should have NO overlapping; that means you have to configure separate network segments for these services to get successfully connected and be able to use this connectivity.

    In my experience:
    create a Host object with an IP range that does not exist on the USG, so you have a dedicated SSL VPN segment. On your USG you have to configure the SSL VPN zone like an internal zone to get connected remotely to the required and approved destinations/services.

    Regards and good luck
    Christian
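The two effects discussed so far (Maurizio's Conf 1 versus Conf 2, and Christian's "no overlapping segments" rule) can be checked on paper with a small script. The following is an added example written for this thread, not Zyxel's code and not anything from the posters' configurations: every address is a constructed sample, the client route table is a deliberately simplified model (own prefix on-link, everything else into the tunnel) rather than the real SecuExtender client's table, and the IPsec phase-2 selector check encodes an assumption about why a dedicated pool reaches the LAN but not the customer sites, which the thread does not confirm.

```python
import ipaddress

# Constructed address plan modelled on the thread; none of these are the
# poster's real values (the public IP a.b.c.d is not needed for this model).
LAN1 = ipaddress.ip_network("192.168.2.0/24")          # office LAN behind the ZyWALL
CUSTOMER_SITE = ipaddress.ip_network("10.10.0.0/24")    # assumed remote subnet of an IPsec site-to-site peer
POOL_CONF1 = ipaddress.ip_network("192.168.2.128/25")   # SSL VPN pool carved out of LAN1 (Conf 1)
POOL_CONF2 = ipaddress.ip_network("192.168.3.0/24")     # dedicated SSL VPN segment (Conf 2 / ChrisGer's advice)


def overlapping_segments(segments):
    """Return every pair of names whose networks overlap; [] is the
    'NO overlapping' state ChrisGer asks for."""
    names = list(segments)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if segments[a].overlaps(segments[b])]


def client_routes(client_ip, prefixlen=24):
    """Simplified route table of a full-tunnel client (an assumption, not the
    SecuExtender client's real table): its own /prefixlen is on-link on the
    virtual adapter, everything else goes into the tunnel."""
    on_link = ipaddress.ip_network(f"{client_ip}/{prefixlen}", strict=False)
    return [(on_link, "on-link"), (ipaddress.ip_network("0.0.0.0/0"), "tunnel")]


def next_hop(routes, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    dest = ipaddress.ip_address(dest)
    matches = [(net, hop) for net, hop in routes if dest in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def ipsec_selector_allows(local_subnets, remote_subnets, src, dst):
    """True if a phase-2 policy with these local/remote selectors carries
    src->dst. A pool missing from the local selector never enters the
    site-to-site SA, a common cause of 'LAN reachable, customer sites not'
    (stated here as an assumption about Conf 2, not confirmed in the thread)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(src in net for net in local_subnets)
            and any(dst in net for net in remote_subnets))


def diagnose(pool, phase2_local=(LAN1,)):
    """What a client drawn from `pool` reaches under the model above."""
    client = pool[5]                       # an address handed out from the pool
    routes = client_routes(client)
    lan_host, site_host = LAN1[10], CUSTOMER_SITE[10]
    return {
        "overlaps": overlapping_segments(
            {"LAN1": LAN1, "SSL_VPN_POOL": pool, "CUSTOMER_SITE": CUSTOMER_SITE}),
        # Conf 1 symptom: LAN1 looks on-link, so the client resolves the LAN
        # host locally instead of sending the packet into the tunnel
        "lan_via": next_hop(routes, lan_host),
        "site_reachable": (next_hop(routes, site_host) == "tunnel"
                           and ipsec_selector_allows(phase2_local, (CUSTOMER_SITE,),
                                                     client, site_host)),
    }


if __name__ == "__main__":
    print("Conf 1:", diagnose(POOL_CONF1))
    print("Conf 2:", diagnose(POOL_CONF2))
    print("Conf 2, pool added to phase-2 local selector:",
          diagnose(POOL_CONF2, phase2_local=(LAN1, POOL_CONF2)))
```

Under this model Conf 1 reports the LAN1/pool overlap and routes LAN hosts "on-link" (unreachable through the tunnel) while the customer site is reachable, and Conf 2 shows no overlap and reaches the LAN through the tunnel but not the customer site until the dedicated pool is also listed in the phase-2 local selector; the third call shows the plan with both fixes applied. Run it after changing the four constants at the top to your own address plan.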


  • maurixone
    maurixone Posts: 7  Freshman Member
    Hello Christian,
    Thanks for the answer.
    I created the SSL VPN configuration by following this Zyxel video.
    Currently I have not configured L2TP VPN, only SSL VPN and IPsec site to site.
    In the SSL VPN configuration, it has arrived as an SSL_VPN zone.
    However, I will try to change the SSL configuration area from SSL_VPN to an internal zone.
    Can I still use the same address range as the internal network?
    Thank you very much.
    I will update the forum later.
    Best Regards
    Maurizio
  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Hello @maurixone
    The base configuration to get connected with SSL VPN is correct, and as you have seen, the SSL_VPN_POOL is not a default IP segment on the ZyWALL device as delivered.
    Have you checked, after the connection is established, setting a test rule like SSL_VPN to any -> blocked with LOG active?

    Without any SSL_VPN to LAN1 you get no connection to devices that are placed in LAN1.

    Can you provide your config file from the USG via P.M.? (You can delete the users by using a Notepad++ editor, to stay safe with your credentials. I require only the part with your security policies.) :)

    Regards
    Christian
  • maurixone
    maurixone Posts: 7  Freshman Member
    Thanks. I sent you a PM.
    Thanks for all.
    Maurizio
  • DACataldo
    DACataldo Posts: 11  Freshman Member

    Hi - I am having this same problem. I feel dumb. May I please send over my config file to see what I am missing? I am afraid to add policy entries if it seems that hackers could get in.

    Thank you in advance,

    Dave

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee

    Hi @DACataldo

    You can send the startup-config.conf to me in private message. Thanks!


  • DACataldo
    DACataldo Posts: 11  Freshman Member

    It is sent. Thank you for your time!
