Access local LAN with SSL VPN
Good morning everyone,
I'm new to the group. I introduce myself: my name is Maurizio, from Italy.
I have a problem configuring SSL VPN with the ZyWALL 110.
I'll explain my configuration briefly.
I have a LAN 192.168.2.0 connected to the ZyWALL, which in turn is connected via the WAN to the ADSL network with public IP a.b.c.d.
We have IPsec site-to-site VPNs with some customers.
We have configured an SSL VPN that assigns IP addresses from 192.168.2.x to 192.168.2.y.
In addition there are some customers who only accept traffic from our public IP a.b.c.d.
We have set in the SSL VPN options:
[X] Enable Network Extension (Full Tunnel Mode)
[X] Force all client traffic to enter SSL VPN tunnel (to make sure that the public IP of the client connected to the VPN is a.b.c.d)
[X] NetBIOS broadcast over SSL VPN Tunnel
The problem is as follows:
Conf 1
In this configuration, SSL clients cannot access the 192.168.2.0 LAN network.
They can access both the site-to-site connected networks and the networks that accept only our public IP a.b.c.d.
Conf 2
If we change the range of the VPN clients' IP addresses, for example using 192.168.3.x to 192.168.3.y instead of 192.168.2.x to 192.168.2.y, the SSL clients are able to access both the local network and the networks that accept our public address a.b.c.d., but not the site-to-site VPN networks.
Conf 3
We only set [X] Enable Network Extension (Full Tunnel Mode), deselecting the "Force all client traffic to enter SSL VPN tunnel" and "NetBIOS broadcast over SSL VPN Tunnel" options. The SSL clients are then no longer connected to the internet with our public IP a.b.c.d but with the IP of their providers; they can access both the remote LAN network and the site-to-site networks, but not the networks that only accept the connection from our public IP.
In this case the problem is that the SSL clients cannot route the traffic through the gateway, because, being on the same network, the IP of the remote LAN is looked up locally.
I tried to add a static route on the SSL client, but with a negative result.
Do you have any suggestions for making the SSL clients able to access all three networks? Or have I made a configuration error?
I hope I have been clear enough.
Thank you in advance
Maurizio.
Comments
maurixone said:
Good morning everyone,
I'm new to the group. I introduce myself: my name is Maurizio, from Italy.
I have a problem configuring SSL VPN with the ZyWALL 110.
I'll explain my configuration briefly. I have a LAN 192.168.2.0 connected to the ZyWALL, which in turn is connected via the WAN to the ADSL network with public IP a.b.c.d.
We have IPsec site-to-site VPNs with some customers.
We have configured an SSL VPN that assigns IP addresses from 192.168.2.x to 192.168.2.y.
In addition there are some customers who only accept traffic from our public IP a.b.c.d.
Thank you in advance,
Maurizio.
I've also got SSL VPN in production (successfully). From the information you give, is the SSL VPN network already existing?
L2TP/SSL/IPsec VPNs should have NO overlapping; that means you have to configure separate network segments for these services to get successfully connected and be able to use this connectivity.
In my experience:
create a Host object with an IP range that does not exist on the USG, so you have a dedicated SSL VPN segment. On your USG you have to configure the SSL VPN zone like an internal zone to get connected remotely to the required and approved destinations/services.
Regards and good luck
Christian
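As an added example (not from the thread and not Zyxel code), a small check for the no-overlap rule stated above: it takes the address segments as CIDR strings or first..last ranges, the way the pool is described in the opening post, and lists every overlapping pair. LAN1 and the "Conf 1"/"Conf 2" pools are the thread's values; the two IPsec remote networks are constructed placeholders.

```python
"""Check a ZyWALL-style VPN address plan for overlapping segments.

Added example for this thread, not Zyxel code. LAN1 and the two SSL VPN pools
come from the thread; the IPsec remote networks are constructed placeholders.
"""
import ipaddress
from itertools import combinations


def range_to_networks(first, last):
    """A RANGE-type address object (first..last) as the CIDR blocks it covers."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def find_overlaps(segments):
    """segments maps a name to a CIDR string or a (first, last) range tuple.
    Returns the sorted (name_a, name_b) pairs whose address space overlaps.
    A hit involving the SSL VPN pool means the pool is not a dedicated segment:
    a client addressed from inside LAN1 treats LAN1 hosts as on-link and looks
    them up locally instead of sending the traffic into the tunnel (Conf 1)."""
    nets = {}
    for name, spec in segments.items():
        if isinstance(spec, tuple):
            nets[name] = range_to_networks(*spec)
        else:
            nets[name] = [ipaddress.ip_network(spec, strict=False)]
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2)
        if any(x.overlaps(y) for x in nets[a] for y in nets[b]))


# Segments shared by both configurations: LAN1 from the thread, IPsec peers constructed.
BASE = {
    "LAN1": "192.168.2.0/24",
    "ipsec_customer_A": "10.10.0.0/24",   # constructed placeholder
    "ipsec_customer_B": "172.16.5.0/24",  # constructed placeholder
}
# Conf 1: pool carved out of LAN1 ("192.168.2.x to 192.168.2.y"); Conf 2: separate /24.
CONF1 = dict(BASE, SSL_VPN_POOL=("192.168.2.200", "192.168.2.210"))
CONF2 = dict(BASE, SSL_VPN_POOL=("192.168.3.200", "192.168.3.210"))

if __name__ == "__main__":
    for label, plan in (("Conf 1", CONF1), ("Conf 2", CONF2)):
        print(label, "overlapping segments:", find_overlaps(plan) or "none")
```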
Hello Christian,
Thanks for the answer.
I created the SSL VPN configuration by following this Zyxel video. Currently I have not configured L2TP VPN, only SSL VPN and IPsec site to site. In the SSL VPN configuration, it has arrived as an SSL_VPN zone. However, I will try to change the SSL configuration zone from SSL_VPN to an internal zone. Can I still use the same address range as the internal network? Thank you very much. I will update the forum later.
Best Regards,
Maurizio
Hello @maurixone,
the base configuration to get connected with SSL VPN is correct, and as you have seen, the SSL_VPN_POOL is not a default IP segment on the ZyWALL device as delivered.
Have you checked, after the connection is established, setting a test rule like SSL_VPN to any -> blocked, with LOG active?
Without any SSL_VPN to LAN1 rule you get no connection to devices that are placed in LAN1.
Can you provide your config file from the USG via PM? (You can delete the users by using a Notepad++ editor, to stay safe with your credentials.) I require only the part with your security policies.
Regards
Christian
Thanks. I sent you a PM.
Thanks for all,
Maurizio
Hi - I am having this same problem. I feel dumb. May I please send over my config file to see what I am missing? I am afraid to add policy entries if it seems that hackers could get in.
Thank you in advance,
Dave
Hi @DACataldo
You can send the startup-config.conf to me in private message. Thanks!
It is sent. Thank you for your time!