SSL VPN

Ricky
Ricky Posts: 3  Freshman Member
First Comment Fourth Anniversary
edited April 2021 in Security

I have set up SSL VPN and as a user I can connect. However, the client is not getting a IP address from the Zyxel 110. the Firewall LAN1 IP scope is 192.168.11.1 - .254 , with a DHCP range of 192.168.11.10 - .254. When a SSL VPN client connects it shows connected, how the IP address given is 192.168.11.0 .... and nothing from the DHCP range. I am using SSL VPN client v4.0.3.0 and the firmware on the Firewall is v.4.33 (AAAA.0).

All Replies

  • Ricky
    Ricky Posts: 3  Freshman Member
    First Comment Fourth Anniversary
    Disregard, I figured out the issue. The SSL VPN requires an assigned IP pool that is not on the local LAN1 scope.   I created a Virtual Scope under LAN1 and then added that as a RANGE in Object/Addresses.  once that was done I connected back the the SSLVPN and was handed out an IP within the Virtual Scope and life was good. 
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @Ricky  

    The VPN (SSL VPN/L2TP VPN) pool can’t overlap to other interfaces, otherwise the traffic unable pass into VPN tunnel successfully.

    It’s good hard you found the reason of it. :+1: 

  • DACataldo
    DACataldo Posts: 11  Freshman Member
    First Comment Fourth Anniversary
    edited June 2023

    I have a similar issue where the vpn connects and i get 192.168.201.100 and the server is 192.168.200.1 but I keep getting an ACCESS BLOCK in the log when 201.100 tries to talk to 200.1. What is the issue, please?

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 885  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments

    Hi @DACataldo ,

    Greeting Forum, the default Network Extension Local IP is also 192.168.200.1. It should not overlap with your local subnet.

    Please kindly change IP from 192.168.200.1 to anther one. Thanks

  • DACataldo
    DACataldo Posts: 11  Freshman Member
    First Comment Fourth Anniversary

    Thank you for your reply. My global setting looks like yours. My subnet is 201 not 200 in the VPN config - do you mean like this?

    Thank you so much!

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 885  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments

    Hi @DACataldo ,

    Yes , I means replace the global extension IP from 192.168.200.1 to 192.168.X.X which is not used in your subnet.
    Address 192.168.200.1 is the same as your DNS server

  • DACataldo
    DACataldo Posts: 11  Freshman Member
    First Comment Fourth Anniversary
    edited June 2023

    Thank you for helping. Now it gives me access to the WINS server (10.10.1.14) and also the internet. Still blocking everything else on the 10.10.1.0/24 network though. They get blocked by the default rule. What rule am I missing? Perhaps I should pay for Zycel advice? What is the correct Zyxel phone number that I am supposed to call to pay for someone to fix this for me? Thank you.

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 885  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments

    Hi @DACataldo ,

    Please kindly check :

    1)You have correct Zone for SSL VPN settings

    2)You have default policy From SSLVPN zone to any

    If the issue persist we can have remote session at 08:00~17:00 (UTC+8) . Thank you

  • DACataldo
    DACataldo Posts: 11  Freshman Member
    First Comment Fourth Anniversary
    edited June 2023

    Thank you again for your response! Here is my SSL VPN policy and below that are my security policies:

    It seems to have access to a couple IP addresses on 10.10.1.0/24 and no access to most of that network. And I am using SecuExtender 4.0.4.0 - should I be using 4.0.3.0?

    Thank you again!

    Dave

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 885  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments

    Hi @DACataldo ,

    Could you provide remote GUI access for us.

    I sent you my public IP by private message. You may only allow those for access.

Security Highlight