USG60 - VPN ipsec IP

ezekiel74 Posts: 11  Freshman Member
edited April 2021 in Security
Hi all,

I configured an ipsec vpn tunnel on my USG60 and everything works fine.
Now I have a question: when I close the VPN I have my original source IP, given by the ISP where I am (client side).
My goal is to have the destination IP given by the ISP where my USG60 is (server side).
Is it possible to configure it as explained above? With OpenVPN I can do this on a USG60's LAN device, but I would like to do it via IPsec directly on the USG60.

Best Regards
eze

All Replies

  • Alfonso
    Alfonso Posts: 257  Master Member
    Hi @ezekiel74

    I am not sure I follow you.

    I understand that you configured an IPsec server for nomad users.

    Obviously, the nomad/remote users are connected to the internet before they establish the VPN tunnel.
    Once they connect, they receive a new IP address provided by the "VPN" (in most cases via DHCP or via RADIUS).

    When the nomad user is disconnected, the "VPN" address is removed.

    I suppose you want to determine the public ip address of the USG60 to establish the VPN.

    That kind of service is called "Dynamic DNS". 

    Once your device is on the internet, it logs in to a Dynamic DNS platform, so the user only needs to remember the DNS name to know the IP address of the VPN server. In most VPN clients, a name can be configured as the remote server.

    More information about how to configure a Zyxel router to use DDNS can be found at:

    https://www.noip.com/support/knowledgebase/setting-ddns-zyxel-router/

    I hope it helps you.

    Enjoy 


  • ezekiel74
    ezekiel74 Posts: 11  Freshman Member
    Hi Alfonso,

    Thanks, but it's a little bit different.
    I already have a DDNS configured.

    Suppose I'm travelling (public IP 81.20.139.26) and the USG60 is at home (public IP 153.23.24.58 with DDNS configured).
    Currently, if I close the VPN tunnel and check my IP with showmyip, I receive 81.20.139.26; the goal is to present myself to the internet with 153.23.24.58. I have already done this scenario with OpenVPN, and I would like to do it with IPsec directly on the USG60.

    Best Regards
    eze




  • Alfonso
    Alfonso Posts: 257  Master Member
    Hi @ezekiel74

    According to your scenario:
    While the VPN is up, the IP address shown for your mobile/laptop should be 153.23.24.58.
    But once the VPN is down ... your IP address will be 81.20.139.26.

    So if I understood you well, you want to configure a nomad IPsec VPN server on the USG60, because you want to "always" show the IP address 153.23.24.58.

    Am I right?


  • ezekiel74
    ezekiel74 Posts: 11  Freshman Member
    Hi @Alfonso
    Yes, it's correct.
  • Alfonso
    Alfonso Posts: 257  Master Member
    Hi @ezekiel74

    I recommend L2TP over IPsec to you.
    Most Android and iOS phones and Windows PCs can be configured to establish this kind of VPN without installing any new app/software.

    Here is a link which shows how to do it:

    https://support.zyxel.eu/hc/en-us/articles/360001390914-L2TP-configuration-on-a-USG-Firewall-using-the-Windows-built-in-client

    I hope it helps you.

    Enjoy


  • ezekiel74
    ezekiel74 Posts: 11  Freshman Member
    Hi @Alfonso  

    So in this way I'll have my home public IP?

    Best Regards
    eze
  • Alfonso
    Alfonso Posts: 257  Master Member
    ezekiel74 said:
    Hi @Alfonso  

    so in this way I'll have my home public ip?

    Best Regards
    eze
    Yes, I usually use my own VPN.

    My mobile is configured to use my VPN server, and once it is connected all flows go via the VPN, so the public IP address shown is that of the VPN server.

    Regards 
  • ezekiel74
    ezekiel74 Posts: 11  Freshman Member
    Hi @Alfonso

    I'll try it calmly. After a couple of attempts I received, from my iPhone, a "No Proposal chosen" error; I have to debug it to understand why.

    Thanks a lot for your suggestion.
    I'll keep you posted.

    Best Regards
    eze
  • Alfonso
    Alfonso Posts: 257  Master Member
    Hi @ezekiel74

    "No proposal chosen": the combination of encryption, hash and DH group is different on the two devices.

    As I do not have an iPhone, I do not know the iPhone's IPsec capabilities.
    But I suppose that the following configuration should work:
    Encryption: AES
    Hash: SHA1
    DH: 2

    I hope you will get it :)

  • Line2
    Line2 Posts: 40  Freshman Member
    edited November 2018
    At least these proposals should work for L2TP with iOS and Win10:
    Phase 1: 3DES, SHA1, DH2
    Phase 2: AES256, SHA1, PFS none
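
The mismatch behind "No proposal chosen", as an added example that is not part of the original thread: in this simplified model the responder accepts an offer only if it equals one of its configured proposals in every attribute. The `Proposal` type, the function names, the client offer lists and the set of values flagged as legacy are assumptions made up for the illustration; the gateway entry is the Phase 1 proposal quoted above.

```python
from typing import NamedTuple, Optional

class Proposal(NamedTuple):
    encryption: str          # e.g. "3DES", "AES256"
    integrity: str           # e.g. "SHA1"
    dh_group: Optional[int]  # None means no DH exchange ("PFS none" in phase 2)

# Values flagged as legacy in this example (assumption of the example:
# 3DES and the 768/1024-bit MODP groups 1 and 2).
LEGACY = {"encryption": {"3DES"}, "dh_group": {1, 2}}

def negotiate(offers, accepted):
    """Responder side: return the first offered proposal that equals a locally
    configured one in every attribute, or None ("no proposal chosen")."""
    allowed = set(accepted)
    for offer in offers:
        if offer in allowed:
            return offer
    return None

def closest_mismatch(offers, accepted):
    """For debugging a failed negotiation: the (offer, configured, fields)
    triple that differs in the fewest attributes."""
    best = None
    for offer in offers:
        for conf in accepted:
            diff = [f for f in Proposal._fields
                    if getattr(offer, f) != getattr(conf, f)]
            if best is None or len(diff) < len(best[2]):
                best = (offer, conf, diff)
    return best

def legacy_parts(proposal):
    """Attributes of a proposal whose value is in the LEGACY table."""
    return [f for f in LEGACY if getattr(proposal, f) in LEGACY[f]]

# Constructed sample data: the gateway entry is the phase 1 proposal quoted in
# the thread; both client offer lists are made up for the demonstration.
GATEWAY_PHASE1 = [Proposal("3DES", "SHA1", 2)]
CLIENT_OK = [Proposal("AES256", "SHA256", 14), Proposal("3DES", "SHA1", 2)]
CLIENT_BAD = [Proposal("AES256", "SHA256", 14), Proposal("AES128", "SHA1", 2)]

if __name__ == "__main__":
    print("match:   ", negotiate(CLIENT_OK, GATEWAY_PHASE1))
    print("no match:", negotiate(CLIENT_BAD, GATEWAY_PHASE1))
    print("closest: ", closest_mismatch(CLIENT_BAD, GATEWAY_PHASE1))
    print("legacy:  ", legacy_parts(GATEWAY_PHASE1[0]))
```

When the negotiation fails, the closest pair points at the single attribute to change on one side; the legacy check shows which parts of an agreed proposal are worth replacing once both peers support something stronger.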
