What firewall rules are needed to allow L2TP over IPSEC from Windows 11

Posts: 14  Freshman Member
edited November 2023 in Security

Hi

I have a USG60 configured to allow VPN connections from Windows 11 via WAN2. All is fine until I enable the Security Policy Control, i.e. I turn on the firewall. What firewall rules are needed to allow the VPN to connect?

*I did have to create a pair of routing policies to allow me to browse the local LAN and internet which I've attached below.

Route_Policy.png

Thanks


All Replies

  • Posts: 3,761  Guru Member

    WAN to Zywall

    UDP 500

    UDP 4500

    UDP 1701

    protocol 50

    VPN zone Ipsec_VPN to Zywall

    UDP 500

    UDP 4500

    UDP 1701

    protocol 50
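As an added illustration, not code from this thread or from Zyxel: a small first-match policy evaluator that checks whether a constructed rule set passes every flow listed in the reply above, and shows how a broad deny rule placed above the allows blocks the tunnel. The zone names ZyWALL and IPSec_VPN and the rule ordering are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Flows an L2TP/IPsec client needs, as listed in the reply above: IKE (UDP 500),
# NAT-T (UDP 4500), L2TP (UDP 1701) and ESP (IP protocol 50), from both zones.
REQUIRED_FLOWS = [
    (zone, "ZyWALL", proto, dport)
    for zone in ("WAN", "IPSec_VPN")
    for proto, dport in (("udp", 500), ("udp", 4500), ("udp", 1701), ("esp", None))
]


@dataclass
class Rule:
    src_zone: str          # zone name or "any"
    dst_zone: str          # zone name or "any"
    proto: str             # "udp", "tcp", "esp" or "any"
    dport: Optional[int]   # None = any port (ESP has no ports)
    action: str            # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        return (self.src_zone in (src, "any")
                and self.dst_zone in (dst, "any")
                and self.proto in (proto, "any")
                and self.dport in (dport, None))


def evaluate(rules, src, dst, proto, dport, default="deny") -> str:
    """First matching rule wins; with no match the default policy applies."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return default


def blocked_flows(rules):
    """Return the required flows that this rule set does not allow."""
    return [flow for flow in REQUIRED_FLOWS if evaluate(rules, *flow) != "allow"]


# Constructed policy following the reply above: one allow per zone and service.
SUGGESTED = [Rule(zone, "ZyWALL", proto, dport, "allow")
             for zone, _, proto, dport in REQUIRED_FLOWS]

# Constructed mis-ordered policy: a catch-all WAN deny sits above the allows,
# so first-match semantics block IKE/NAT-T/ESP before the tunnel can come up.
MISORDERED = [Rule("WAN", "ZyWALL", "any", None, "deny")] + SUGGESTED

if __name__ == "__main__":
    print("suggested policy blocks:", blocked_flows(SUGGESTED))
    print("misordered policy blocks:", blocked_flows(MISORDERED))
```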

  • Posts: 14  Freshman Member

    Hi

    Partial success. The VPN now connects, but no traffic can pass through. I'm guessing I need another rule to allow traffic to pass. I've tried the following.

    VPNRule.png
  • Posts: 3,761  Guru Member
    edited November 2023

    So you should be able to ping the LAN over the VPN?

    Are you looking for the VPN to do internet? Or just to LAN?

Disable those routing rules and make these.

    For LAN

    incoming VPN tunnel

    destination LAN subnet

    next hop auto

    For internet over the VPN below the rule above you need

    incoming VPN tunnel

    next hop WAN

  • Posts: 14  Freshman Member

    Hi

    I'm not able to ping the Zyxel in the current config, or any IP on the LAN.

    I'll have a go of your suggestions above.

  • Posts: 3,761  Guru Member

    just to add

    For LAN

    incoming VPN tunnel

    destination LAN subnet

    SNAT none

  • Posts: 14  Freshman Member
    edited November 2023

    Hi

    It didn't work. I still can't ping the Zyxel or anything on the LAN.

    I've attached the policy below.

    Policy.png
  • Posts: 3,761  Guru Member
    edited November 2023

Can you go to maintenance > diagnostic > network tools > PING IPv4 and ping a device on your LAN? If there is no ping, it's a firewall on that device that's blocking it.

Also check that the zone of the VPN settings is the right one.

And is the IP pool of the VPN not in use by other interfaces?

  • Posts: 14  Freshman Member

    For some reason, when I post the result of the ping, it gets blocked, but not if I post a picture of it.

    ping.png