ATP IPSec VPN
Hello,
I'm currently testing an IPSec VPN on our ATP. It's working correctly when connected outside the company. However, it does not work if we are connected to the internal Wi-Fi and I'm not sure why. The SSL VPN (also Zyxel) that we have been using (not set up by me) works internally. We also have a Site-to-Site VPN (which is IPSec) and that configuration is fairly close to that of the IPSec one. The plan is to allow people to leave the VPN turned on, as some users rove in and out of the building.
Anyway, I'm not sure what information to provide, so please ask and I'll pass along what I can. Quick overview: certificate is installed (as the WAN IP), using Remote Access (Server Role), Gateway is set to our WAN interface, Local Policy is our main LAN subnet, IP pool is separate from all other subnets, DNS servers are set to the main ones (on a different subnet), the Zone is the same as the SSL VPN, and "Allow Traffic Through WAN Zone" is unchecked.
Side question: what is that last option? I looked it up, and checking it seems to indicate that it will be a Full Tunnel, passing all traffic through it. Is that all?
Thanks for your time!
All Replies
-
Hi @NEP,
Could you please provide the VPN event log?
Regarding full tunnel mode, it means all traffic will be forwarded to the remote VPN gateway, operating on a default-route concept.
-
You likely have the VPN gateway set to a WAN interface; you can set this to Domain Name / IPv4 0.0.0.0 for all interfaces, with a local policy of 0.0.0.0.
-
@Zyxel_Cooldia I don't know what the VPN event log is. Looked in View Log and the only Category for VPN is "VPN Dashboard". That doesn't have any information. The only log entry I see is "User user(MAC=) from eap-cfg has logged in/out Device" and only when not on Wi-Fi. Does that mean some logging is turned off? In Log Settings, IKE is disabled but IPSec is set to normal. Thanks for the Full Tunnel clarification, that is what I was thinking.
@PeterUK You may be on to something. The VPN Gateway is set to ge6 (WAN zone) and showing "0.0.0.0, 0.0.0.0" after it. The Local Policy is set to Interface Subnet (specifically that of our LAN). Are you saying that this should be set to 0.0.0.0 somehow? How is that done? Just create an object with 0.0.0.0 and assign it? What does this do exactly? Is it simply defaulting to the firewall for routing when the packets come in?
-
Yes, an object with 0.0.0.0 just means any and all interfaces.
-
Pretty sure I followed what you said. Here is what it looks like now. This does not work without the Wi-Fi off either. The phone simply shows "VPN Connecting…" and a loading spinner.
-
You also need to set Domain Name / IPv4 in the VPN gateway.
-
That is where the VPN Gateway "RemoteAccess_Wi" points to. It's the next tab over in the UI. Unless we are talking about different things, the config page looks exactly like what you posted.
-
You should be able to connect from WAN to Zywall and LAN to Zywall now...
Do you have a policy to allow the VPN to Zywall?
You might need to change the Local ID type in the VPN gateway to DNS, with the content being your DNS name, but on the LAN side have that DNS name point to the LAN gateway IP.
-
But it should work with Local ID type IPv4 and content 0.0.0.0.
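Added example (Python, standard library only; not from the thread, from Zyxel, or from any of the posters): it models the two general points made in the replies above, Zyxel_Cooldia's description of full tunnel as a default route, and PeterUK's point that a 0.0.0.0 local policy means "any". Part 1 is a longest-prefix-match route lookup over two constructed client route tables (split tunnel vs full tunnel). Part 2 is IKEv2 traffic-selector narrowing as described in RFC 7296 section 2.9, which is why a 0.0.0.0/0 local policy accepts whatever the client proposes while a single-subnet policy only works when the proposal overlaps it. All addresses (192.168.1.0/24, 10.10.0.0/24, 203.0.113.10) are constructed for the example and are not the poster's; nothing here diagnoses why the poster's client fails on the internal Wi-Fi.

```python
"""Added example, not code from the Zyxel thread: full-tunnel routing and
IKEv2 traffic-selector narrowing, modelled with the ipaddress module."""
from ipaddress import ip_network, ip_address


# --- Part 1: split tunnel vs full tunnel as a client route table ------------
# A route table is a list of (CIDR prefix, egress interface). The kernel
# picks the most specific matching prefix. "Full tunnel" is nothing more
# than a 0.0.0.0/0 route whose egress is the VPN interface, which is the
# "default route concept" mentioned in the reply.

def lookup(routes, dst):
    """Longest-prefix-match lookup. Returns the egress interface or None."""
    dst = ip_address(dst)
    best = None
    for cidr, iface in routes:
        net = ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


# Constructed sample tables (assumed, illustrative addresses).
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wifi"),          # physical default route stays on Wi-Fi
    ("192.168.1.0/24", "wifi"),     # local Wi-Fi subnet
    ("10.10.0.0/24", "ipsec"),      # only the corporate LAN enters the tunnel
]
FULL_TUNNEL = [
    ("0.0.0.0/0", "ipsec"),         # the tunnel is now the default route
    ("192.168.1.0/24", "wifi"),
    ("203.0.113.10/32", "wifi"),    # host route to the VPN gateway's own
                                    # address so IKE/ESP to it does not get
                                    # routed back into the tunnel
]


# --- Part 2: IKEv2 traffic-selector narrowing --------------------------------
# RFC 7296 section 2.9: the responder may select a subset of the traffic
# selectors the initiator proposed; if nothing overlaps it replies with
# TS_UNACCEPTABLE. Because IPv4 CIDR blocks are either nested or disjoint,
# "overlap" reduces to one block being a subnet of the other.

def narrow(proposed, local_policy):
    """Return the CIDR the responder would accept, or None for TS_UNACCEPTABLE.

    proposed      -- what the client (initiator) asks for, e.g. "0.0.0.0/0"
    local_policy  -- the gateway's configured local policy subnet
    """
    p, l = ip_network(proposed), ip_network(local_policy)
    if p.subnet_of(l):      # client asked for less than (or equal to) policy
        return str(p)
    if l.subnet_of(p):      # client asked for more; responder narrows it down
        return str(l)
    return None             # disjoint: no child SA can be built


if __name__ == "__main__":
    for table_name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        for dst in ("10.10.0.5", "8.8.8.8", "203.0.113.10"):
            print(f"{table_name:5} {dst:>14} -> {lookup(table, dst)}")
    for prop, pol in (("0.0.0.0/0", "10.10.0.0/24"),
                      ("10.10.0.0/24", "0.0.0.0/0"),
                      ("10.20.0.0/24", "10.10.0.0/24")):
        print(f"proposed {prop:>14} vs policy {pol:>14} -> {narrow(prop, pol)}")
```

The narrowing function shows the asymmetry that matters in practice: a full-tunnel client proposes 0.0.0.0/0, and a gateway whose local policy is a single LAN subnet narrows that to the LAN subnet, so only LAN traffic is protected even though the client's route table sends everything into the tunnel. A gateway local policy of 0.0.0.0/0 accepts the full proposal and the two sides agree.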