USG40 - VPN Traffic VPN2Internet/VPN2LAN and back

IWAT
IWAT Posts: 13  Freshman Member
First Comment
in Security

Hi,
I set up a IKE VPN with my USG40. The VPN establishing works well, but i don't get any internet or LAN access. In the Logs it looks like the traffic goes through VPN2any, but nothing comes back, but i doesn't see any block in the Log.
What could cause thath error?

Br

VPNConnection.jpg
VPNGateway.jpg
VPNLog.jpg
VPNSecurityPolicy1.jpg
VPNSecurityPolicy2.jpg


All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,404  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @IWAT,

    Please send the startup-config.conf to me in private message. Thanks!

    Untitled Image

    See how you've made an impact in Zyxel Community this year!
    https://bit.ly/Your2024Moments_Community

  • IWAT
    IWAT Posts: 13  Freshman Member
    First Comment

    Hi Emily

    Thanks for you help, but the Startup config contains my whole network with PW.
    I would prefer to send you some print screens instead.

    Br Iwat

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,404  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @IWAT,

    We will need the whold startup-config.conf to check if all setting are correctly configured. Before sending the configuration file to me, you can remove this line from the configuration file.

    "username admin encrypted-password xxxxxx user-type admin"

    Untitled Image

    See how you've made an impact in Zyxel Community this year!
    https://bit.ly/Your2024Moments_Community

  • PeterUK
    PeterUK Posts: 3,503  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited February 2024

    Your WAN1 being a 192.168.x.x is no need to hide but when clients get 192.168.x.x over the VPN is not conflict with other subnets?

    You may need to SNAT VPN traffic out the WAN by routeing rule unless the router upstream of USG40 does static route for the VPN clients that get 192.168.x.x

  • IWAT
    IWAT Posts: 13  Freshman Member
    First Comment

    Hi Peter

    The DHCP from the USG is 192.168.2.20 - 192.168.2.200. The VPN gets usually a 192.168.60.xx address, therefore it shouldn't get any conflict. To test it i changed the VPN Adress to 192.168.2.25x, but the error is the same.

    Br Ivo

  • PeterUK
    PeterUK Posts: 3,503  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited February 2024

    Keep VPN clients on another subnet to not conflict

    Change Local policy to 0.0.0.0

    Make routing rule

    incoming VPN tunnel
    next hop WAN
    SNAT outgoing-interface

    Policy Control
    IPSec_VPN to WAN
    and IPSec_VPN to LAN1

    note that access to a PC on LAN1 may have a firewall blocking you

  • IWAT
    IWAT Posts: 13  Freshman Member
    First Comment

    I have added the Routing rule, the Policy Control has already been created.
    But it is still not working.

    VPN_Policy_Route.jpg
    VPN_Policy_VPN2LAN.jpg
    VPN_Policy_VPN2WAN.jpg

  • IWAT
    IWAT Posts: 13  Freshman Member
    First Comment

    I have no idea why, but it works now…

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)