How to access local LAN from IPSec VPN tunnel via USG FLEX

ST1
ST1 Posts: 7  Freshman Member
edited September 9 in Security

Hi, I have the following issue:

I would like to access local LAN PCs after having successfully connected via the IPSec VPN tunnel, but I can reach only the USG under its local IP address (192.168.171.1), not any other LAN PC (e.g. 192.168.171.20).

My network route looks as follows:

  • Client PC (Windows) is connected over the Zyxel IPSec VPN Client to the USG Flex 100
  • The USG Flex has 192.168.171.0/24 on LAN1 with directly attached LAN1 PCs
  • The client VPN redirects all traffic via the VPN. The VPN connection is established and working. I can surf the internet with the public IP of the USG. I can also redirect traffic to other VPN tunnels declared in the USG and access remote networks.

But the simplest thing, I guessed, just accessing local LAN PCs after having established the VPN connection to the USG, is not working. Ping error message: "Destination Host Unreachable".

Here are some strange things which worked:

  1. I have almost the same VPN tunnel for Mac clients (which connect over L2TP over IPSec), and these connections can access LAN servers. I have no idea what is different, whether the routing table of the Mac clients is different or the L2TP tunnel is treated differently.
  2. If I change the settings of the Windows clients inside the Zyxel IPSec VPN software from 0.0.0.0 as remote LAN address to 192.168.171.1 with the subnet mask of the target LAN, then LAN access is working, but as expected only LAN traffic is routed via the VPN tunnel. All other traffic is not tunneled, which is not acceptable for me.

Do you have any idea whether I am missing any routing policy rules or anything else to ensure that my IPSec VPN client on Windows can access the remote LAN servers of the USG?

Please find attached some pics of my setup for better visualization:

(1) VPN connection settings with mode config to provide the client with an IP address in LAN1

(2) Policy rule for VPN traffic. Next-hop LAN1 is not allowed :-(

(3) (not working) VPN client settings to route all traffic via the VPN and get the config from the USG

(4) (working) VPN client settings which can access LAN servers, but route only LAN traffic via the USG tunnel :-(

(5) Here are also some diagnostic screenshots of the routing, including the working routing entries for the VPN tunnel for Macs via L2TP.

Many thanks in advance!

All Replies

  • zyman2008
    zyman2008 Posts: 223  Master Member

    Hi @ST1,

    Change the IP pool for the VPN client to a subnet other than 192.168.171.0/24.

    The Zyxel firewall IPSec VPN does not support proxy ARP of the VPN client's IP address to the LAN.

  • ST1
    ST1 Posts: 7  Freshman Member

    Hi @zyman2008,

    thank you very much for the explanation and your suggestion.

    I've changed the IP pool for the VPN client from the LAN1 to the LAN2 subnet and it worked as you explained. I was finally able to access LAN1 servers via IPSec tunnel "1".

    But... I lost the possibility to tunnel through and access remote servers via the outgoing VPN tunnel "2" from the USG to another network, because it uses a site-to-site tunnel with the local policy set to the LAN1 subnet. If I understand it correctly, it means that all incoming traffic from LAN2 will be denied/blocked.

    Do you have any solution for how to access remote VPN resources which "expect" client IPs in the LAN1 subnet instead of LAN2 IPs?

    Thank you in advance.

  • zyman2008
    zyman2008 Posts: 223  Master Member
    edited September 11

    Hi @ST1 ,

    If both site-to-site VPN devices are Zyxel firewalls,

    then create a policy route to enforce the route from the IP of the VPN clients to the remote site.

    Also, on the remote site create a policy route to enforce the route from the remote resources to the IP of the VPN clients.


    Here an example,

    Site 1

    LAN1: 192.168.171.0/24

    VPN Client IP: 192.168.173.0/24 Note: use a subnet that does not overlap with any LANx subnet

    Policy route from VPN clients to LAN1 of remote site:

    src.: 192.168.173.0/24, dst.: 192.168.10.0/24, next-hop: site-to-site tunnel

    Site 2

    LAN1: 192.168.10.0/24

    Policy route from LAN1 to VPN clients

    src.: 192.168.10.0/24, dst.: 192.168.173.0/24, next-hop: site-to-site tunnel

  • ST1
    ST1 Posts: 7  Freshman Member

    Hi @zyman2008,

    unfortunately, the second VPN site is not a Zywall; it's an external site whose policy is configured to LAN1 and should not be changed.

    Please take a look at a network draft:

    Every client needs to be able to access

    • Ext VPN (having a valid IP from the LAN1 subnet due to the ext policy config)
    • and(!) additionally WinServer in LAN1.

    Everything works great except Windows clients connected to the Zywall via the SecureExtender VPN client. They can get an IP via config mode from the LAN1 subnet and can access ExtVPN.

    But because proxy ARP of the VPN client's IP address to the LAN is not supported, as you explained, they cannot access WinServer in the same LAN1 subnet (but Macs using L2TP VPN can do it).

    Connecting Windows clients to the LAN2 segment, as you proposed, solved the problem with accessing WinServer in LAN1, but they have no chance to access ExtVPN due to the failed local policy check.

    Do you have any other ideas how to ensure that all combinations are working? Either to ensure that Windows clients (which get an IP address in LAN1 assigned) can somehow access WinServer in the same LAN1, or to assign Windows clients IPs in LAN2 but use some kind of IP address translation, so that traffic to ExtVPN is changed to an IP from the LAN1 subnet?

    Or any other creative idea?

    Thank you in advance.

  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    edited September 12

    Can you be more detailed about your setup, where everything is connected, with a drawing, IPs and such?

  • zyman2008
    zyman2008 Posts: 223  Master Member

    Hi @ST1,

    I found a way to add proxy ARP via the CLI.

    Let's get back to your original setting for L2TP/IPSec client.

    VPN client Pool: 192.168.171.50 - 192.168.171.99

    SSH to your firewall and use the following CLI to add proxy ARP for the IPs of the VPN clients.

    Router# configure terminal
    Router(config)# interface lan1
    Router(config-if-lan1)# ip proxy-arp 192.168.171.50-192.168.171.99
    Router(config-if-lan1)# ip proxy-arp activate
    Router(config-if-lan1)# exit
    Router(config)# write
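    The three replies above boil down to one routing question: a client pool inside LAN1 only works if the firewall answers ARP for those addresses on lan1 (the proxy-arp CLI above), while a pool in its own subnet is routed normally but then must be covered either by the site-to-site tunnel's local policy or by policy routes in both directions. The following Python script is an added example written for this thread, not Zyxel code and not the poster's configuration; it checks a planned setup against exactly those rules. The plan dictionaries, subnets, proxy-ARP range and route entries are assumptions modelled on the values quoted in the thread (LAN1 192.168.171.0/24, pool .50-.99 or 192.168.173.0/24, remote LAN1 192.168.10.0/24).

```python
"""Sanity checks for an IPsec client pool on a Zyxel-style firewall.

Added example for this thread; not Zyxel code. It models the points raised
in the replies: a pool inside a LAN subnet needs proxy ARP on that interface,
and a pool outside every LAN has to be covered by the site-to-site tunnel's
local policy or by policy routes in both directions. All plan values below
are assumptions based on the thread.
"""
import ipaddress

Net = ipaddress.IPv4Network


def parse_range(text):
    """'a-b' or CIDR -> list of IPv4Network covering exactly those addresses."""
    if "-" in text:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [Net(text)]


def lan_reachability(client_ip, lans, proxy_arp):
    """Per LAN: can a host on that LAN send a reply to the VPN client, and why."""
    ip = ipaddress.IPv4Address(client_ip)
    out = {}
    for lan in lans:
        if ip not in lan:
            out[str(lan)] = (True, "off-subnet: sent to the default gateway (the firewall)")
        elif any(ip in r for r in proxy_arp):
            out[str(lan)] = (True, "same subnet: firewall answers ARP for the client (proxy ARP)")
        else:
            out[str(lan)] = (False, "same subnet: LAN host ARPs for the client and nobody answers")
    return out


def route_coverage(pool, remote_lan, routes, next_hop="site-to-site"):
    """(pool->remote covered, remote->pool covered) by policy routes via the tunnel."""
    def covered(src_nets, dst_nets):
        return all(any(s.subnet_of(rs) and d.subnet_of(rd) and nh == next_hop
                       for rs, rd, nh in routes)
                   for s in src_nets for d in dst_nets)
    return covered(pool, [remote_lan]), covered([remote_lan], pool)


def check_plan(plan):
    lans = [Net(n) for n in plan["lans"]]
    pool = parse_range(plan["vpn_pool"])
    proxy_arp = [n for r in plan.get("proxy_arp", []) for n in parse_range(r)]
    local_policy = Net(plan["s2s_local_policy"])
    remote_lan = Net(plan["s2s_remote_lan"])
    routes = [(Net(s), Net(d), nh) for s, d, nh in plan.get("policy_routes", [])]
    client = plan["sample_client"]

    findings = {
        "pool_overlaps_lan": [str(l) for l in lans if any(p.overlaps(l) for p in pool)],
        "lan_reachability": lan_reachability(client, lans, proxy_arp),
        # The remote peer only accepts traffic whose source matches the local policy.
        "s2s_local_policy_covers_client": ipaddress.IPv4Address(client) in local_policy,
    }
    # Policy routes only matter when the pool lies outside the tunnel's local policy.
    if not all(p.subnet_of(local_policy) for p in pool):
        fwd, rev = route_coverage(pool, remote_lan, routes)
        findings["policy_routes_pool_to_remote"] = fwd
        findings["policy_routes_remote_to_pool"] = rev
    return findings


# Plan A (assumed): pool inside LAN1, proxy ARP added as in the CLI above.
PLAN_A = {
    "lans": ["192.168.171.0/24", "192.168.172.0/24"],
    "vpn_pool": "192.168.171.50-192.168.171.99",
    "proxy_arp": ["192.168.171.50-192.168.171.99"],
    "s2s_local_policy": "192.168.171.0/24",
    "s2s_remote_lan": "192.168.10.0/24",
    "sample_client": "192.168.171.60",
}

# Plan B (assumed): pool in its own subnet, policy route on this side only.
PLAN_B = {
    "lans": ["192.168.171.0/24", "192.168.172.0/24"],
    "vpn_pool": "192.168.173.0/24",
    "s2s_local_policy": "192.168.171.0/24",
    "s2s_remote_lan": "192.168.10.0/24",
    "policy_routes": [("192.168.173.0/24", "192.168.10.0/24", "site-to-site")],
    "sample_client": "192.168.173.10",
}

if __name__ == "__main__":
    for name, plan in (("A", PLAN_A), ("B", PLAN_B)):
        print(name, check_plan(plan))
```

    Run it as-is to see both plans evaluated. Plan A reports that LAN1 hosts can reach the client only because the proxy-ARP range covers it (drop the "proxy_arp" entry and that check flips to False, which is the "Destination Host Unreachable" case from the first post). Plan B reports that every LAN can reach the client via the gateway, but the external tunnel's local policy no longer covers the client and the return policy route on the remote side is missing, which is the trade-off the thread ends on.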

  • ST1
    ST1 Posts: 7  Freshman Member

    Hi @zyman2008,

    thank you for your help and suggestion. It looks very promising, exactly what I need.

    I've tried it out, but unfortunately it didn't help :-(

    But in the meantime I've tried the Shrew Soft VPN Client on the Windows machines and it worked like a charm. I would prefer to use the Zyxel VPN Client (also due to better usability), but the Shrew Soft VPN Client as a workaround is also fine for me.

    Thank you very much for your help.
