How do I have to configure L2TP to connect via L2TP over IPsec from the integrated VPN client in macOS?

zzkwozz
edited April 2021 in Security
Dear community,

I'm new to this forum, but I think together we can get my problem fixed...
I've bought a new USG20W-VPN, which is connected to our company LAN.
We have some employees who need to connect from iPhone, iPad and their home macOS devices to the company network.

I've tried several configurations; this one was my last try, but sadly without success: http://onesecurity.zyxel.com/img/uploads/zywall_l2tp_vpn_setup.pdf

I also tried the SecuExtender software, but with that software there was also no success.
I don't want to force our employees to set up software on their devices, so the best way would be to simply use the integrated macOS VPN client.

Actually, I don't care which VPN type gets me working... I have just noticed that "Cisco VPN" works very well with AVM FritzBoxes.

I hope, dear community, that my problem is understandable (my English is a little bad).
If not, feel free to ask.
My firmware version is 4.33(ABAR.0).

Thank you very much,
zzkwozz

All Replies

  • warwickt
    Hi zzkwozz, for Apple macOS there is no need for external bloatware.....

    1) non-MDM Mac (99%) ... use the stock standard System Preferences / Network Preferences UI as follows:
    1. click on "+" in the left sidebar to add an interface
    2. Interface: "VPN"
    3. VPN Type: "L2TP over IPsec"
    4. Service Name: any customised name
    5. "Create"
    6. select the amber (yellow) VPN interface in the System Preferences / Network UI....
    7. then... "Server Address" = the.externalhostname.com where the VPN is
    8. Account Name = "your account on the server that validates your VPN" .. this could be a /Users/ account or an LDAP account where the password is authenticated. If you use LDAP you will need to have the USG20VPN call an LDAP server with PAP (Windows 10 etc.) (no encryption)... Else, for testing, make sure the account has a user/password in the Zyxel USG20VPN (Objects: Users...)
    9. click Authentication Settings:
    10. Authentication Settings: password for the user account
    11. Authentication Settings: Machine Authentication: *** pre-shared key *** or the certificate for SSL, click OK
    12. Network Prefs / VPN / Advanced / Options: untick the stuff you don't want // For a full tunnel leave "Send all traffic over VPN" ticked on.
    13. Apply
    14. Connect

    Really simple...

    2) for corporate or company MDM-managed Macs and devices.... for the MDM payload, use macOS Server Profile Manager. Set up a VPN payload for a specific user account or group if that's your persuasion .. send them the profile .. then for them it's install, click and go (iOS and Macs) .. really simple, works great with Zyxel!


    You don't need any Zyxel or other bloatware .. use the native L2TP client in Apple macOS.

    { FWIW, for Windoze 10, use the native Windows built-in L2TP client .. works great as well for the Zyxel USG ... }

    Tip: Make sure your USG20VPN has the VPN gateway and VPN connection hashing / encryption etc. correct, else it won't work for iPads / iPhones... Plenty of stuff on this in the forums.

    HTH

    warwick
    Hong Kong 
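    The manual steps above map one-to-one onto the keys of an Apple VPN configuration profile, which is also what the MDM route in point 2 distributes. The following is an added example, not code from the post or from Zyxel: it builds a .mobileconfig for the built-in L2TP/IPsec client with Python's standard plistlib and then re-reads it to check the settings that most often break the connection. The hostname `vpn.example.com`, the account `alice` and the pre-shared key are placeholders; substitute the values configured on the USG.

```python
"""Build an Apple configuration profile (.mobileconfig) carrying an
L2TP-over-IPsec VPN payload for the built-in macOS/iOS client.

Added example, not from the forum post or from Zyxel. It mirrors the manual
System Preferences steps: server address, account name, pre-shared key
("Machine Authentication") and "Send all traffic over VPN".
Hostname, account and secret used below are placeholders.
"""
import plistlib
import uuid


def org_id(org):
    """Reverse-DNS-style identifier stem derived from the organisation name."""
    return "com." + "".join(c.lower() for c in org if c.isalnum())


def build_l2tp_profile(server, account, shared_secret, *, org="Example Org",
                       full_tunnel=True, password=None):
    """Return .mobileconfig bytes for one L2TP/IPsec VPN service.

    The pre-shared key is stored in the profile in clear, so the file must be
    handed out over a protected channel. Leaving `password` as None means the
    user is prompted for the account password at connect time, which keeps
    per-user credentials out of a file that may get shared around.
    """
    ppp = {
        "AuthName": account,             # "Account Name" in the UI
        "CommRemoteAddress": server,     # "Server Address" in the UI
    }
    if password is not None:
        ppp["AuthPassword"] = password   # only embed if you accept the risk
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id(org)}.vpn.l2tp",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Company L2TP VPN",
        "UserDefinedName": "Company VPN",          # "Service Name" in the UI
        "VPNType": "L2TP",                         # "L2TP over IPsec"
        "OverridePrimary": bool(full_tunnel),      # "Send all traffic over VPN"
        "PPP": ppp,
        "IPSec": {
            "AuthenticationMethod": "SharedSecret",
            "SharedSecret": shared_secret.encode("utf-8"),  # becomes <data>
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id(org)}.vpnprofile",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"{org} VPN",
        "PayloadOrganization": org,
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile)


def check_profile(blob):
    """Re-read a profile and report the settings worth eyeballing before
    sending it out: VPN type, server, account, whether a PSK is present,
    whether a password was embedded, and full- vs split-tunnel."""
    prof = plistlib.loads(blob)
    vpn = next(p for p in prof["PayloadContent"]
               if p["PayloadType"] == "com.apple.vpn.managed")
    ipsec = vpn["IPSec"]
    return {
        "vpn_type": vpn["VPNType"],
        "server": vpn["PPP"]["CommRemoteAddress"],
        "account": vpn["PPP"]["AuthName"],
        "psk_present": (ipsec.get("AuthenticationMethod") == "SharedSecret"
                        and len(ipsec.get("SharedSecret", b"")) > 0),
        "password_embedded": "AuthPassword" in vpn["PPP"],
        "full_tunnel": bool(vpn.get("OverridePrimary", False)),
    }


if __name__ == "__main__":
    # Placeholder values; replace with the USG's hostname, user and PSK.
    blob = build_l2tp_profile("vpn.example.com", "alice",
                              "replace-with-the-USG-pre-shared-key")
    with open("company-vpn.mobileconfig", "wb") as fh:
        fh.write(blob)
    print(check_profile(blob))
```

    Double-clicking the resulting file on a Mac (or opening it on an iPhone/iPad) installs the VPN service with the same settings the fourteen UI steps produce; the profile does not replace the tip about the USG side, since the IKE/IPsec proposal on the gateway still has to match what Apple's client offers. Treat the file as a secret because it carries the PSK, and leave the account password out of it so it is prompted for on the device.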


  • zzkwozz
    Thanks for your answer!
    I've checked my settings again, but the connection can't be established. The error message is:
    The L2TP-VPN server did not respond. Try to connect again. If the problem persists, check the settings or contact your administrator.

    Well... I am the administrator.

    If I ping the server, the IP is perfectly resolved and the router answers.

    If I try to connect over VPN Tracker (just for testing), the error tells me (PPP).
    Do you have any more ideas?
  • Zyxel_Charlie (Zyxel Employee)
    @zzkwozz
    Regarding this case,
    can I know whether the USG20W-VPN is behind the AVM FritzBox? If yes, and the FritzBox is not in bridge mode, you need to add a NAT rule on the FritzBox. The SOP for your reference:
    ZyWALL for a L2TP server behind NAT
    Also, when you test the VPN scenario, the L2TP client (iPhone or PC) cannot establish the VPN connection via the SSID which the USG20W-VPN broadcasts.
    Charlie
