IPSec VPN on H Series Loopback/Reflection/Hairpinning

How to establish L2TP tunnel from LAN side — Zyxel Community
https://community.zyxel.com/en/discussion/1583/how-to-establish-l2tp-tunnel-from-lan-side
Does the above still work on the USG FLEX H Series for IPSec VPNs? Or do we need a different command?
Our customer's prior VPN solutions supported this, and it was really handy for testing the VPN on site when we didn't have easy access to another public IP. It helped to catch common problems, such as fat-fingered passwords and the like.
All Replies
You can do the following
so that your domain outside points to the FLEX WAN, and make the domain under DNS point to your LAN gateway.
0
Thanks for the suggested work-around.
If I understand correctly, you are suggesting that we do the following:
Configure the H series IPSec VPN to use a FQDN.
Configure DNS such that:
• External devices get the WAN IP for the router in response to looking up that FQDN.
• Local devices on the LAN get the LAN IP for the router in response to looking up that FQDN.
This requires either a split-horizon configuration or two different DNS servers. Will test, but I expect it should work. (I don't think the built-in Zyxel DNS supports a split-horizon configuration. But maybe I'm wrong?)
This isn't quite as simple as the approach that we used to be able to do on the older Zyxel products. But hopefully it will work.
0
An FQDN set on the FLEX to point to a LAN IP will not change the IP of the same FQDN that someone external pulls, because anyone external does not pull the FQDN from the FLEX.
With a DDNS setup like No-IP, it will be their DNS servers you use to get the WAN IP externally, even with the same DDNS name set under DNS on the FLEX pointing to something like 192.168.255.235; externally you still pull the WAN IP.
0
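To make the split-horizon arrangement from the last two posts concrete, here is an added example (not from the thread, and not Zyxel's own DNS implementation): a minimal UDP DNS answerer that hands back the FLEX LAN gateway address when the query comes from a LAN subnet and the WAN address otherwise. The VPN FQDN `vpn.example.com`, the LAN subnet `192.168.255.0/24` and the WAN address `203.0.113.10` are constructed for the example; only the LAN gateway address 192.168.255.235 is taken from the reply above. It handles one IN A question per packet and answers NXDOMAIN for any other name, which is enough to show the policy the thread describes and to test it offline.

```python
import ipaddress
import socket
import struct

# Constructed values for this example (only 192.168.255.235 comes from the thread).
FQDN = "vpn.example.com"                        # hypothetical VPN FQDN
LAN_NETS = [ipaddress.ip_network("192.168.255.0/24")]
LAN_ANSWER = "192.168.255.235"                  # FLEX LAN gateway address
WAN_ANSWER = "203.0.113.10"                     # FLEX WAN address (documentation range)
TTL = 60


def pick_answer(client_ip):
    """Split-horizon policy: LAN clients get the LAN address, everyone else the WAN one."""
    ip = ipaddress.ip_address(client_ip)
    return LAN_ANSWER if any(ip in net for net in LAN_NETS) else WAN_ANSWER


def _read_name(msg, off):
    """Read a (possibly compressed) DNS name starting at off; return (name, end offset)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            return ".".join(labels).lower(), off
        if (ln & 0xC0) == 0xC0:                 # compression pointer to an earlier name
            ptr = ((ln & 0x3F) << 8) | msg[off]
            tail, _ = _read_name(msg, ptr)
            return ".".join(labels + [tail]).lower(), off + 1
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_header_and_question(msg):
    """Return (txid, flags, ancount, qname, qtype, offset after the question)."""
    txid, flags, qdcount, ancount = struct.unpack_from("!HHHH", msg, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = _read_name(msg, 12)
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    if qclass != 1:
        raise ValueError("only class IN is supported")
    return txid, flags, ancount, qname, qtype, off + 4


def build_query(txid, name, qtype=1):
    """Build a plain recursive-desired query for name (used by the tests and clients)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_response(query, client_ip):
    """Answer an A query for FQDN according to the querying client's source address."""
    txid, flags, _, qname, qtype, qend = parse_header_and_question(query)
    if flags & 0x8000:
        raise ValueError("refusing to answer a response packet")
    question = query[12:qend]
    if qname != FQDN or qtype != 1:
        rcode = 3 if qname != FQDN else 0       # NXDOMAIN, or NOERROR with no A record
        return struct.pack("!HHHHHH", txid, 0x8580 | rcode, 1, 0, 0, 0) + question
    rdata = socket.inet_aton(pick_answer(client_ip))
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, TTL, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0) + question + answer


def answer_address(response):
    """Extract the A record address from a response, or None if it carries no answer."""
    _, flags, ancount, _, _, off = parse_header_and_question(response)
    if not flags & 0x8000:
        raise ValueError("not a response")
    if ancount == 0:
        return None
    _, off = _read_name(response, off)
    rtype, rclass, _, rdlen = struct.unpack_from("!HHIH", response, off)
    off += 10
    if (rtype, rclass, rdlen) != (1, 1, 4):
        raise ValueError("expected an IN A record")
    return socket.inet_ntoa(response[off:off + 4])


def serve(bind_addr="0.0.0.0", port=5353):
    """Serve split-horizon answers over UDP; malformed queries are dropped."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (client_ip, client_port) = sock.recvfrom(512)
            try:
                sock.sendto(build_response(data, client_ip), (client_ip, client_port))
            except (ValueError, IndexError, struct.error):
                pass


if __name__ == "__main__":
    serve()
```

Whichever resolver you actually use for this (the FLEX's own DNS, dnsmasq, a DDNS provider for the outside view), the check is the same: from a LAN client the FQDN must resolve to the LAN gateway, and from a host on the internet it must resolve to the WAN address, and the FQDN in the downloaded VPN client configuration must be the same name in both cases.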
Thank you very much again.
One detail that I am still a bit confused about is with respect to your screen shot showing the FQDN in the “NAT Traversal” field. If our H series isn't behind another router doing NAT, does it still go in this field, or does it go in the “Domain Name / IP” field above?
0
Yes, this "NAT Traversal" field is a bit misleading. It's meant to fix the problem where the router has something like 192.168.1.2 on an interface like WAN, so the downloaded VPN config puts 192.168.1.2 in it, which does not connect to the WAN IP, which is wrong. So really "NAT Traversal" puts the WAN IP/FQDN into your downloaded VPN config so it connects to the VPN.
The Domain Name / IP set to 0.0.0.0 means the VPN server is on all interfaces, and if you left NAT Traversal empty the VPN config would have the VPN connect to 0.0.0.0, which would not work.
0