Problems with "non-default WAN IP address" and domain name in VPN gateway setting.

Kv3
Kv3 Posts: 18  Freshman Member

Hi all,
I have a Zyxel USG FLEX 500.
I have public IP addresses in the range 8.14.19.210/255.255.255.240, the default public IP address of the USG is 8.14.19.210.

How to properly set up VPN on a "non-default IP address"? What I have described below works for me, but is it correct?

If I want to set up VPN so that clients from the Internet connect to the IP address 8.14.19.215 (vpn2.contoso.com), I have to set:
1/ In the VPN gateway settings / Gateway settings / Domain Name/IPv4, I set 8.14.19.215 (all set using the wizard).
2/ In NAT, set up a virtual server that redirects at least one service from External IP 8.14.19.215 to, for example, the LAN interface IP. (If I don't set it up, I can't connect with the Windows VPN client to the IP address 8.14.19.215 or ping the address.)

I have one more question:

I would like to have the domain name vpn2.contoso.com instead of the IP address 8.14.19.215. Even if I enter it when creating in the wizard, I can't connect with the Windows VPN client.

When trying to connect, the log shows:
The cookie pair is : 0xa94fdda7ea5cf7c4 / 0x635d24b58ea075a6
Receiving IKEv2 request
The cookie pair is : 0xa94fdda7ea5cf7c4 / 0x635d24b58ea075a6
[INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][VID][VID][VID][VID]
Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA256 PRF, 256 bit ECP; ).
The cookie pair is : 0x635d24b58ea075a6 / 0xa94fdda7ea5cf7c4
[SA] : No proposal chosen
The cookie pair is : 0x635d24b58ea075a6 / 0xa94fdda7ea5cf7c4
IKE SA [] is disconnected

I have vpn.contoso.com -> 8.14.19.215 set in DNS / Address/PTR record.
Windows VPN client is installed from files created by the wizard.

Can you please advise me how to set up VPN properly?
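The IKEv2 log quoted above is the kind of excerpt worth triaging before touching the configuration. The following is an added example, not part of the original thread or any Zyxel tool: it parses a constructed copy of those USG FLEX log lines into the SPI pair, the payloads the client sent, the single transform set it offered, and the outcome, so the failure can be read at a glance (field names and the log line patterns are assumptions based only on the quoted excerpt).

```python
import re
from dataclasses import dataclass, field

# Constructed copy of the USG FLEX IKEv2 log lines quoted in the question above.
USG_IKE_LOG = """\
The cookie pair is : 0xa94fdda7ea5cf7c4 / 0x635d24b58ea075a6
Receiving IKEv2 request
[INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][VID][VID][VID][VID]
Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA256 PRF, 256 bit ECP; ).
The cookie pair is : 0x635d24b58ea075a6 / 0xa94fdda7ea5cf7c4
[SA] : No proposal chosen
IKE SA [] is disconnected
"""

# Patterns are assumptions derived from the quoted excerpt, not a documented Zyxel log format.
COOKIE_RE = re.compile(r"cookie pair is : (0x[0-9a-f]+) / (0x[0-9a-f]+)")
PAYLOAD_RE = re.compile(r"\[INIT\] Recv: (.*)")
PROPOSAL_RE = re.compile(r"SA\(\[\d+\] protocol = (\w+) \(\d+\), ([^;]+);")

@dataclass
class IkeAttempt:
    initiator_spi: str = ""
    responder_spi: str = ""
    payloads: list = field(default_factory=list)   # payload types in the IKE_SA_INIT request
    proposal: dict = field(default_factory=dict)   # transform type -> text as logged
    outcome: str = "unknown"

def classify_transform(item):
    """Map one comma-separated transform from the log line to its IKEv2 transform type."""
    if "key len" in item:
        return "encr"
    if item.endswith("PRF"):
        return "prf"
    if "ECP" in item or "MODP" in item:
        return "dh"
    return "integ"

def parse_ike_log(text):
    a = IkeAttempt()
    for line in text.splitlines():
        if m := COOKIE_RE.search(line):
            if not a.initiator_spi:   # keep the pair exactly as first logged on receipt
                a.initiator_spi, a.responder_spi = m.groups()
        elif m := PAYLOAD_RE.search(line):
            a.payloads = re.findall(r"\[(\w+)\]", m.group(1))
        elif m := PROPOSAL_RE.search(line):
            a.proposal = {"protocol": m.group(1)}
            for item in m.group(2).split(", "):
                a.proposal[classify_transform(item)] = item.strip()
        elif "No proposal chosen" in line:
            a.outcome = "NO_PROPOSAL_CHOSEN"   # responder accepted none of the offered transform sets
        elif "is disconnected" in line and a.outcome == "unknown":
            a.outcome = "disconnected"
    return a
```

With the page's excerpt this yields one offered set (AES-CBC-256, HMAC-SHA256-128, HMAC-SHA256 PRF, ECP-256) and the outcome NO_PROPOSAL_CHOSEN; comparing that set against the gateway's Phase 1 proposal is the first check, and the thread's accepted answer covers the case where the gateway never properly owns the address at all.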

Accepted Solution

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,635  Zyxel Employee
    edited August 6 Answer ✓

    Hi @Kv3

    Sorry, the FAQ you reference has some wrong content. You still need the virtual interface on your WAN for the VPN service or other services that connect to the firewall. Only the services that bypass the firewall, like NAT/Virtual server, don't need the virtual interface for the additional IP address. We will correct the FAQ.

    Zyxel Melen


All Replies

  • PeterUK
    PeterUK Posts: 3,946  Guru Member
    edited August 4

    I don't get why you have to do a NAT / set up a virtual server. But maybe I might know...

    We need to know how these public IP addresses in the range 8.14.19.210/255.255.255.240 are being done.

    So disable the NAT and VPN rules and ping your IP 8.14.19.215 from, say, GRC https://www.grc.com/x/ne.dll?bh0bkyd2. When you do a port scan like 80, you should see an ICMP from 4.79.142.206 if you packet capture the WAN; if not, an ARP saying who has 8.14.19.215.

    If you're seeing ICMP, that means the ISP is sending all traffic of your subnet to the 8.14.19.210 WAN MAC.

    If you're seeing ARP from your ISP, that means the ISP wants a MAC for IP 8.14.19.215 at your FLEX.

    I'm guessing the second, and there are some ways to go about this. The first is to use a Virtual interface on your WAN interface with 8.14.19.215/255.255.255.240; this means your ISP will ARP for that IP, get a reply and then send traffic to it. The other is to use a switch upstream and use two WAN interfaces for 8.14.19.210 and 8.14.19.215.

    I'm guessing this is for a Remote Access (Server Role)? Pre-Shared Key? Or Certificate, real or self-signed?

    If Pre-Shared Key, I know you just use Domain Name / IPv4 and put in the IP 8.14.19.215 with Local ID type IPv4 0.0.0.0 and local policy 0.0.0.0; then the Windows VPN client can connect by vpn.contoso.com.

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,635  Zyxel Employee

    Hi @Kv3

    Do you mean you want the firewall to have multiple IP addresses on the WAN interface to allow the remote clients to connect VPN via .215?

    Zyxel Melen


  • Kv3
    Kv3 Posts: 18  Freshman Member

    Thank you PeterUK for your reaction.
    I am currently testing the VPN settings on the USG FLEX 500, which I have on my desk, so it is not directly connected to the Internet.
    I have a laptop with the IP address 8.14.19.222 connected to its WAN port, which I use to test the connection to the USG firewall, as a VPN client, ping sender, TCP client, and so on.
    I have set up logging of all security policies and other events on the USG.
    If I deactivate the NAT rule with the external address set to 8.14.19.215, I do not find an attempt to ping from 8.14.19.222 to 8.14.19.215 in the log, nor an attempt to connect to the VPN. I only see an ARP packet with a query. The ARP packet with the response is missing, even though the VPN gateway has the IP address set to 8.14.19.215, which is why I created this NAT rule. I know that there is a possibility to create a virtual interface, but according to the instructions in https://support.zyxel.eu/hc/en-us/articles/4416140227858-USG-FLEX-ATP-VPN-Series-Using-Virtual-Interfaces, VPN can be set up without it. So I would like to know if anyone has tried setting up VPN this way and if I forgot to set something up.

  • Kv3
    Kv3 Posts: 18  Freshman Member
    edited August 5

    Hi Zyxel_Melen
    Yes, that's what I want.
    I'm trying to set it up according to https://support.zyxel.eu/hc/en-us/articles/4416140227858-USG-FLEX-ATP-VPN-Series-Using-Virtual-Interfaces.
    However, if I don't create a virtual interface on the WAN or NAT rule, the USG ignores traffic to its IP address 8.14.19.215.

  • PeterUK
    PeterUK Posts: 3,946  Guru Member

    So not a real test vs. what your ISP may or may not do: they may route your subnet to 8.14.19.210, which your laptop, being a device, does not do.

  • Kv3
    Kv3 Posts: 18  Freshman Member

    Hi PeterUK

    No, it's not a real test of our ISP, it's a test of the USG's capabilities. However, I'll be replacing the existing Zywall with this new USG in the near future, so I'm trying to transfer the existing Zywall settings and improve them.
