Zyxel 700H Firmware 1.36 Patch 0, Error IPSec remote access VPN

YanShadowGT
YanShadowGT Posts: 19  Freshman Member
First Comment Friend Collector Fifth Anniversary
edited November 12 in USG FLEX H Series

Hello,

Are there any updates or changes I need to make if I already have an IPSec remote access VPN configured? The problem is that after updating from version V1.35 (ABZI.2) to V1.36 (ABZI.0), the VPN isn't working correctly. The VPN connects to the Zyxel 700h using the Windows 11 VPN option, but if I ping an internal IP address, it doesn't work. If I revert to the previous firmware version, V1.35, everything works correctly, as I can ping and connect. Thank you for your help.

Regards, SY

Accepted Solution

All Replies

  • PeterUK
    PeterUK Posts: 4,228  Guru Member
    250 Answers 2500 Comments Friend Collector Eighth Anniversary
    edited November 12 Answer ✓

    Is tunnel connection up?

    The issue could be the same as this.

    Flex 100H VPN SecuExtender clients connects fine; NO ACCESS to remote network devices — Zyxel Community

    If you have routing rules like LAN to WAN you need to Exclude the remote access VPN IP pool in Destination Address so that USG routes the VPN IP pool back down the VPN tunnel

  • YanShadowGT
    YanShadowGT Posts: 19  Freshman Member
    First Comment Friend Collector Fifth Anniversary

    Hi @PeterUK,
    You're right, it's the same problem. My question is, is it temporary? I'm worried this might create a vulnerability. Will Zyxel be aware of it and fix it, since it's working correctly up until this new firmware version, v1.36?

    Thanks for your help.
    Regards,
    SY

  • PeterUK
    PeterUK Posts: 4,228  Guru Member
    250 Answers 2500 Comments Friend Collector Eighth Anniversary
    edited November 12

    There's no vulnerability caused by this. I think the routing rules are more strict in that they don't look at the IP pool of the remote VPN to go down the tunnel first, and so the routing rule with Destination any is applied strictly.

    But what I want to see is next hop remote VPN tunnel in the routing rules; that way you can do

    rule 1
    incoming LAN
    Destination Address 192.168.50.0/24
    next hop remote VPN tunnel
    SNAT none

    rule2
    incoming LAN
    Destination Address any
    next hop WAN
    SNAT outgoing interface
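
To make the ordering problem PeterUK describes concrete, here is a small first-match policy-route model, added to this thread as an illustration and not Zyxel's code or anything from the firmware. It assumes that policy routes are evaluated top-down and that a packet matching no policy route falls through to the main routing table; the LAN subnet 192.168.1.0/24, the catch-all "any" as 0.0.0.0/0 and the internet host 203.0.113.5 are constructed values, while 192.168.50.0/24 is the pool used in the rule sketch above. The `exclude` list models the Exclude option on Destination Address mentioned earlier in the thread.

```python
"""First-match policy-route model (constructed example, not Zyxel firmware code).

Shows why a LAN-to-WAN rule with Destination "any" swallows replies addressed
to remote-access VPN clients, and how the two fixes discussed in the thread
(excluding the VPN pool, or an explicit tunnel rule ordered first) change that.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import List, Optional

# Constructed values: the LAN subnet is assumed; 192.168.50.0/24 is the pool
# from the rule sketch in the thread; 203.0.113.5 is a documentation address.
LAN_NET = IPv4Network("192.168.1.0/24")
VPN_POOL = IPv4Network("192.168.50.0/24")
ANY = IPv4Network("0.0.0.0/0")
INTERNET_HOST = "203.0.113.5"
VPN_CLIENT = "192.168.50.10"


@dataclass
class PolicyRoute:
    """One policy-route entry; the first rule whose criteria match wins."""
    name: str
    incoming: str                 # zone the packet arrives on, e.g. "LAN"
    destination: IPv4Network      # "any" is modelled as 0.0.0.0/0
    next_hop: str                 # e.g. "WAN" or "VPN-tunnel"
    snat: str = "none"
    exclude: List[IPv4Network] = field(default_factory=list)  # Destination carve-outs

    def matches(self, incoming: str, dst: IPv4Address) -> bool:
        if incoming != self.incoming or dst not in self.destination:
            return False
        return not any(dst in net for net in self.exclude)


def select_route(rules: List[PolicyRoute], incoming: str, dst: str) -> Optional[PolicyRoute]:
    """Top-down first match; None means no policy route applied."""
    addr = ip_address(dst)
    for rule in rules:
        if rule.matches(incoming, addr):
            return rule
    return None


def next_hop_for(rules: List[PolicyRoute], incoming: str, dst: str) -> str:
    """Next hop chosen for a packet, or "fallthrough" when the main routing
    table (which knows the tunnel for the VPN pool) decides instead."""
    rule = select_route(rules, incoming, dst)
    return rule.next_hop if rule else "fallthrough"


def table_any_strict() -> List[PolicyRoute]:
    """The v1.36 symptom: a LAN-to-WAN rule with Destination any applied strictly,
    so a LAN host's reply to a VPN client is pushed out of the WAN interface."""
    return [PolicyRoute("LAN-to-WAN", "LAN", ANY, "WAN", snat="outgoing-interface")]


def table_with_exclusion() -> List[PolicyRoute]:
    """First fix: exclude the VPN pool from the catch-all's Destination Address."""
    return [PolicyRoute("LAN-to-WAN", "LAN", ANY, "WAN",
                        snat="outgoing-interface", exclude=[VPN_POOL])]


def table_explicit_tunnel() -> List[PolicyRoute]:
    """Second layout: a specific tunnel rule ordered before the catch-all."""
    return [
        PolicyRoute("rule1", "LAN", VPN_POOL, "VPN-tunnel", snat="none"),
        PolicyRoute("rule2", "LAN", ANY, "WAN", snat="outgoing-interface"),
    ]


def compare_tables() -> dict:
    """Next hop for a reply to a VPN client and for internet traffic, per table.
    The reversed explicit table shows the catch-all shadowing the tunnel rule."""
    tables = {
        "any-strict": table_any_strict(),
        "with-exclusion": table_with_exclusion(),
        "explicit-tunnel": table_explicit_tunnel(),
        "explicit-misordered": list(reversed(table_explicit_tunnel())),
    }
    return {
        name: {
            "to-vpn-client": next_hop_for(rules, "LAN", VPN_CLIENT),
            "to-internet": next_hop_for(rules, "LAN", INTERNET_HOST),
        }
        for name, rules in tables.items()
    }


if __name__ == "__main__":
    for name, result in compare_tables().items():
        print(f"{name:20s} {result}")
```

In the misordered case the reply is not only sent the wrong way but also SNATed to the WAN address by the catch-all, which matches the symptom in the first post: the tunnel comes up, but pings to internal hosts get no answer. Keeping the specific rule above the catch-all, or carving the pool out of the catch-all's destination, is what restores the path.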

  • Zyxel_Tina
    Zyxel_Tina Posts: 401  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Switch 50 Answers First Comment

    Hi @YanShadowGT,

    Thank you for your feedback. The issue you observed is due to a change in the packet flow processing order in firmware v1.36, which may affect your policy routing. To assist you better, could you please send us a private message with remote access or a diagnostic file?

    • For providing remote access, please refer to this FAQ for setup instructions.
    • For collecting your diagnostic file, please refer to this FAQ.

    Zyxel Tina