Nebula L2TP Remote Access VPN - certaines IPs non accessibles

Hi @gedis,

I understand you're encountering an issue with certain IPs being inaccessible via L2TP Remote Access VPN on your Zyxel USG Flex 100 after a factory reset and reprovisioning on Nebula, even though the VPN worked previously. This can indeed be frustrating when basic connectivity is affected.

Here are some steps and considerations to help diagnose and resolve the problem:

• Review VPN Configuration in Nebula: Since you reprovisioned your USG Flex 100 on Nebula, double-check all L2TP VPN settings within the Nebula Control Center. Even if you reconfigured them "exactly the same way," a minor oversight or a change in Nebula's handling of certain parameters after a reset could be the cause. Pay close attention to:

  • Local Policy: Ensure the "Local policy" for your L2TP VPN connection covers the entire LAN subnet (192.168.1.0/24) that you intend for VPN clients to access. If it's too restrictive, some IPs might be unreachable.
  • VPN Client IP Pool: Verify that the IP address pool assigned to VPN clients does not conflict with your LAN subnet or any other active subnets. While you mentioned trying machines that haven't connected to the LAN, a subnet conflict could still cause routing issues for specific IPs.
  • Firewall Rules: Even if you've "tried with no security rules," it's crucial to explicitly confirm that firewall rules permit traffic from the VPN zone to your LAN zone for all necessary services and IP addresses. Ensure that there isn't an implicit deny rule blocking some traffic. If an implicit security policy works for L2TP remote clients but not for IPSec remote clients, it might indicate an issue with enabling IPSec VPN to use VPN in the site-to-site VPN page.
  • NAT Traversal (NAT-T): If your USG Flex 100 is behind another NAT device (e.g., an ISP router), ensure NAT Traversal is correctly configured. Incorrect NAT-T can lead to connection issues.
  • Pre-Shared Key: Verify the L2TP VPN Pre-Shared Key. You can modify it in Nebula under Configure > Firewall > Remote access VPN > L2TP VPN server.

• Firmware Version: Check the firmware version on your USG Flex 100. Sometimes, firmware updates can introduce changes in VPN behavior or require specific configurations. Some users have reported issues with L2TP VPN after certain firmware updates, sometimes requiring adjustments to the "local policy" of Phase 2 IPSec L2TP VPN.

• ARP Cache: While you've already considered ARP cache issues, it's worth noting that if the Zyxel firewall's IPSec VPN does not support proxy ARP for the VPN client's IP address to the LAN, it can cause accessibility problems within the same subnet. One suggested workaround has been to change the IP pool for VPN clients to a different subnet than the LAN.

To assist you further, please provide the following information:

• Device Model and Firmware Version: Please confirm the exact model of your Zyxel USG Flex device and its current firmware version.
• Network Topology Map: A simple diagram showing your network setup, including the USG Flex 100, your LAN (192.168.1.0/24), and how VPN clients connect.

• Screenshots of Nebula L2TP VPN Configuration:

  • Site-wide > Configure > Firewall > Remote access VPN (L2TP VPN server settings).
  • Site-wide > Configure > Firewall > Security policy (any rules related to VPN traffic).

• Enable Zyxel Support Access: Go to Help > Support Request in your Nebula console and enable Zyxel Support Access. This allows our support team to view your cloud environment configuration directly, which significantly shortens troubleshooting time.

• Organization and Site Name: Please provide the name of your Nebula Organization and Site.