Sébastien, Freshman Member

Comments

  • When trying to troubleshoot this issue I found something interesting related to the configuration I made on this USG Flex 100. Wan IP address is part of the 192.168.1.0/24 subnet, fixed IP 192.168.1.200 (provider box). As Wan IP address is part of the same subnet as lan1 predefined in the router, I switched all the ports…
  • Hello Lukas, what do the logs say on the USG ? This is where you should begin your investigation because problems could look the same but be very different. Could you post the logs when you try to connect the tunnel ? There is also a trick to allow Windows client to connect to an IPSec tunnel behind a NAT-T, please look…
  • Ok understood ! Even if my certificate is issued by my CA or any other CA, the device will issue a new certificate for each website visited and therefore this certificate will not be trusted by my CA because it was issued by the device. Thanks for your help !
  • So no way to use a certificate issued by my own CA ? Using the default certificate requires deploying the USG's CA to all computers on the network, and browsers like Firefox or Chrome have their own trusted CA lists... As I said previously, having a certificate issued by my own domain CA will help because my CA is trusted…
  • Thank you PeterUK that was the answer, I have created a Policy Route from L2TP Zone to SNAT on the outgoing interface and bingo Internet is there. Works perfectly for my smartphone beside SSL VPN. =)
  • Yes it is ! I found the solution : I set up the local policy to an IP object, type HOST, value 0.0.0.0. My L2TP is now working for the local network, but no access to the Internet when the VPN is connected despite the security rules allowing traffic between the IPSec zone and any other zones. So a ping to the 10.0.0.0/24 subnet is OK but not…
  • Thanks for your reply. Yes it is behind a NAT and your article is interesting. If I read it correctly the local policy for phase 2 should be the WAN public IP, not the USG40 WAN IP. This is a problem for my scenario because the public IP is dynamic. To bypass this, I created an FQDN object pointing to my VDSL router but I…
  • Perfect, thank you ! :-)
  • Is there a way to mark the post as "resolved" ?
  • Hi Zyxel_Charlie ! I've got it now, this is a huge confusion mistake on my side. I thought I had to click the "Add" button on the Geo IP tab, not the Address tab. This is my mistake and that's why I didn't see the "Geography" address type. Your screen caps helped me a lot. Thanks, Sebastien