ZyXEL → L2TP VPN on USG - quick how-to

I don't really mind this default setting. It would have been worse if the split tunneling was enabled by default without option to turn it off.
This way I can "safely" browse internet from my phone using my home connection without ISP being able to watch

Of course having option to enable / disable would be nice.
I have to check of there are any 3rd party VPN clients for android.

I thought android was a third party

Yeah, if split tunneling were enabled by default that would be worse.

.mht file updated.

Umm, what kind rule i need set so i can ping/access vpn clients on lan

vpn clients can ping on lan pc's and access lan pc's but not other way..

Should be just matter of enabling ping response on your VPN client PC. Enable respond to ping and open appropriate firewall if applicable (i.e. on windows is ping typically blocked)

Hmm now it works, somehow firewall does not like vpn...

Weird my android device i can ping on lan but not in vpn

I have looked my logs, should i be worrying or is this normal?

No idea what these are.
Are you using XAUTH?

Those are not my connections, i use Pre-shared Key on ipsec

If someone trying to get in, is vpn easy to hack in when using l2tp/ipsec ?

Is there way to tell if security has compromised?

Are the source ip's known? If so not a problem, if not then it could be roadwarrior client that is not configure correctly or its somebody that tries to bruteforce your vpn. Then its down to how secure your password is and that they are able to guess encryptionscheme etc.

Also your device is the src ip or the dst ip in this log?

The msg shown, I have not used a VPN device for ages, seems to me to indicate that the info about the remote end is using the wrong settings in the identification of the endpoints.

Source ip is my wan1 Ip, and Destination is who is trying to connect from that ip..

I have domain name it's ip is to Wan1 so i think they trying to connect it or it's just random..

What i did look those ip's who trying to connect is not from this country.. ;P

How long should i use same password before i change user/vpn pre-shared key?

And how long should Pre-shared key and users's password?

- atm using minimal 8 character password, is that enought?

8 no
64 best
Would not do anything less than around 20 with randomly generate upper lower case, numbers and letters

hi Brano! Thanks for the excellent howto. I've found quite a few on the net, including ones from studerus, zyxel sweden and others - but this is the only one that included firewall rules.

Unfortunately, I don't get it to work. Must say I am trying with apple devices instead of with Android, but I do not believe the problem is there. The connect over VPN seems to work immediately, and the Zywall USG 50 I have also reports that I have successfully logged in. But that is it. It seems no traffic is routed from the iPhone/Ipads to the LAN and back. Trying to access devices in my LAN via their internal webserver doesn't work over VPN, and neither does access my fileserver using SMB or RDP.

My feeling is that something is wrong in the firewall config, but I have no idea what. I've posted firewall rules & logfile entries below. Willing to post other info as well if that helps, but don't want to pollute with a really big post now.

»www.zyxel.se/upload/doc/ ··· aper.pdf

That doesnt work?

No it doesn't. It's largely similar to what brano posted but does not contain firewall rules. And it speaks of a policy rule to allow Internet access over the VPN tunnel using the zywall's WAN connection. From what I understand from the howto, it should work without. Whichever way that is, it should affect whether or not I am able to access the Internet or not. And I can't access a thing.

Hi,

is there way to limit access what country or ip pool who can access on vpn?

I do get those random vpn connections..

You could create firewall rules but that's more pain than usefull.

Just create strong pre-shared key and ignore the port scans.

I hope that 20 key pre-shared key is enough.

20 is a decent minimum. Greater than 15 and random with U, l case numbers and symbols.

Randomly generate upper lower case, numbers and letters, + user's password done also same way ;o

As an update to the above: I just checked on my Apple devices, and find they connect to 10.64.64.64 as an IP address. Strange, as that is not my WAN IP. Any idea to whether this is normal?

Quick question - I am able to get things working with the example here (and in the Zyxel doc). The examples always use a separate subnet for L2TP connections, which I'm sure is best practices, but would L2TP work if I have the connections use, say, LAN1?

The reason why I'm asking is that the only way I can get things to work on my Macbook (Lion) is if I have all my traffic through the VPN tunnel. I suspect that I might have to manually add a route to push LAN1 packets through my L2TP_POOL address on my laptop, whereas if I was already on a LAN1 address, the subnetting makes it work automagically.

I guess I could try it, but I'm afraid of breaking it after my glitch and lost configuration from a few weeks ago. Better ask first than be sorry!

Brano!
Than you very much for this great how-to. Its the best I found, now that I am searching a week to help me get my USG 20W ZDL 3.0 work with L2tp.
Anyway I am somehow too stupid to get it right. It would be great if you can give me one further hint.
1. I keyed in the whole configuration as you described. Including you firewall rules, and all objects.
2. A. With the build in OSX 10.7.3 VPN Client: I get

12.04.12 07:57:51.432 racoon: IKE Packet: receive success. (Information message).
12.04.12 07:57:54.435 racoon: IKE Packet: transmit success. (Phase1 Retransmit).
12.04.12 07:57:54.458 racoon: IKE Packet: receive success. (Information message).
12.04.12 07:57:57.461 racoon: IKE Packet: transmit success. (Phase1 Retransmit).
12.04.12 07:57:57.482 racoon: IKE Packet: receive success. (Information message).
12.04.12 07:58:09.493 racoon: IKE Packet: transmit success. (Phase1 Retransmit).
12.04.12 07:58:09.514 racoon: IKE Packet: receive success. (Information message).
12.04.12 07:58:12.000 kernel: Validation failed, dataSuffix:
12.04.12 07:58:12.000 kernel: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12.04.12 07:58:12.000 kernel: vnode_validate_compressed_file_Type4 error: 22
12.04.12 07:58:12.000 kernel: Validation failed, dataSuffix:
12.04.12 07:58:12.000 kernel: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12.04.12 07:58:12.000 kernel: vnode_validate_compressed_file_Type4 error: 22
12.04.12 07:58:18.215 pppd: IPSec connection failed

B. With the ipsecuritas »www.lobotomo.com/product ··· curitas/ Client I get a similar error: Authentication failed

C. With the iPhone iOS 5.1 it times out.

On the USG 20W it is always the same:
IKE - Process is trying 3 times.
It shows the cookie pairs =x012345678/x012345678
Then it says "Authentication failed" probably due to mismatch in shared secret.

What I did: I tried different pre-shared keys - with/without numbers and then HEX: 0x12345678 etc.
No success - always the same errors
I checked the encryption, DH-group, Hash-types
- no success.
I cannot believe I do not manage to get Phase1 running :-(

Should I reflash the firmware of the USG?
Any hint is more than welcome. Thanx

Unfortunately I don't have OSX or iOS to test this with so hopefully someone else with OSX experience can pitch in.
From what I'm seeing is that you indeed seem to have Pre-shared key mismatch. ... check it again on both sides.

Thank you for the quick response - I cross my fingers, hope for the best and will keep digging into that matter.

I've followed this guide to a T on a USG 20 with the new 3.0 firmware which allows for L2TP.

I am getting the error message of

SPI: 0x0 SEQ 0x0 No rule found, Dropping packet [count=xx].

I can sign on fine, and I get an IP within the subnet I chose, but from there it does nothing. I cannot ping any of the servers, nor can I browse out to the internet.

Brano I have an IMAC at home, and would like to test to see if I can connect to you over ssl vpn.
Are you up to the idea.........

I solved my own issue. The remote network and my local network were both on the 192.168.1.0/24 network. This was causing funny issues with routes.

I logged in from a MiFi which was the 192.168.0.0/24 network and all was well.

Thanks for the tutorial!

Regarding L2TP over ipsec for the MAC.
One of the steps I have seen is to ensure its at the top of the services running ..... Network tab sprocket symbol at the bottom to open it up. (speaking about the mac os x part)