USG 50 VPN SERVER blocks/intercepts Cisco VPN CLIENT app
I've been visiting DSLReports for years; always great information. So glad there's this Zyxel forum. I'm loving my brand new USG 50 and finally got an L2TP to Windows 7 with WAN access built after several days of heavy highlighting and dog-earing of at least a hundred pages of printouts of both the manual and configuration guides. All this while cross-referencing Brano's Secure your USG and L2TP VPN on USG - quick how-to posts and Anav's very considered questions and comments. Thank you. I'm not sure if I may link to other posts so I'll refrain.
Since applying Brano's Securing how-to:
5) Restrict access to USG web management pages.
I started noticing that I was getting booted off my client-side Cisco VPN to work. A quick check of the logs showed that my work Cisco VPN connection needed server port 443, which was being intercepted and dropped by the System>WWW>Admin Service Control rule that I had applied. Delete. I'm figuring I'll change the server and client ports later for admin access.
But now that I have a good build on MY USG 50, the VPN server IPSec (as per the log) is dropping ports my work VPN client needs.
I can think of some really hairy solutions but hoping there might be an easier rule I can apply.
I'm using all the defaults I can; after one hard reset I've done as little as possible to build the L2TP. This is a virgin machine except for the three policy rules, two addresses, one DDNS, and of course the PPPoE I had to build. Thanks again to all.
Usually when you have an issue with a VPN client behind the USG dropping after some time, it is because when the VPN is rekeying, traffic will be sent from the remote site and get intercepted by the USG.
The fix for this would be to set up port forwarding to the machine behind the USG with the VPN client on it.
If you have to forward all of the ports involved in this VPN you may be stuck, since to use L2TP over IPSec on the USG you need UDP 500 and 4500. Forwarding those would break your VPN connection to the USG itself.
I'm not sure how the Cisco VPN client works, but you could possibly try forwarding port 443 to the PC with the client to see if that clears up the issue.
I'm fairly sure the Cisco AnyConnect client uses 443 for part of the VPN communications as well as UDP 500 and 4500.