How-to: L2TP VPN on USG where network behind USG is bridged.
This is not meant to be an exhaustive step-by-step how-to; I'll only put in the settings that are different from those in Brano's how-to, located at the following URL:
L2TP VPN on USG - quick how-to
This VPN was created for use by an iOS device (iPod/iPad) connecting to a Zyxel USG20W. Specifically it was iOS 7 and USG20W with firmware 3.30 (BDR.1).
If any of the experts on this board see any blinding errors or feel the need to add anything please feel free to make comments below. In the case of errors I will change this how-to accordingly.
This is a VPN where you can connect to your home network from outside of the network and use your device as though you were connected directly from inside the network.
So for those that are not familiar with VPNs: you can go away on holidays, connect to the internet using the hotel's connection and then establish a VPN using, say, an iPod or iPad, and it will be just like you were connected from home.
This is good for things like home automation/security systems where the client software is loaded on your iPod/iPad and needs to be on the home network to function. Some of these home automation systems allow users to connect via an intermediate server but they usually charge a yearly fee for this. Using a VPN allows you to connect directly thus avoiding those yearly fees.
So firstly read Brano's quick how-to post and then make these additions which will make it work for an iOS device connecting into a network that is bridged.
When setting up the VPN gateway and VPN connection in your Zyxel, the only encryption and authentication you need for an iOS 7 device is 3DES/SHA1; you can remove all the others.
The main difference is the routing rules, specifically the 2nd rule in the list needs to be added because of the local 'General' type bridge. The source 'Bridge' is simply an address object of address type 'Interface Subnet' and the interface set to the bridge:
Below are the firewall rules; you should be able to lock them down even further. The WAN to ZyWALL rule is one of the default rules that comes preconfigured on the firewall, the relevant services being ESP, IKE and NATT (as per Brano's how-to).
Below is a screen shot of the iPod VPN connection setup where XX.XX.XXX.XX is your WAN IP address, the 'Account' is a user created on the USG20W together with a password, the 'Secret' is the pre-shared key entered into the VPN gateway:
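To make the two points above concrete (the extra policy route needed for a 'General' type bridge, and the narrow set of services the WAN to ZyWALL rule has to allow), here is a small added Python model of how the USG evaluates policy routes and firewall rules. It is an illustration written for this page, not code from the post, from Brano's how-to or from Zyxel; the subnets, the pool range and the rule names other than those quoted in the post are constructed assumptions, and the service definitions (IKE UDP/500, NAT-T UDP/4500, ESP) are the standard L2TP/IPsec ports rather than anything read off the USG screenshots.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addressing (assumption, not from the post):
BRIDGE_SUBNET = ipaddress.ip_network("192.168.1.0/24")   # address object 'Bridge': Interface Subnet of the bridge
LAN_L2TP = ipaddress.ip_network("192.168.100.0/24")      # address object 'LAN_L2TP': pool handed out to L2TP clients


@dataclass(frozen=True)
class PolicyRoute:
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    next_hop: str  # interface, gateway or VPN connection name


# The policy route the post adds for a 'General' type bridge:
# Source: Bridge, Destination: LAN_L2TP, Next Hop: Default_L2TP_VPN_Conn
BRIDGE_TO_L2TP = PolicyRoute(BRIDGE_SUBNET, LAN_L2TP, "Default_L2TP_VPN_Conn")


def next_hop(routes: List[PolicyRoute], src: str, dst: str) -> str:
    """Policy routes are matched top-down and the first match wins.
    With no match the packet follows the ordinary routing table, which this
    model simplifies to the default route out of the WAN."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in routes:
        if s in r.source and d in r.destination:
            return r.next_hop
    return "default-route(WAN)"


@dataclass(frozen=True)
class FirewallRule:
    from_zone: str
    to_zone: str
    services: frozenset  # set of (protocol, destination port); port None for portless protocols
    action: str


# Standard L2TP/IPsec services the WAN to ZyWALL rule must allow:
# IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50, no port).
VPN_SERVICES = frozenset({("udp", 500), ("udp", 4500), ("esp", None)})
WAN_TO_ZYWALL = FirewallRule("WAN", "ZyWALL", VPN_SERVICES, "allow")


def firewall_decision(rules: List[FirewallRule], from_zone: str, to_zone: str,
                      proto: str, dport: Optional[int] = None) -> str:
    """First matching zone-pair rule that lists the service decides; otherwise the
    implicit default is deny."""
    for r in rules:
        if r.from_zone == from_zone and r.to_zone == to_zone and (proto, dport) in r.services:
            return r.action
    return "deny"


def return_path_with_and_without_rule(lan_host: str, vpn_client: str) -> Tuple[str, str]:
    """Where a reply from a host on the bridged LAN to an L2TP client goes,
    with the extra policy route present and with it absent."""
    with_rule = next_hop([BRIDGE_TO_L2TP], lan_host, vpn_client)
    without_rule = next_hop([], lan_host, vpn_client)
    return with_rule, without_rule


if __name__ == "__main__":
    print(return_path_with_and_without_rule("192.168.1.10", "192.168.100.5"))
    # L2TP itself (UDP 1701) travels inside ESP, so it need not be opened on WAN to ZyWALL.
    for proto, port in [("udp", 500), ("udp", 4500), ("esp", None), ("udp", 1701)]:
        print(proto, port, firewall_decision([WAN_TO_ZYWALL], "WAN", "ZyWALL", proto, port))
```

The point the model makes: without the second policy route, replies from the bridged LAN to the client's pool address fall through to the default route and leave via the WAN instead of entering the tunnel. On the firewall side, only IKE, NAT-T and ESP need to reach the ZyWALL zone from the WAN; the L2TP control channel on UDP 1701 is carried inside ESP, so leaving it closed is part of locking the rules down further.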
You shouldn't need the Policy Route:
Source: Bridge, Destination: LAN_L2TP, Next Hop: Default_L2TP_VPN_Conn
As long as you set the Interface Type of the Bridge interface you created to Internal, that routing will be handled automatically for that traffic.
Unless 3.30 broke something else and now you need that route again!
The bridge interface type is 'General', which requires you to set up routes manually. This allows you to use bandwidth management on an outgoing route, which is something I needed to do. Perhaps this requirement has changed in the latest version of the firmware?
If you want to do bandwidth management from the policy route that works fine. And even if you did set the interface to Internal, any policy routes you create would override the direct routes created by the interface.
Most people aren't going to be using bandwidth management though so it's extra steps that aren't doing anything for them.
That makes it useful for a very narrow band of users, I guess; I've changed the wording to indicate that it's for a 'General' type bridge.