L2TP VPN on USG 20W with Win7

Hi all, sorry for my English, I'm Italian and I have found the documentation for my firewall only here. I have done everything Brano has written in the example, but I have more problems accessing the network of the USG 20W with VPN on Windows 7 and iOS. If you would like, I will send you some screenshots of my configuration to understand where I'm wrong. Thanks for your collaboration.
rosariok24
My network has a router at 192.168.1.1/24. The ZyWALL is configured with a static IP on the WAN, 192.168.1.228/24; LAN1 is configured as 192.168.228.1/24. Port 1701 UDP is already opened! I disabled the firewall to exclude problems with it! I created the 2 objects:
Range
Public IP
Policy
VPN Connection
Brano ("I hate Vogons"), MVM, join: 2002-06-25, Burlington, ON. (Software) OPNsense; Ubiquiti UniFi UAP-AC-PRO; Ubiquiti NanoBeam M5 16
Brano (MVM), 2014-May-5 7:51 am
You have a double NAT there ... your main router is NATting your public IP to the private subnet 192.168.1.1/24.
You have two options:
1) Put your router/modem into bridge mode. This will bring the public IP to the USG's WAN and everything should be working ... this is the recommended solution!
2) If you can't put the router/modem into bridge mode you have to forward all required ports on the modem/router to the USG (500:UDP, 4500:UDP, 1701:UDP and IP Protocol 50 ... often called VPN-passthrough on routers). If your router/modem has a separate firewall you need to open these ports too.
NETWORK
Thanks for your reply Brano. I have mapped the IP of the WAN of the ZyWALL on the ASUS router connected to the Internet like a DMZ server, so that the NAT problem is solved, but I try to connect the Windows 7 client connected on the LAN of the first ASUS router, with IP 192.168.1.2/24, in VPN to the WAN of the ZyWALL 192.168.1.228 for test and not through Internet access... in a nutshell the client and the WAN port of the ZyWALL are on the same LAN. The situation is explained in the attached image.
Brano (MVM), 2014-May-5 9:28 am
You still have double NAT there. So-called DMZ on home routers is still behind NAT. The best would be to put the ASUS into bridge mode, then connect the USG, then from the USG create LAN1 and LAN2. LAN1 for your regular PCs, LAN2 for those you want to separate, i.e. 192.168.1.2 as you have it today.
rosariok24
OK, but with this configuration can I test the VPN locally? This configuration is temporary, to test the VPN configuration in the LAN.. but it doesn't work... after the VPN starts in the LAN I will create the NAT policy to communicate on the INTERNET..
I want to connect the client 192.168.1.2/24 in VPN to the ZyWALL USG on the IP 192.168.1.228/24 for test, after that I will try to configure it to communicate outwards..
Brano (MVM), 2014-May-5 8:14 pm
Post your IKE and IPsec logs from the USG while trying to connect to the VPN.
IPsec Log
So, this is the only IPsec log; the IKE log is empty... I think that I don't communicate with the USG...
rosariok24
IPSEC
This is the only log inside the USG... the IKE log is empty... I think that I don't communicate with it!!
rosariok24
port nat | service nat | ike log
I have configured the router in this mode: and this is the IKE log (connection from my iPhone with a 3G connection)... the IPsec log is empty.
Brano (MVM), 2014-May-6 10:21 pm
Looks like you have an IKE Phase 1 mismatch. ... double-check your settings.
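As an added illustration of what "IKE Phase 1 mismatch" means (constructed example code, not from the thread, from Zyxel, or from any real IKE stack): a minimal model of IKEv1 Phase 1 negotiation in which the responder (the USG) accepts the first transform the client offers whose encryption, hash, DH group and authentication method all appear in its own policy, plus a helper that reports which attribute each offer failed on. The Transform/ResponderPolicy names and the sample proposals are assumptions, not the real Windows 7 or iOS defaults.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed (constructed) model of an IKEv1 Phase 1 transform: the initiator
# (Windows 7 / iOS client) offers a list of these; the responder (the USG)
# accepts the first one whose four attributes are all in its own policy.
@dataclass(frozen=True)
class Transform:
    enc: str        # encryption, e.g. "aes256", "3des"
    hash_alg: str   # integrity/PRF hash, e.g. "sha1", "md5"
    dh_group: int   # Diffie-Hellman group number, e.g. 2, 14
    auth: str       # authentication method, e.g. "psk" or "cert"

@dataclass
class ResponderPolicy:
    enc: set
    hashes: set
    dh_groups: set
    auths: set

    def rejected_attrs(self, t: Transform) -> List[str]:
        """Names of the transform attributes this policy does not allow."""
        checks = [("enc", t.enc in self.enc), ("hash", t.hash_alg in self.hashes),
                  ("dh_group", t.dh_group in self.dh_groups),
                  ("auth", t.auth in self.auths)]
        return [name for name, ok in checks if not ok]

def negotiate_phase1(offered: List[Transform], policy: ResponderPolicy) -> Optional[Transform]:
    """First offered transform the responder accepts, or None (= Phase 1 mismatch)."""
    for t in offered:
        if not policy.rejected_attrs(t):
            return t
    return None

def explain_mismatch(offered: List[Transform], policy: ResponderPolicy) -> List[Tuple[Transform, List[str]]]:
    """For each offered transform, which attributes the responder rejects.
    This is what to compare against the IKE log to see what to change on the USG or client."""
    return [(t, policy.rejected_attrs(t)) for t in offered]

# Constructed sample values (not real Windows/iOS defaults): the client offers
# two transforms, both with DH group 2; the USG was left allowing only group 14.
CLIENT_OFFER = [Transform("aes256", "sha1", 2, "psk"),
                Transform("3des", "sha1", 2, "psk")]
USG_STRICT = ResponderPolicy({"aes256"}, {"sha1"}, {14}, {"psk"})
# Same policy after adding group 2 and 3DES: Phase 1 now completes.
USG_FIXED = ResponderPolicy({"aes256", "3des"}, {"sha1"}, {2, 14}, {"psk"})
```

With USG_STRICT no offer is accepted (the mismatch Brano describes); with USG_FIXED the first offer, AES-256/SHA1/group 2/PSK, is chosen.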