chipconn
Premium Member
join:2014-07-08
Milwaukee, WI

USG50 L2TP/IPSEC VPN almost working (I think)

Hello all,

I am really close (I think) to getting my L2TP/IPSEC VPN working.

I can connect using the Win7 client.
I can't ping or see any computers on the network.

IPConfig shows:
PPP Adapter ConnectToOffice:
DHCP Enabled: No
Autoconfiguration Enabled: Yes
IPv4 Address: 192.168.55.2(Preferred)
Subnet Mask: 255.255.255.255
Default Gateway:
DNS Servers: 192.168.55.200
NetBIOS over TCPip: Enabled

Is this right? Where is this IP coming from? Why is the subnet mask 255.255.255.255? Won't that block the whole subnet? Why isn't there a Gateway listed?

Also, if I look in the logs of the USG50, I see a lot of this error:
error IPSEC SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping UDP packet Source:(the Zyxel LAN IP) Destination:(there are a few. None seem to match known IPs)

Zyxel LAN IP: 192.168.55.1
Win7 machine's LAN IP: 192.168.1.67

thanks,
-John
I have a USG50 with 3.30(BDS.5) firmware.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

What do you mean by "I can connect using the Win7 client"? Everything else in your post indicates that you actually can't connect.

It seems that you desire to create L2TP over IPSec VPN yet you're configuring PPP VPN as per your post.
gb5102
join:2003-10-07
Saint Paul, MN

gb5102 to chipconn

Member
Just checked: apparently when you do an 'ipconfig' on Win7 it labels the L2TP connection as 'PPP adapter xxxx'.
said by chipconn:

Is this right? Where is this IP coming from? Why is the subnet mask 255.255.255.255? Won't that block the whole subnet? Why isn't there a Gateway listed?

- The 192.168.55.2 IP should be coming from the 'IP address pool' setting in your USG's L2TP config.

- The 255.255.255.255 mask is normal.

- The gateway is normal. If you do a 'route print' you should see Windows sets the default route to be the VPN connection with gateway 'on-link' (by default Windows sends everything through the tunnel).

What do you have set up for policy routes on your USG?

Should have 1 route:
Incoming:any
Destination:{your-l2tp-address-pool-object}
Next-hop:VPN Tunnel{your-l2tp-connection-object}

And another route (for internet access through the tunnel):
Incoming:Tunnel{your-l2tp-connection-object}
Source:{your-l2tp-address-pool-object}
Next Hop:Trunk{default_wan_trunk}
gb5102 to chipconn

Member

Also, I just noticed the IP address assigned to your L2TP client is in the same subnet as the ZyWALL's LAN IP. That won't work; your l2tp_pool needs to be in a different subnet.
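Added example, not code from any poster in this thread: a small Python check of the two points gb5102 raises, that the L2TP address pool must not overlap the USG's LAN subnet, and that a /32 on the PPP adapter with no gateway blocks nothing because Windows resolves routes by longest prefix and sends everything through the tunnel's default route. The Windows routing table, its metrics and the interface names are constructed for illustration; only the 192.168.55.x and 192.168.1.x addresses come from the thread.

```python
import ipaddress

# Values from the thread: USG50 LAN is 192.168.55.0/24; the client got 192.168.55.2.
LAN_SUBNET = "192.168.55.0/24"


def pool_overlaps_lan(pool_start, pool_end, lan_cidr=LAN_SUBNET):
    """True if any address of the L2TP pool falls inside the LAN subnet
    (gb5102's point: with an overlap the LAN's connected route and the tunnel
    compete for the same addresses)."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    pool = ipaddress.summarize_address_range(
        ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end))
    return any(net.overlaps(lan) for net in pool)


def next_hop(routes, dest):
    """Longest-prefix match with metric tie-break, as 'route print' resolves it.
    routes: list of (cidr, gateway, interface, metric); returns (gateway, interface)."""
    d = ipaddress.ip_address(dest)
    best = None
    for cidr, gw, iface, metric in routes:
        net = ipaddress.ip_network(cidr)
        if d in net and (best is None or
                         (net.prefixlen, -metric) > (best[0].prefixlen, -best[3])):
            best = (net, gw, iface, metric)
    return None if best is None else (best[1], best[2])


# Constructed Windows routing table while the tunnel is up and
# "Use default gateway on remote network" is checked (metrics are illustrative).
FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1", "Ethernet", 25),          # home router
    ("192.168.1.0/24", "on-link", "Ethernet", 281),        # home LAN
    ("0.0.0.0/0", "on-link", "ConnectToOffice", 1),        # tunnel default route
    ("192.168.55.2/32", "on-link", "ConnectToOffice", 1),  # the PPP adapter's /32
]


def split_tunnel_routes(routes, tunnel_iface="ConnectToOffice"):
    """Table after unchecking the option: the tunnel's default route is gone,
    so office hosts fall back to the home router and never get an answer."""
    return [r for r in routes if not (r[0] == "0.0.0.0/0" and r[2] == tunnel_iface)]


if __name__ == "__main__":
    print(pool_overlaps_lan("192.168.55.2", "192.168.55.10"))            # True
    print(next_hop(FULL_TUNNEL_ROUTES, "192.168.55.200"))                # tunnel
    print(next_hop(split_tunnel_routes(FULL_TUNNEL_ROUTES), "192.168.55.200"))
```

Moving the pool to another subnet (for example 192.168.56.x) makes the overlap check pass, and the second lookup shows why unchecking the remote-gateway option stops office hosts from answering.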
chipconn
Premium Member

Hello gb5102 and Brano,

You guys ROCK! Brano, thanks for your quick how-to (»L2TP VPN on USG - quick how-to). That's what got me 95% there.

GB,
I did everything you mentioned and it did the trick with two additions:
In Policy Route:
said by gb5102:

And another route(for internet access thru the tunnel):
Incoming:Tunnel{your-l2tp-connection-object}
Source:{your-l2tp-address-pool-object}
Next Hop:Trunk{default_wan_trunk}

- I needed to change SNAT to 'outgoing-interface'. Without this I couldn't browse the internet through the VPN.

- In the L2TP VPN settings, I used my server (192.168.55.200) as the 1st DNS server. This allowed me to use names instead of IPs.

Other things I noticed:
- In order to ping my server through the VPN I had to have my internet traffic going through the VPN connector. (I had unchecked "Use default gateway on remote network" in VPN Connector Properties -> Networking tab -> TCP/IPv4 properties -> Advanced. It was driving me nuts to have internet access blocked while troubleshooting.)
- To ping the server name or connect to it in Windows Explorer, you need the FQDN, i.e. myserver.mydomain.local and \\myserver.mydomain.local respectively. The server name alone doesn't resolve.

Thanks for the quick responses!
-John