L2TP Client NAT Issue

Federico  Posts: 1
edited April 2021 in Security

I looked at the forum and I saw a lot of discussion regarding an L2TP server behind NAT, but never an L2TP client, so here's a question.

I have a pair of USG20-VPNs set up: one is in a headquarters office, the other is in a remote office. Both are directly on the internet (I use DDNS to obtain names for the two locations), so they are NOT behind NAT.

I have an IPsec tunnel between the two, so both offices' networks are reachable from within the office networks; all internet-bound traffic is routed out of the headquarters office. I wanted users with mobile phones (iOS) to be able to access the corporate network, so I configured the headquarters USG20-VPN to support L2TP/IPsec VPN, and it works great as long as the iOS users are on cellular data (and therefore not behind NAT).

As soon as the iOS users are on WiFi somewhere (and, therefore, behind NAT) they can no longer access the headquarters VPN server. Any suggestions?

Again, the server is NOT behind NAT: it is right on the internet with a public address and reachable directly. It is the client that is behind NAT.

If I were able to modify settings on the WiFi router (I have control over some of the places the iOS users go to), is there a way I could configure NAT on the router so the clients could stand up the VPN?

All Replies

  • CHS
    CHS Posts: 177  Master Member

    Hi @Federico

    As per your description, you have already forwarded all client traffic from the branch to headquarters via the site-to-site VPN, but you still want to establish an L2TP VPN tunnel as well.

    So your scenario is "double VPN", and it looks like the USG doesn't support it.


    You can still avoid the double-VPN situation:

    Route the branch L2TP client traffic out the WAN interface, and the L2TP tunnel should work.

    L2TP service ports: IKE (500), NAT-T (4500), ESP (50).

    In my test configuration at headquarters, both VPN gateway settings use the same pre-shared key.

    You may give it a try.
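The reply above lists the ports involved (IKE on UDP 500, NAT-T on UDP 4500, ESP as protocol 50). Whether a client ends up on 500 or 4500 is decided by the NAT-D exchange of RFC 3947, which is exactly the mechanism that distinguishes the cellular case (public address, no NAT) from the WiFi case (private address behind a home router) in the original question. The Python below is an added illustration for this thread, not code from the forum posts or from Zyxel firmware: it computes the NAT-D hashes both peers send, runs the receiver-side comparison, and reports which side is behind NAT and which port/encapsulation follows. The IKE cookies, addresses and ports are constructed sample values, and SHA-1 is assumed as the phase 1 hash (in a real exchange it is whatever phase 1 negotiated).

```python
"""NAT detection in IKE (RFC 3947 NAT-D payloads) for an L2TP/IPsec road warrior.

Added illustration for this thread; not code from the forum posts or from Zyxel.
Cookies, addresses and ports are constructed sample values, and SHA-1 is assumed
as the phase 1 hash (the real hash is whatever phase 1 negotiated).
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 4.
    IP is the raw address (4 bytes for IPv4), Port is 2 bytes, network order."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKE cookies (SPIs) are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def nat_d_payloads(cky_i, cky_r, peer_ip, peer_port, own_ip, own_port):
    """What a sender puts on the wire: first the hash of the peer's address as
    the sender sees it, then the hash of the sender's own address as the sender
    believes it to be (a multi-homed host may send several of the latter)."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, own_ip, own_port)]


def nat_check(cky_i, cky_r, received, own_ip, own_port, seen_peer_ip, seen_peer_port):
    """Receiver side. Returns (peer_is_behind_nat, i_am_behind_nat).

    The first received hash is the peer's view of *our* address: if it differs
    from the hash of our real address, our packets were translated on the way.
    The remaining hashes are the peer's view of its *own* address: if none of
    them matches the hash of the source we actually observed, the peer sits
    behind a NAT."""
    peer_view_of_us, peer_self = received[0], received[1:]
    i_am_natted = peer_view_of_us != nat_d_hash(cky_i, cky_r, own_ip, own_port)
    observed = nat_d_hash(cky_i, cky_r, seen_peer_ip, seen_peer_port)
    peer_natted = observed not in peer_self
    return peer_natted, i_am_natted


def negotiate(client_ip, server_ip, nat_public_ip=None, nat_public_port=None):
    """Simulate the NAT-D exchange (main mode messages 3 and 4) between an
    L2TP/IPsec client and a server on a public address, as in the thread.
    If nat_public_ip/port are given, the client is behind a NAT and the server
    observes that translated source instead of client_ip:500."""
    cky_i = bytes.fromhex("0123456789abcdef")   # constructed initiator cookie
    cky_r = bytes.fromhex("fedcba9876543210")   # constructed responder cookie
    client_port = server_port = 500
    seen_ip = nat_public_ip or client_ip
    seen_port = nat_public_port or client_port

    # Client -> server: client hashes the server as it sees it, then itself.
    to_server = nat_d_payloads(cky_i, cky_r, server_ip, server_port, client_ip, client_port)
    client_natted, server_natted = nat_check(
        cky_i, cky_r, to_server, server_ip, server_port, seen_ip, seen_port)

    # Server -> client: server hashes the client as it observed it, then itself.
    to_client = nat_d_payloads(cky_i, cky_r, seen_ip, seen_port, server_ip, server_port)
    server_natted_c, client_natted_c = nat_check(
        cky_i, cky_r, to_client, client_ip, client_port, server_ip, server_port)
    assert (client_natted, server_natted) == (client_natted_c, server_natted_c)

    nat = client_natted or server_natted
    return {
        "client_behind_nat": client_natted,
        "server_behind_nat": server_natted,
        # With a NAT on either side both peers float IKE to UDP 4500 and wrap
        # ESP in UDP (RFC 3948); otherwise ESP rides as IP protocol 50 directly.
        "ike_port": 4500 if nat else 500,
        "esp_transport": "UDP-encapsulated ESP on UDP 4500" if nat else "ESP, IP protocol 50",
    }


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread: cellular (public address)
    # versus WiFi behind a home router that rewrites 192.168.1.20:500.
    print("cellular:", negotiate("198.51.100.7", "203.0.113.10"))
    print("wifi/NAT:", negotiate("192.168.1.20", "203.0.113.10",
                                 nat_public_ip="198.51.100.200", nat_public_port=31234))
```

The practical consequence for a WiFi router the client sits behind: once NAT is detected, both IKE and ESP travel as UDP on port 4500, so the router only has to let outbound UDP 500 and 4500 through and keep their conntrack mappings stable for the life of the tunnel; it never has to pass IP protocol 50 for a client behind it. A server-side log of a working NAT-T session should therefore show the peer arriving on 4500 after the initial 500 exchange.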

  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee

    Hi @Federico

    "As soon as the iOS users are on WiFi somewhere (and, therefore, behind NAT) they can no longer access the headquarters VPN server. Any suggestions?"

    Do you mean that when your iOS users are using WiFi behind NAT somewhere else (not in the HQ or branch office), the mobile device is not able to access the HQ office via L2TP?

    If so, this issue should not happen, since the L2TP server is always listening on the same port. Have you seen any connection-failure related logs on the server side? Can you share them with us?
