L2TP Client NAT Issue

FedericoFederico Member Posts: 1
edited March 27, 2020 11:06AM in ZyWALL USG Series

I looked at the forum and I saw a lot of discussion regarding an L2TP server behind NAT, but never an L2TP client, so here's a question.

I have a pair of USG20-VPN setup: one is in a headquarters office, the other is in a remote office. Both are directly no the internet (I use DDNS to obtain names for the two locations), so they are NOT behind NAT.

I have an IPSEC tunnel between the two, so both offices' networks are reachable from within the office networks; all internet bound traffic is routed out of the headquarters office. I wanted users with mobile phones (iOS) to be able to access the corporate network so I configured the headquarters USG20-VPN to support L2TP/IPSEC VPN and it works great as long as the iOS users are on cellular data (and therefore not behind NAT).

As soon as the iOS users are on WiFi somewhere (and, therefore, behind NAT) they can no longer access the headquarters VPN server. Any suggestions?

Again, the server is NOT behind NAT: it is right on the internet with a public address and reachable directly. It is the client that is behind NAT.

If I were able to modify settings on the WiFi router (some of the places the iOS users go to I have control on) is there a way I could configure NAT on the router so the clients could stand up the VPN?


All Replies

  • CHSCHS Member, SecuReporterBeta Posts: 40  Freshman Member

    Hi @Federico

    As your description, you already forwarded all of client traffic from branch to headquarter by site to site VPN, but still like to establish L2TP VPN tunnel again.

    So you scenario is "Double VPN". And it looks USG doesn't support it.

    You still can prevent double VPN situation:

    Route branch L2TP client traffic by WAN interface, and L2TP tunnel should be workable.

    L2TP Service Port: IKE(500), NATT(4500). ESP(50).

    In my test configuration on headquarter, both of VPN gateway setting are with same pre-shared key.

    You may have a try on it.

  • Zyxel_VicZyxel_Vic Zyxel Official Agent Posts: 134  mod

    Hi @Federico

    "As soon as the iOS users are on WiFi somewhere (and, therefore, behind NAT) they can no longer access the headquarters VPN server. Any suggestions?"

    Do you mean that when your iOS users using wifi behind NAT at somewhere else (not in the HQ or branch office), the mobile device will not be able to access to the HQ office via L2TP??

    If so, this issue should not happen since L2TP server is always listening on the same port. Had you seen any connection failure related log on the server site?? Can you share with us?

Sign In to comment.