USG 110 4.25: L2TP traffic blocked after upgrade

Nakyll
Nakyll Posts: 10
edited April 2021 in Security

Hello,

If I try to upgrade our USG 110, all the versions before 4.25 block the traffic from the L2TP IPsec VPN.


I looked through all the logs to find a solution to allow the blocked traffic, but no way...


I also allowed the traffic from WAN (local remote subnet) to all...

All Replies

  • mMontana
    mMontana Posts: 1,298  Guru Member

    You cannot connect to L2TP IPsec? Or you cannot connect from the L2TP subnet to LAN1?

  • Nakyll
    Nakyll Posts: 10

    Sorry for my bad English!!!


    The tunnel is UP, but I can't connect from the L2TP IP pool range to LAN1.

    With the old firmware all is OK. If I upgrade after version 4.25, there is no way to allow traffic.

  • mMontana
    mMontana Posts: 1,298  Guru Member

    There is a way, I can assure you. ;)

    I do not have a spare 4.35 device to start from scratch, but I suggest you double-check your setup against this PDF

    and consider that on most occasions there are one or two firewall rules missing.

    One from L2TP zone and subnet to LAN1 zone and subnet

    One from LAN1 zone and subnet to L2TP zone and subnet

    Also, by default the L2TP subnet does not have access to the WAN interface (for connecting to the internet via the USG device).

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee

    Hi @Nakyll,

    The L2TP VPN is able to work after you follow the guide in the wizard to configure L2TP VPN.

    The L2TP users can access the LAN resource and Internet.

    Here are FAQs for your reference.

    If L2TP VPN is still not working, share your topology and settings such as L2TP VPN, IPSec VPN and policy route with us.

    How to use the VPN Setup Wizard to create a L2TP VPN on the ZyWALL/USG

    How to configure L2TP on ZyWALL

  • Nakyll
    Nakyll Posts: 10

    Hello,

    My L2TP works perfectly under firmware version 4.25 with a RADIUS server and OTP accounts!

    If I upgrade to the new firmware, the connection goes UP but there is no traffic in the tunnel!

    (Tried also to bypass the RADIUS server, working with a local account)

    (screenshot: https://us.v-cdn.net/6029482/uploads/836/9QG5MSC6FB9X.png)

    This is the route on 4.25.

    Tried also to make a route from lan1 to the tunnel with the correct source and destination.

    It seems that the L2TP routes are totally ignored (I tried also to make a new L2TP VPN... no way).


    Suggestions?

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee

    Hi @Nakyll,

    In your configuration file, the two subnets lan1 and lan2 overlap.

    The range of WIZ_VPN_LOCAL for the L2TP VPN client pool also overlaps with lan1.

    You need to

    1. Disable lan2.

    2. Modify the range of WIZ_VPN_LOCAL for L2TP VPN client pool. Ex: 10.10.10.1-10.10.10.20.


    After ZyWALL110 is upgraded from 4.25 to 4.35, the L2TP VPN client is able to ping lan1 and 8.8.8.8 successfully.

    Note that the IP pool for L2TP VPN clients and SSL VPN clients cannot conflict with any WAN/LAN/DMZ/WLAN subnet, even if they are not in use.
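The two checks Zyxel_Emily describes (interface subnets overlapping each other, and the VPN client pool overlapping any interface subnet) are easy to run against a config before upgrading. The following is an added example, not code from the thread or from Zyxel: it uses Python's standard `ipaddress` module, and the interface addresses and the "before" pool are constructed values chosen to reproduce the overlap pattern the reply names (lan2 inside lan1, pool inside lan1); `WIZ_VPN_LOCAL` is the object name from the thread, the rest of the names are assumed.

```python
import ipaddress

# Constructed sample of the interfaces a USG/ZyWALL would have (address/prefix as
# configured on each interface). lan2 is deliberately a sub-range of lan1, as in
# the thread. Disabled interfaces must still be listed: the reply says the pool
# must not conflict with a subnet even if it is not in use.
INTERFACES = {
    "wan1": "203.0.113.2/30",
    "lan1": "192.168.1.1/24",
    "lan2": "192.168.1.129/25",   # overlaps lan1
    "dmz":  "192.168.3.1/24",
}

# Constructed "before" and "after" values for WIZ_VPN_LOCAL (L2TP client pool).
POOL_BEFORE = ("192.168.1.200", "192.168.1.220")   # inside lan1: will be flagged
POOL_AFTER = ("10.10.10.1", "10.10.10.20")        # the range suggested in the reply


def subnet_overlaps(interfaces):
    """Return (name, name) pairs of interfaces whose subnets overlap each other."""
    nets = [(name, ipaddress.ip_network(cidr, strict=False))
            for name, cidr in interfaces.items()]
    pairs = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i][1].overlaps(nets[j][1]):
                pairs.append((nets[i][0], nets[j][0]))
    return pairs


def pool_conflicts(pool_start, pool_end, interfaces):
    """Return the names of interfaces whose subnet overlaps the client pool [start, end].

    The pool is given as an inclusive address range, the way the USG wizard
    expresses WIZ_VPN_LOCAL, rather than as a CIDR block.
    """
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if end < start:
        raise ValueError("pool end precedes pool start")
    conflicts = []
    for name, cidr in interfaces.items():
        net = ipaddress.ip_network(cidr, strict=False)
        # Two ranges overlap unless one lies entirely below the other.
        if not (end < net[0] or start > net[-1]):
            conflicts.append(name)
    return conflicts


def check_config(interfaces, pool):
    """Summarise both checks; an empty result means the config is clean."""
    return {
        "interface_overlaps": subnet_overlaps(interfaces),
        "pool_conflicts": pool_conflicts(pool[0], pool[1], interfaces),
    }


if __name__ == "__main__":
    print("before fix:", check_config(INTERFACES, POOL_BEFORE))
    fixed = {k: v for k, v in INTERFACES.items() if k != "lan2"}  # step 1: disable lan2
    print("after fix: ", check_config(fixed, POOL_AFTER))        # step 2: new pool range
```

Run it as-is to see the "before" state flag both lan1/lan2 and the pool, and the "after" state (lan2 removed, pool moved to 10.10.10.1-10.10.10.20) come back clean. Substituting your own interface list and pool range turns it into a pre-upgrade sanity check.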

