USG20(remote) No lan access over L2TP from my home network

CcHuMi
CcHuMi Posts: 16  Freshman Member
First Anniversary 10 Comments Friend Collector
edited April 2021 in Security
Hi all,

first of all i am proud to be here.
This is my question.

I must configure a l2tp vpn for a client (remote vpn) with a USG20-W.
No problem at all i can connect to their VPN from everywhere.

But i have a problem accessing remote local network.

HOME(192.168.1.0) ->BBOX-> INTERNET -> LIVEBOX (192.168.1.1) -> USG20(192.168.1.2)

In this configuration i can't access remote LAN but vpn connect fine.

But in this configuration it works. Why ?

HOME(192.168.2.0) ->BBOX-> INTERNET -> LIVEBOX (192.168.1.1) -> USG20(192.168.1.2)

As you can see if i change my home network to anything other than 192.168.1.0. Here 192.168.2.0.
I can access remote lan.
I test it from iphone and osx (all traffic throught vpn).


Does i must enable or configure something else ?

Thanks

Comments

  • zyman2008
    zyman2008 Posts: 197  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    HOME(192.168.1.0) ->BBOX-> INTERNET -> LIVEBOX (192.168.1.1) -> USG20(192.168.1.2)


    The IP subnet of your Home is overlap with LAN of USG20.
    So that the vpn client on Home network will not go into the tunnel to LAN of USG20.

    To change either LAN subnet of USG20 or your Home subnet to another subnet (ex. 192.168.10.0/255.255.255.0) can solve the issue.
  • CcHuMi
    CcHuMi Posts: 16  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Hi thanks for your answer.
    This is what i have understand but i cannot do that because i am not the network administrator, they just asking me to configure the vpn. So I can't change the network subnet on the remote side.
    I can change subnet on my home side but the VPN is needed for VPN nomade users so they could encounter the same problem in another place they connect.

    Did SNAT could be useful in this configuration ?
  • Ian31
    Ian31 Posts: 165  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    It's not help with SNAT. The problem is the behavior of client's OS.
    In general, direct connect subnet priority is higher than others.
    The client will send out traffic to local(192.168.1.0) instead go into the tunnel.

    DNAT could be one of the solution. Mapped the USG20 LAN to another subnet.
    And the client connect to the mapped IP address instead of 192.168.1.0 subnet.

    It works for IPSec VPN. But not sure if that works for L2TP/IPSec.

  • Ian31
    Ian31 Posts: 165  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    After some test, it works with DNAT in L2TP/IPSec tunnel.
    Here the steps,
    1.Create an address object of subnet to map to USG lan (192.168.1.0/24)
       For example, I select 192.168.10.0/24 as the mapped address.
       Go to Object > Address, add the address object.
       

    2.Configure NAT in VPN connection rule of L2TP/IPsec
       Go to VPN > IPSec VPN > VPN Connection page. Edit "WIZ_L2TP_VPN" rule(if the rule was
       setup via VPN wizard).
       (1) Click "Show Advenced Settings" on top of the pop-up window
       (2) On the bottom of the page, enable "Destination NAT" of Inbound Traffic.
       (3) Add DNAT rule,
            Original IP: select address object created in step 1.
            Mapped IP: select "LAN1_SUBNET" object


    3. Dial-up VPN from remote client and access the LAN of USG20.
        Access the 192.168.10.x IP address instead of the original USG20 LAN IP address 192.168.0.x
        

Security Highlight