USG110 IPsec/L2TP VPN using Windows10 Client

MyUSG110
MyUSG110 Posts: 5  Freshman Member
edited April 2021 in Security

Hello,

I am using a USG 110 unit and installed an L2TP VPN with the wizard. My USG is behind an "LTE Cube"; I forwarded ports 500 and 4500 to the WAN port of the USG. I have no possibility to turn off the "LTE Cube" router or NAT to work only as a modem!

In Windows 10 I configured a VPN Client

VPN Type: L2TP/IPsec, Key (same as in USG), only PAP as suggested in a Zyxel YouTube video. Connecting the client results in an L2TP connection error: "... not possible to negotiate compatible parameters with the remote computer ..." (translated from German, sorry). Wireshark shows that the communication over port 500 and 4500 was possible, but stops in ISAKMP "Informational". I guess that something in the configuration on the server or client side is wrong.

Any idea or sample on how to solve this problem is appreciated.

Thanks in advance, Simon

Comments

  • [Deleted User]
    [Deleted User] Posts: 118  Zyxel Employee
    Dear @MyUSG110
    Assuming your provider is not the issue here, I will go into your config.

    L2TP also needs protocol 50 (ESP).
    This is needed for the actual data transport on the tunnel.
    As an example, see the screenshot showing the default allow WAN to ZyWALL rules.


    Second,
    I think you should take a look at the next KB article.
    http://support.zyxel.eu/Support/30062/30085/en-GB/Article/View/83566/How-do-I-configure-the-ZyWALL-for-a-L2TP-server-behind-NAT

    Because you are also behind NAT, I think you should import the reg key into your Windows client.

    Let me know if this helps or not!
    Kind regards
    Mark
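The two client-side steps Mark describes (the NAT-T registry value and the L2TP/IPsec connection with PAP) can be scripted. The following is an added example written for this thread, not code from Zyxel or from the KB article; the server address and connection name are placeholders, the registry value name is the one Microsoft documents for L2TP/IPsec behind NAT, and the script assumes an elevated PowerShell prompt on Windows 10.

```powershell
# Added example (not from the thread): set up a Windows 10 L2TP/IPsec client
# for a USG that sits behind a NAT router, as recommended in the reply above.
# Assumptions: run as Administrator; 'vpn.example.invalid' is a placeholder for
# the public address of the LTE cube; the PSK is prompted for, never hard-coded.

$ServerAddress  = 'vpn.example.invalid'   # placeholder, replace with your public IP/DNS name
$ConnectionName = 'USG110-L2TP'            # placeholder name for the VPN entry

# Step 1: tell the Windows IPsec client that the peer is behind NAT.
# Value 1 = server behind NAT, 2 = client AND server behind NAT.
# A reboot is required before the new value takes effect.
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$regName  = 'AssumeUDPEncapsulationContextOnSendRule'
New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 2 -Force | Out-Null

# Verify the value was written as expected.
$current = (Get-ItemProperty -Path $regPath -Name $regName).$regName
if ($current -ne 2) { throw "Registry value $regName is $current, expected 2" }

# Step 2: create the L2TP/IPsec connection with a pre-shared key.
# PAP is used because that is what the original post configured; with PAP the
# PPP layer cannot use MPPE, so the encryption level must not be 'Required'.
# The PPP credentials still travel inside the IPsec-protected tunnel.
$psk = Read-Host -Prompt 'IPsec pre-shared key (same as on the USG)'
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $ServerAddress `
                  -TunnelType L2tp `
                  -L2tpPsk $psk `
                  -AuthenticationMethod Pap `
                  -EncryptionLevel Optional `
                  -RememberCredential `
                  -Force

# Show the resulting entry so the tunnel type and auth method can be checked.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Connect interactively; replace USER with the L2TP user defined on the USG.
# rasdial $ConnectionName USER
```

A practical caveat when checking the router in front of the USG: Test-NetConnection only probes TCP, so it cannot confirm that UDP 500/4500 are forwarded, and ESP (IP protocol 50) is not a port at all. The only reliable check is the capture itself: if ISAKMP on 500 completes and NAT-T traffic on 4500 follows, the forwarding works; if phase 1 ends in an "Informational" exchange, compare the proposals and the pre-shared key on both sides.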
  • MyUSG110
    MyUSG110 Posts: 5  Freshman Member

    Hi Mark,

    Thank you for your response! I opened the service and in Security Policy, everything you mentioned above is in there. I configured our Windows Server 2008 to offer PPTP and IPsec/L2TP service just for the sake of testing, and it is working from any Windows VPN client but not from Android. But this might be another issue. So I'm confident that it's not a provider problem. As said, Wireshark shows the basic crypto handshake over 500 and 4500 until a certain. My problem is that the LTE cube has no logging function. I'm not able to track down if something has been blocked there. I turned off the LTE Cube firewall, but this had no effect. Would you suggest more ports than 500, 4500 (UDP) to open to get it to work with the USG110? I'll check your link.

    Kind regards

    Simon

  • MyUSG110
    MyUSG110 Posts: 5  Freshman Member

    Hi Mark,

    I made a simple test and connected the VPN client directly to WAN1. Now I can connect to the USG110; the client receives its dynamic IP within the local subnet, 192.168.1.170. However, I'm not able to ping another computer in that subnet, e.g. 192.168.1.250. What I have not understood is the POLICY column in VPN Connection. According to the help it is the local policy (security policy?) but shows an INTERFACE IP of WAN1 (192.168.0.1). Why? Inside the Add/Edit screen it should have the Local Policy ("Select the address corresponding to the local network") and the Remote Policy, which I don't have? If I change the local policy to e.g. 192.168.1.250, the computer I want to connect to, the remote client can no longer connect to the USG. Can you please give me some clarification?

    Thanks, Simon

  • ali
    ali Posts: 2  Freshman Member
    Hi, I have an FTP server placed on lan2 of a USG100; it gets its IP from the lan2 DHCP, and on the other hand we have configured IPsec VPN as well for remote users to get access to the FTP server through IPsec.
    The issue is that the remote user can establish the IPsec VPN successfully and also reach lan2, but is unable to access devices attached to lan2.
</br>
     
    lan2 ip: 10.9.0.1
    lan2 pool: 10.9.0.5-10
    l2tp pool: 10.7.0.1-5

    Kindly help.
  • MyUSG110
    MyUSG110 Posts: 5  Freshman Member

    Hi,

    It sounds similar to what we have here. As written in my former post, a VPN connection between the remote client and the USG110 is possible. However, a remote ping or SMB2 to any IP on LAN1 doesn't work!

    I've inserted an Ethernet tap between the USG110 P4 (LAN1) port and a test computer with IP x.x.x.33. Here I can monitor the data flow on that path with Wireshark. What I can see is that the remote client's ping is received at WAN->(VPN)->USG110->LAN1=P4 => x.x.x.33. The USG110 log shows an incoming ICMP and FORWARD. Next, computer x.x.x.33 returns the ICMP reply to the USG110 correctly! However, the USG110 does not return this reply via VPN to the remote client.

    The same is with any other protocol, like SMB2. This means it's not a problem with a Windows firewall on the local or remote site. The local response is simply not sent back via the USG110 to the remote client. I have also found no more information in the USG log. No idea what more I could do.

    Please help

  • [Deleted User]
    [Deleted User] Posts: 118  Zyxel Employee
    Dear Simon

    Can you please answer my PM message or send me that packet trace?

    Kind regards
    Mark
  • MyUSG110
    MyUSG110 Posts: 5  Freshman Member

    Mark,

    I could fix my problem after updating from 4.15 to 4.3.

    Thank you for your support

  • [Deleted User]
    [Deleted User] Posts: 118  Zyxel Employee
    No problem!

    Kind regards
    Mark
