Zyxel_Charlie Posts: 1,034 Zyxel Employee
October 2017 edited June 2022 in VPN
The example instructs how to configure the VPN tunnel between each site. When the VPN tunnel is configured, each site can be accessed securely, and traffic from L2TP clients is allowed to go to the Internet.
Topology:
Note:
All network IP addresses and subnet masks are used as examples in this article.
Please replace them with your actual network IP addresses and subnet masks.
This example was tested using a USG310 (Firmware Version: 4.13) and an Android device (Android version: 5.0).
Step 1: Set Up the L2TP VPN Tunnel on the ZyWALL/USG
1. In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard and use the VPN Settings for L2TP VPN Settings wizard to create an L2TP VPN rule that can be used with the remote Android mobile devices. Click Next.
Quick Setup > VPN Setup Wizard > Welcome
2. Then, configure the Rule Name and set My Address to be the wan1 interface which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters).
Quick Setup > VPN Setup Wizard > Welcome > VPN Settings
3. Assign the remote users' IP address range from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet. Click Next.
Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings)
4. This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary)
5. Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard.
Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed
6. Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add a User Name and Password (4-24 characters). Then, set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example).
CONFIGURATION > VPN > L2TP VPN > Create new Object > User
Configure the L2TP VPN
7. If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection. Set the Source Address to be the L2TP address pool. Set the Next-Hop Type to Trunk and select the appropriate WAN trunk.
CONFIGURATION > Network > Routing > Policy Route
Tagged:
- L2TP VPN
- VPN
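A pre-flight check for the values the wizard asks for, added here as an example and not part of the original post or any Zyxel tool. It encodes the limits stated above (pre-shared key 8-32 characters, user password 4-24 characters) and verifies that the L2TP client address pool does not overlap a LAN subnet the tunnel must reach; the LAN subnet 192.168.1.0/24 and the character-class rule for the key are assumptions, not something the post specifies.

```python
# Added example (not Zyxel code): validate L2TP VPN wizard settings before
# applying them on the ZyWALL/USG. Constraints taken from the post: PSK 8-32
# characters, password 4-24 characters. The pool/LAN overlap check and the
# PSK character-class rule are this example's own assumptions.
import ipaddress


def pool_size(pool_start, pool_end):
    """Number of client addresses in an inclusive IPv4 pool."""
    return int(ipaddress.ip_address(pool_end)) - int(ipaddress.ip_address(pool_start)) + 1


def check_l2tp_settings(psk, password, pool_start, pool_end, lan_subnets):
    """Return a list of problems found; an empty list means the settings look consistent."""
    problems = []
    if not 8 <= len(psk) <= 32:
        problems.append("pre-shared key must be 8-32 characters")
    # Assumption: a "secure" PSK mixes at least three character classes.
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in psk))
    if any(not c.isalnum() for c in psk):
        classes += 1
    if classes < 3:
        problems.append("pre-shared key should mix at least three character classes")
    if not 4 <= len(password) <= 24:
        problems.append("user password must be 4-24 characters")

    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start.version != 4 or end.version != 4:
        problems.append("L2TP pool must be IPv4")
        return problems
    if end < start:
        problems.append("pool end is lower than pool start")
        return problems
    # summarize_address_range yields the networks that exactly cover the pool,
    # which lets us test overlap against each LAN subnet without walking hosts.
    pool_nets = list(ipaddress.summarize_address_range(start, end))
    for lan in lan_subnets:
        lan_net = ipaddress.ip_network(lan, strict=False)
        if any(net.overlaps(lan_net) for net in pool_nets):
            problems.append(f"pool {pool_start}-{pool_end} overlaps LAN subnet {lan}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the pool from the post against an assumed LAN subnet.
    for p in check_l2tp_settings("Zyxel-example-psk1", "zyx168",
                                 "192.168.10.10", "192.168.10.20", ["192.168.1.0/24"]):
        print("problem:", p)
```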
srihiru Posts: 6
November 2021
Hi, I tried this tutorial and it never worked, and I tried other tutorials too; I didn't find a solution to connect via L2TP. Can you please help me? I did it exactly the way you explained.
Zyxel_Jeff Posts: 1,054
Zyxel Employee
November 2021
Hi @srihiru
Can you provide your device config file to us via private message for further investigation?
anno_t34 Posts: 12
Freshman Member
December 2021 edited December 2021
Could you provide a USEFUL documentation, instead of spreading the same misleading documentation, like this one.
Just read the first paragraph of this tutorial:
"The example instructs how to configure the VPN tunnel between each site. When the VPN tunnel is configured, each site can be accessed securely and allow traffic from L2TP clients to go to the Internet."
What a nonsense!
Have a look at the picture above. Is the "Networking Pool" on the other side of the tunnel, on the "Android Device"? Really?
The old saying RTFM only applies if the FM is correct and well written, which unfortunately for ZyWALL manuals, since ZyWALL 2 if I remember, is not the case.
Regards,
A.
Zyxel_Jeff Posts: 1,054
Zyxel Employee
December 2021
Hi @anno_t34
Thanks for your suggestion.
We have corrected this title to "How to configure L2TP VPN with Android Mobile Devices".
You can refer to our latest handbook, P.242~253.
https://download.zyxel.com/ATP500/handbook/ATP500_ZLD5.10_Handbook.pdf
BTW, "Networking Pool” means the L2TP client's IP address pool.
anno_t34 Posts: 12
Freshman Member
December 2021
1. Title "IPSec/L2TP Connection: RemoteClient to Site (zywall Server Role).
2. Enumerate the requirements for implementing the connection.
2.1 : Server Side requirements, includes ISP services.
2.3 : Client Side requirements, includes ISP services.
Can you build an IPSec/L2TP VPN Connection from a client device which is behind a firewall that filters IPSec/L2TP protocols?
Can you build an IPSec/L2TP VPN Connection to a VPN Server which is NAT'ed by the ISP (private NAT or CGNAT, out of your control)?
How can you build an IPSec/L2TP VPN connection, if the VPN Server has a dynamic public IP address?
Anyway, establishing an IPSec/L2TP channel per se has no value. What matters is a full case scenario, that describes ALL steps including the implementation of the required firewall security policies, troubleshooting methods, etc.
From the tutorial above, you can get the impression that configuring a VPN connection is a piece of cake, which it is not. Securing one is another story.
I made this picture, that should provide a more realistic view of the landscape. Feel free to correct me, if I'm wrong.
Regards,
A.
Zyxel_Jeff Posts: 1,054
Zyxel Employee
December 2021
Hi @anno_t34
Thanks for your suggestion.
We will enhance the contents of the technical document for L2TP behind NAT scenarios in the future.