Setup L2TP VPN with ZyXEL USG series

If you are the owner of a ZyXEL USG series firewall, you might as well benefit the L2TP feature, which work seamlessly with Windows,iOS,Android and Linux without extra software needed and still being pretty secure. The caveat is however if you have a large envoirement and many clients that you can’t control, setup can be a cumbersome task, cause there is some manual steps involved.

I’ll cover the firewall setup in this articel and some of the issue’s I came across.

First log in to the firewall, go to configuration, expand VPN -> IPSec VPN
Click the VPN Gateway Tab and click Add

Check Enable and enter a name (“My L2TP GW”)

My Address
Select Interface “WAN1” (Then it should show your WAN IP and Subnet xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy)

Peer Gateway Address
Select Dynamic (As you wont, know where your clients connects from)

Authentication
Pre-Shared Key : Make a PSK for approx 10-12 characters, incl. special signs too, fx MyS3cret!%, this is for Phase 1 of your VPN, you’ll add more security later)

Local ID Type IP
Content : Your WAN IP again

Phase 1 Settings
SA Lifetime 86400
Negotiation Mode : Main
Proposals (you’ll need 2, one is for Windows XP and one is for Windows Vista/7 and above)
1 Encryption 3DES, Authentication SHA1
2 Encryption AES128, Authentication SHA1

Key Group DH2
Check NAT-T
Check Dead Peer Detection

Click OK

Next go VPN Connection tab and click Add

Check Enable and give it a name (“My L2TP Connection”)

VPN Gateway
Select Remote Access (Server Role)
VPN Gateway (“My L2TP GW”)

Policy
Select your WAN IP here, this is important, if you dont have it goto Object – > Address Click Add  Add a HOST with your WAN IP or create a Interface IP

Phase 2 Setting

SA Lifetime 86400
Active Protocol ESP
Encapsulation Transport
Proposal (This time, you just need one)
1. Encryption 3DES, Authentication SHA1

Related Settings
Zone IPSec_VPN (Remember to create your firewall rules based on the Zone you add here)

 

Lastly goto Configuration -> VPN -> L2TP VPN

Enable L2TP over IPSec
Select the VPN Connection you just created (“My L2TP Connection”)
IP Address Pool VPN_IP_POOL (Again here you have to create a Pool of addres’s under Object -> Address Add fx .Subnet 192.168.1.0/24 call it VPN_IP_POOL, it will automaticly use this subnet as DHCP for L2TP connections)
Authentication Default (Here you could setup AD integration)
Allowed User (Create users and or Groups under Object – User/Group)
First DNS Custom Defined (Enter your own DNS server on the Network you’ll connect to)

There you have it, next thing is to setup your L2TP client.

Only things ill mention in here is
Once the VPN Connection is created goto properties and select security, select L2TP/IPSec
Click Advanced settings, here you’ll enter the PSK you created in Phase 1 see above

At the networks tab, you could select properties for IPv4 and choose whether or not to use the Gateway supplied be the remote network. Choose this to go throgh the firewall you are connecting to. For this to work properly, youll have to add a Route, Under Networking -> Routing
Add a route, where all you set is your Source VPN_IP_POOL.

That’s it, now you have a full featured L2TP Gateway.

***UPDATE***

First of all make sure, that your tunnel is actually shut down, you can verify that in SA Monitor, second, what operating system are you using? I have seen som efunny things with Windows XP, where you have to use 3DES and MD5

Depending on your firmware version, the SA monitor should be located under the VPN point.

Crypto map is usually related to the algorythm, 3des/des/SHA etc,

Be sure to check that in both ends once more, and keep in mind that XP ain’t happy about thoose newer algorythms AES/SHA512

 

 

 

Setup guide for iPhone – click here

Leave a Reply

© 2019: Noervig's notes | Easy Theme by: D5 Creation | Powered by: WordPress