USG5120: a VPN client without an internal-network route setting cannot access the network even though L2TP dial-up succeeds.

Publication Date:  2012-09-12 Views:  402 Downloads:  0
Issue Description
The customer reported that L2TP dial-up succeeded, but the client still could not reach the internal-network router.
Alarm Information
Handling Process
On asking, we learned that the customer had not added routes on the client, but wanted to achieve the same result through configuration on the LNS instead. Because the virtual-template (vt) interface is in the trust zone and the server IP is in the same network segment as the device's internal network, we can translate the L2TP dial-up segment to the internal network's gateway simply by adding a NAT conversion. The configuration is as follows:
sysname USG5100
l2tp enable
ike local-name lns
nat address-group 1
nat address-group 2
interface Virtual-Template1
ppp authentication-mode chap
ip address
remote address pool 1
interface GigabitEthernet0/0/0
ip address
interface GigabitEthernet0/0/1
ip address
ipsec policy policy1
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface Virtual-Template1
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
l2tp-group 1
allow l2tp virtual-template 1
tunnel password simple Admin@123
tunnel name lns
local-user test1 password simple Admin@123
local-user test1 service-type ppp
local-user test password cipher +2;R2$>\SHOQ=^Q`MAF4<1!!
local-user test service-type ppp
local-user test level 3
local-user admin password cipher :D84\K7*%0N,YWX*NZ55OA!!
local-user admin service-type web telnet
local-user admin level 3
ip pool 1
ip route-static
nat-policy interzone trust untrust outbound
policy 0
action source-nat
policy source
policy source
address-group 1
nat-policy zone trust
policy 0
action source-nat
policy source
address-group 2
Root Cause
The internal-network route had not been added in the client settings.
In this way we can reach the headquarters' internal network without adding a route on the client.
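The mechanism behind the Handling Process, as an added illustration that is not part of the original case: an internal host with no route for the L2TP address pool sends its reply to its own default gateway instead of back to the firewall, whereas intrazone source NAT on the trust zone makes the client appear with an address on the internal segment, so the host answers directly. All addresses, the host routing table and the NAT address-group value below are constructed assumptions.

```python
import ipaddress

# Constructed example addresses (assumptions, not values from the original case).
L2TP_POOL = ipaddress.ip_network("10.10.10.0/24")        # "ip pool 1": addresses handed to L2TP clients
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")    # trust segment behind GigabitEthernet0/0/0
NAT_GROUP_ADDRESS = ipaddress.ip_address("192.168.1.200")  # address in "nat address-group 2" on that segment

# Routing table of an internal server that knows nothing about the L2TP pool:
# (destination network, next hop). "direct" = on-link, else an internal router
# that is not the firewall and has no route back to the pool.
INTERNAL_HOST_ROUTES = [
    (INTERNAL_NET, "direct"),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.168.1.254")),
]


def next_hop(routes, dst):
    """Longest-prefix match, as the host's forwarding lookup does."""
    best = None
    for net, hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def source_nat(src, apply_nat):
    """Model of 'nat-policy zone trust / action source-nat' applied to traffic
    entering from Virtual-Template1 with a source in the L2TP pool."""
    if apply_nat and src in L2TP_POOL:
        return NAT_GROUP_ADDRESS
    return src


def reply_reaches_firewall(client_ip, apply_nat):
    """True when the server's reply lands back on the trust segment, where the
    firewall answers for the NAT address; False when it leaves via a gateway
    that does not know the L2TP pool."""
    seen_src = source_nat(ipaddress.ip_address(client_ip), apply_nat)
    return next_hop(INTERNAL_HOST_ROUTES, seen_src) == "direct"


if __name__ == "__main__":
    print("without NAT:", reply_reaches_firewall("10.10.10.5", apply_nat=False))  # False
    print("with intrazone NAT:", reply_reaches_firewall("10.10.10.5", apply_nat=True))  # True
```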