USG5120: VPN client cannot reach the internal network after a successful L2TP dial-up when no internal-network route is set on the client.

Publication Date: 2012-09-12
Issue Description
The customer reported that the L2TP dial-up succeeds, but the client still cannot access the internal network router.
Alarm Information
None.
Handling Process
On inquiry we learned that the customer had not added routes on the client, but they wanted to achieve the same result through configuration on the LNS instead. Because the Virtual-Template (VT) interface is in the trust zone and the server's IP address is in the same network segment as the device's internal network, the L2TP dial-up segment can be translated to the internal network's gateway address simply by adding a NAT rule (intrazone source NAT in zone trust). The configuration is as follows:
sysname USG5100
#
l2tp enable
#
ike local-name lns
#
nat address-group 1 1.1.1.1 1.1.1.1
nat address-group 2 192.168.0.1 192.168.0.1
#
interface Virtual-Template1
 ppp authentication-mode chap
 ip address 192.168.3.1 255.255.255.0
 remote address pool 1
#
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.128
 ipsec policy policy1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface Virtual-Template1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
l2tp-group 1
 allow l2tp virtual-template 1
 tunnel password simple Admin@123
 tunnel name lns
#
aaa
 local-user test1 password simple Admin@123
 local-user test1 service-type ppp
 local-user test password cipher +2;R2$>\SHOQ=^Q`MAF4<1!!
 local-user test service-type ppp
 local-user test level 3
 local-user admin password cipher :D84\K7*%0N,YWX*NZ55OA!!
 local-user admin service-type web telnet
 local-user admin level 3
 ip pool 1 192.168.3.2 192.168.3.254
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
nat-policy interzone trust untrust outbound
 policy 0
  action source-nat
  policy source 192.168.0.0 0.0.0.255
  policy source 192.168.3.0 0.0.0.255
  address-group 1
#
nat-policy zone trust
 policy 0
  action source-nat
  policy source 192.168.3.0 0.0.0.255
  address-group 2
#
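As an added check (not part of the original case), the following Python script parses the relevant lines of the LNS configuration above and verifies the conditions this workaround depends on: the whole L2TP address pool is matched by the zone-trust source-NAT policy, the address group it uses translates to the internal gateway address of GigabitEthernet0/0/0, and the Virtual-Template is a member of zone trust. It also flags `password simple` lines, which store credentials in cleartext; the config excerpt is constructed from the listing above.

```python
import ipaddress
import re

# Constructed excerpt of the LNS configuration from this case (not the full file).
LNS_CONFIG = """\
nat address-group 2 192.168.0.1 192.168.0.1
interface Virtual-Template1
 remote address pool 1
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
firewall zone trust
 add interface GigabitEthernet0/0/0
 add interface Virtual-Template1
l2tp-group 1
 tunnel password simple Admin@123
aaa
 local-user test1 password simple Admin@123
 ip pool 1 192.168.3.2 192.168.3.254
nat-policy zone trust
 policy 0
  action source-nat
  policy source 192.168.3.0 0.0.0.255
  address-group 2
"""

def wildcard_to_network(addr, wildcard):
    """VRP 'policy source' uses a wildcard mask: 0.0.0.255 means /24."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def check_l2tp_nat(config):
    """Verify that every L2TP pool address is source-NATed to the internal gateway
    when it enters zone trust (so internal hosts reply to 192.168.0.1 and need no
    route back to the pool); also flag cleartext credentials in the config."""
    errors, warnings = [], []
    first, last = (ipaddress.IPv4Address(a) for a in
                   re.search(r"^\s*ip pool \d+ (\S+) (\S+)", config, re.M).groups())
    gateway = re.search(r"^interface GigabitEthernet0/0/0\n ip address (\S+)", config, re.M).group(1)
    groups = dict(re.findall(r"^nat address-group (\d+) (\S+) \S+", config, re.M))
    zone_block = config.split("nat-policy zone trust", 1)[1]   # the intrazone policy only
    net = wildcard_to_network(*re.search(r"policy source (\S+) (\S+)", zone_block).groups())
    grp = re.search(r"address-group (\d+)", zone_block).group(1)
    if first not in net or last not in net:
        errors.append(f"pool {first}-{last} not fully matched by policy source {net}")
    if groups.get(grp) != gateway:
        errors.append(f"address-group {grp} maps to {groups.get(grp)}, not gateway {gateway}")
    if not re.search(r"^firewall zone trust\n(?: [^\n]*\n)*? add interface Virtual-Template", config, re.M):
        errors.append("Virtual-Template is not in zone trust, so the zone-trust policy never applies")
    for m in re.finditer(r"^\s*(.*?) password simple \S+", config, re.M):
        warnings.append(f"cleartext credential: '{m.group(1)} password simple'")
    return {"errors": errors, "warnings": warnings}

if __name__ == "__main__":
    print(check_l2tp_nat(LNS_CONFIG))
```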
Root Cause
No route to the internal network had been added in the client settings.
Suggestions
If you do not want to add a route on the client, the headquarters' internal network can be reached in this way instead.