After the client accesses the Internet through NAT and the L2TP VPN dial-up is successful, the IP address obtained through dial-up is 172.16.168.2/24, and the local IP address of the client is 192.168.1.25. In this case, the client cannot ping the server (192.168.0.50) or other network segments of the intranet, although the server can access the Internet.
1. When the ping packet to the server carries the IP address of the WAN interface on the USG5120 as its source address, the ping succeeds. This indicates that the route configuration on the USG5120 is correct.
2. Run the netstat -r command on the PC to view the routing table. The command output shows that packets to the LNS server are forwarded based on the local default route. Check the VPN dial-up client configuration on the local host. The option "Access the Internet after the connection is successful" is selected, but no route to the intranet of the LNS is set in the route settings. To solve this problem, add the route to the intranet of the LNS.
3. After step 2 is performed, the PC on the LNS-side network segment 192.168.10.0/24 can be accessed, but the server 192.168.0.50 still cannot be accessed.
4. Check the routing table of the USG5120. It contains a route to the destination network segment 192.168.1.0/24 that points to an intranet device connected to the USG5120. The local IP address of the client (192.168.1.25) falls within this segment, so the client is unreachable from the USG5120. Inform the customer of the problem and the solution: change the local IP address of the PC or the route on the USG5120, so that the USG5120 has a route to the client. After the customer changes the route, the client can access the server.
1. Packet filtering between the security zone where the VT interface resides and the security zone where the server resides does not permit the traffic.
2. The server does not have a route to the client, or the route of the client cannot reach the intranet of the LNS.
3. A route conflict occurs.
After the VPN dial-up is successful, if the intranet of the LNS cannot be accessed, the route setting is probably incorrect.
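The two route checks from steps 2 and 4 can be run offline against copies of both routing tables. The following Python sketch is an added example, not part of the original case or any Huawei tool. The route tables, the exit labels (lan, vpn, wan, intranet), the 192.168.0.0/24 prefix for the server and the host 192.168.10.1 are constructed for illustration.

```python
import ipaddress

def longest_match(dest, routes):
    """Longest-prefix match: return (network, exit) for dest, or None."""
    addr = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(p), e) for p, e in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def audit(client_routes, lns_routes, client_addr, targets):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    # Step 2: every intranet target must leave the client through the VPN adapter,
    # not through the local default route.
    for target in targets:
        hit = longest_match(target, client_routes)
        if hit is None or hit[1] != "vpn":
            findings.append(f"client: no VPN route to {target}")
    # Step 4: the LNS must not send replies for the client into its own intranet.
    hit = longest_match(client_addr, lns_routes)
    if hit is None:
        findings.append(f"lns: no route back to {client_addr}")
    elif hit[1] == "intranet":
        findings.append(f"lns: route {hit[0]} sends {client_addr} to an intranet device")
    return findings

# Constructed sample data modelled on the case above.
TARGETS = ["192.168.0.50", "192.168.10.1"]
CLIENT_BEFORE = [("0.0.0.0/0", "lan"), ("192.168.1.0/24", "lan")]
CLIENT_AFTER = CLIENT_BEFORE + [("192.168.10.0/24", "vpn"), ("192.168.0.0/24", "vpn")]
LNS_CONFLICT = [("0.0.0.0/0", "wan"), ("192.168.1.0/24", "intranet")]
LNS_FIXED = [("0.0.0.0/0", "wan")]

if __name__ == "__main__":
    for name, c, l in [("before step 2", CLIENT_BEFORE, LNS_CONFLICT),
                       ("after step 2", CLIENT_AFTER, LNS_CONFLICT),
                       ("after step 4", CLIENT_AFTER, LNS_FIXED)]:
        print(name, audit(c, l, "192.168.1.25", TARGETS))
```
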