sharmaj
Staff
Article Id 202134
Description This article describes the manual configuration changes that must be made for L2TP over IPsec after a firmware upgrade.
Scope FortiGate v6.4.x or 7.0.0 to 7.0.x.
Solution

If the settings are not changed manually after the upgrade, the VPN connection is established, but clients cannot reach the internal (office) network.

This change is necessary regardless of whether the IPsec tunnel is route-based or policy-based.

To make L2TP over IPsec work after upgrading:

Add a static route for the IP range configured in VPN L2TP.

For example, if the L2TP setting in the previous version's root VDOM is:

# config vpn l2tp
    set eip 192.168.0.254
    set sip 192.168.0.1
    set status enable
    set usrgrp "L2tpusergroup"
end

Add a static route after upgrading:

# config router static
    edit 1
        set dst 192.168.0.0 255.255.255.0
        set device "l2t.root"
    next
end

It is necessary to make the following changes to the policies related to the VPN:

1) Keep the policy from 'tunnel_name' to 'external_interface' as it is:

# config firewall policy
    edit <id>
        set srcintf "tunnel_name"
        set dstintf "external_interface"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set service "L2TP"
        set nat enable
    next
end

This policy allows clients to connect to the L2TP IPsec tunnel.

2) To allow the traffic, the remaining policies should use srcintf 'l2t.root':

# config firewall policy
    edit <id>
        set srcintf "l2t.root"            <----- Must be the L2TP tunnel interface.
        set dstintf "outgoing_interface"  <----- Could be external/internal (wan/lan).
        set action accept
        set srcaddr "<>"
        set dstaddr "<>"
        set service "ALL"
        set nat enable
    next
end

l2t.root refers to the interface dedicated to the L2TP IPsec tunnel inside the VDOM (root in this example).

It is used in the policy as the source interface, so traffic arriving on it is matched and handled according to the policy created.
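As an added post-upgrade check (example code written for this article, not Fortinet's own tooling), the script below parses a FortiOS CLI backup and confirms both changes above: that a static route via l2t.<vdom> covers the whole L2TP pool (sip to eip), and that at least one accept policy uses that interface as srcintf. The sample config is constructed; the parser assumes the flat 'config ... end' / 'edit ... next' layout shown in the article.

```python
import ipaddress
import re

# Constructed FortiOS CLI excerpt (not from a real device) showing the post-upgrade state.
SAMPLE_CONFIG = """\
config vpn l2tp
    set eip 192.168.0.254
    set sip 192.168.0.1
end
config router static
    edit 1
        set dst 192.168.0.0 255.255.255.0
        set device "l2t.root"
    next
end
config firewall policy
    edit 7
        set srcintf "l2t.root"
        set dstintf "port1"
        set action accept
    next
end
"""

def block(cfg, name):
    """Body of a flat top-level 'config <name> ... end' block ('' if absent)."""
    m = re.search(rf'^config {name}\n(.*?)^end$', cfg, re.S | re.M)
    return m.group(1) if m else ""

def entries(body):
    """{id: entry body} for each 'edit <id> ... next' entry in a table block."""
    return dict(re.findall(r'^\s*edit (\S+)\n(.*?)^\s*next$', body, re.S | re.M))

def setting(body, key):
    m = re.search(rf'^\s*set {key} (.+?)\s*$', body, re.M)
    return m.group(1).strip('"') if m else None

def check_l2tp_route(cfg, vdom="root"):
    """(ok, detail): does one static route send the whole L2TP pool (sip..eip) to l2t.<vdom>?"""
    sip, eip = (ipaddress.ip_address(setting(block(cfg, "vpn l2tp"), k)) for k in ("sip", "eip"))
    for rid, body in entries(block(cfg, "router static")).items():
        ip, mask = (setting(body, "dst") or "0.0.0.0 0.0.0.0").split()  # dst omitted = default
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if setting(body, "device") == f"l2t.{vdom}" and sip in net and eip in net:
            return True, f"static route {rid} ({net}) covers {sip}-{eip}"
    return False, f"no static route via l2t.{vdom} covers {sip}-{eip}"

def policies_from_l2tp(cfg, vdom="root"):
    """IDs of accept policies whose srcintf is the L2TP tunnel interface l2t.<vdom>."""
    return [pid for pid, body in entries(block(cfg, "firewall policy")).items()
            if setting(body, "srcintf") == f"l2t.{vdom}" and setting(body, "action") == "accept"]
```

Run both functions against a backup taken after the upgrade; an empty policy list or a False route result reproduces the symptom described above (tunnel up, no access to the office network).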