Legacy VPN - Configure IKEv1 SecuExtender IPSec Client-To-Site VPN

In this guide, we show you how to set up a client-to-site VPN between the SecuExtender ZyWall IPSec VPN Client (Perpetual version) and a Legacy USG series firewall, by configuring the firewall (Phase 1 & Phase 2) and then the SecuExtender client.

 


 

Walkthrough Steps
Please note: All of the following steps apply only to IKEv1! If you're using USG FLEX / ATP, please check this article.

1. VPN Gateway (Phase 1)

2. Configuring the ZyXEL IPsec VPN Client

3. Notes

 

1. VPN Gateway (Phase 1):

1. Log in to the unit by entering its IP address and the credentials for an admin account (by default, the username is “admin” and the password is “1234”).

2. Add a new gateway under

Configuration > VPN > IPSec VPN > VPN Gateway

Edit the following settings:
Click “Show Advanced Settings”, tick “Enable”, type in the desired name, choose the desired WAN interface as “My Address”, tick “Dynamic Address” for multiple IPs, and enter a pre-shared key.


 

3. In this tutorial, we leave the Phase 1 settings, such as the proposals, at their defaults, but please adjust them to your security preferences. Then set “Negotiation Mode” to “Main”.


Click “OK” to apply the changes done.

 

VPN Connection (Phase 2):

1. Navigate to the “VPN Connection” tab and add a new connection

Configuration > VPN > IPSec VPN > VPN Connection

Edit the following settings:
Click “Show Advanced Settings”, tick “Enable”, type in the desired name, set the “Application Scenario” to “Remote Access (Server Role)” and choose the previously created VPN Gateway.


 

2. For the “Local Policy”, choose the subnet on your USG that the VPN clients are supposed to have access to. Choose your desired proposals in the “Phase 2 Settings” and click “OK” (remember to make them as secure as possible).


 

2. Configuring the ZyWall IPSec VPN client:

1. You can find the most recent client here

2. Start the software and define the ports in the “IKEv1 Parameters” (IKE Port = 500, NAT-T Port = 4500).


 

3. In the “Ikev1Gateway”, type in the IP of the USG's WAN interface that your VPN Gateway is listening on and enter the pre-shared key. Make sure that the proposals match the ones you defined in the VPN Gateway on your USG.


 

4. Now configure the VPN tunnel: leave the “VPN Client address” as 0.0.0.0, or enter an IP address that does not match a network local to the USG. Enter the subnet address you defined as the Local Policy in your USG's VPN Connection, and make sure the proposals match the VPN Connection's proposals.


 

Now you should be able to open the VPN tunnel by right-clicking the VPN tunnel on the left and choosing “Open tunnel”. A green desktop notification in the bottom right corner should confirm that the VPN connection has been established successfully.

Keep in mind that your WAN-to-ZyWall firewall rule should allow the services ESP, IKE, and NATT!

To learn more details about the VPN settings and algorithms you can visit:
http://www.zyxel-tech.de/previews/zyw70w362wm0c0/h_vpn_rules_edit_adv.html

To learn how to set up an L2TP connection on Windows 10, please visit:
https://www.youtube.com/watch?v=BYxcjcOxybs

 

3. Please note:

  • Don't test the VPN connection from inside the same subnet as your Local Policy! This will cause routing issues.
  • You can export the configuration file of the IPSec Client and provide it to different computers.
  • If your VPN tunnel does not build up even though to your knowledge everything has been set up correctly, it might be that your ISP is blocking IKE (Port 500) or NAT-T (Port 4500). Please contact your ISP to clarify this.
  • If there is no IPSec-related traffic hitting your WAN interface, the ISP may be blocking ESP (Protocol 50). Please contact your ISP to clarify this.
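
A pre-flight check for the addressing rules in step 4 and the notes above, together with the requirement that client and gateway proposals match, written as an added Python example (it is not Zyxel's code). The dictionary layout, the function names and the WEAK list are assumptions of this example, and all sample values are constructed.

```python
import ipaddress

# Assumption: this example's own "too weak" list; adjust to your policy.
WEAK = {"DES", "3DES", "MD5", "DH1", "DH2"}


def _net(cidr):
    # strict=False accepts a host address with mask, e.g. 192.168.1.33/24
    return ipaddress.ip_network(cidr, strict=False)


def check_addressing(local_policy, usg_networks, client_lan, vpn_client_ip):
    """Addressing rules from step 4 and the notes; returns a list of findings."""
    findings = []
    policy, lan = _net(local_policy), _net(client_lan)
    if lan.overlaps(policy):
        findings.append(f"client LAN {lan} overlaps Local Policy {policy}")
    addr = ipaddress.ip_address(vpn_client_ip)
    if not addr.is_unspecified:  # 0.0.0.0 is explicitly allowed
        for net in map(_net, usg_networks):
            if addr in net:
                findings.append(f"VPN Client address {addr} is inside USG network {net}")
    return findings


def check_proposals(phase, gateway, client):
    """gateway: accepted (encryption, authentication) pairs and a key group;
    client: the single combination configured in the VPN client."""
    findings = []
    if (client["enc"], client["auth"]) not in gateway["proposals"]:
        findings.append(f"{phase}: {client['enc']}/{client['auth']} not accepted by gateway")
    if client["dh"] != gateway["dh"]:
        findings.append(f"{phase}: key group {client['dh']} != {gateway['dh']}")
    accepted = {alg for pair in gateway["proposals"] for alg in pair} | {gateway["dh"]}
    for alg in sorted(accepted & WEAK):
        findings.append(f"{phase}: gateway still accepts weak {alg}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    gw_p1 = {"proposals": [("3DES", "SHA1"), ("AES256", "SHA256")], "dh": "DH14"}
    cl_p1 = {"enc": "AES256", "auth": "SHA256", "dh": "DH14"}
    usg_nets = ["192.168.1.0/24", "192.168.2.0/24"]
    report = check_addressing("192.168.1.0/24", usg_nets, "192.168.1.33/24", "192.168.2.50")
    report += check_proposals("Phase 1", gw_p1, cl_p1)
    print("\n".join(report) or "no findings")
```

Run it once per phase with the values entered on the USG and in the client; an empty list means the addressing and proposals are consistent with the steps above.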



Comments

2 comments


  • Is it mandatory to use the Zyxel VPN client to connect to a USG-20 or USG-60? Or can you use the Windows built-in VPN connection provider as well?

    0
  • Hi Sjors van de Meulenreek

    You can also use the built-in VPN in Windows, it's called "L2TP" VPN.

    0