This article shows how to configure an IKEv2 IPsec VPN with certificate authentication using SecuExtender on both Windows and macOS. It covers the VPN configuration on the firewall (USG FLEX / ATP / VPN Series in stand-alone / on-premise mode) as well as how to resolve the TGBErrorCodeMgrNotCreated.description error on macOS.
Note: iOS 17 requires a specific key group: DH19 must be used.
Table of Contents
A) Configure IKEv2 on the Firewall
B) Configure SecuExtender Client
C) Can't import .tgb-file on macOS
A) Configure IKEv2 on the Firewall
- Log in to the unit by entering its IP address and the credentials for an admin account (by default, the username is “admin” and the password is “1234”)
- Navigate to Configuration > Object > Address/Geo IP, click “Add” to create an object of the “Address Type” “Range”. Name it “IKEv2_Pool” and enter an IP range that does not overlap with any of your existing subnets.
- Create another IP address object that will later allow the IKEv2 clients to reach the internet through the VPN tunnel. Choose the type “Range”, name it “All_Traffic” for example, and enter “0.0.0.0” as the “Starting IP Address” and “255.255.255.255” as the “End IP Address”.
- Navigate to Configuration > Object > User/Group and click “Add” to create new users.
- Click the tab “Group” and click “Add” to create an “IKEv2_Users” group, then add the needed users by selecting them and clicking the arrow pointing right.
- Navigate to Configuration > Object > Certificate, click “Add”, choose “Host Domain Name”, type in the domain name or DynDNS, scroll down to “Extended Key Usage” and tick the three checkboxes “Server Authentication”, “Client Authentication” and “IKE Intermediate” and click “OK”.
- Double-click on this certificate and scroll down to use “Export Certificate Only”.
- Navigate to Configuration > Network > VPN > IPSec VPN and click “Add”, click “Show Advanced Settings”, tick “Enable”, choose “IKEv2”, choose “Dynamic Address” under “Peer Gateway Address”, tick “Certificate” under “Authentication” and choose your previously created certificate.
- Scroll down to choose your desired proposals under “Phase 1 Settings”, tick “Enable Extended Authentication Protocol”, choose “Server Mode”, leave “AAA Method” at “default” and choose your previously created “IKEv2_Users” group for “Allowed Users” before finally clicking “OK”.
- Now open the tab “VPN Connection” above, click “Add”, click “Show Advanced Settings”, tick “Enable”, choose “Remote Access (Server Role)” for the “Application Scenario”, choose your previously created VPN gateway for “VPN Gateway”, under “Local Policy” choose the previously created IP range object “All_Traffic”.
- Tick “Enable Configuration Payload”, choose the “IKEv2_Pool” object as your “IP Address Pool” (The DNS Servers are optional), choose your desired proposals for the VPN Connection and finally click “OK” to finish the configuration of the VPN connection.
- Now navigate to Configuration > Object > Network > Routing, click “Add”, tick “Enable”, choose “Tunnel” for “Incoming”, choose the previously created IPSec connection for “Please select one member”, choose the “IKEv2_Pool” for the “Source Address” and finally choose your WAN Interface or the WAN Trunk as the “Next Hop” before finally clicking “OK”.
B) Configure SecuExtender Client
- Open the IPSec client, right-click on the “IKE V2” folder on the left-hand side to add a new “Ikev2Gateway”, enter the domain name you also entered in the certificate on the USG for the “Remote Gateway” and choose the matching proposals under “Cryptography”.
- Right-click on the VPN Gateway on the left-hand side to add the VPN Connection, choose the “Address type” “Subnet Address”, enter the subnet address and subnet mask of the local subnet on the USG side to which the clients should have access, and choose the matching proposals for the VPN connection.
- If the “Child SA Lifetime” does not match the one configured on the USG, adjust it before finally opening the tunnel by right-clicking the VPN Connection on the left-hand side again.
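Sections A and B both depend on values that must agree on the two sides: the IKEv2_Pool range must not overlap any local subnet, the Phase 1 and Phase 2 proposals must match, and the Child SA lifetime must be identical. The following script is an added pre-flight check and is not part of the article or of any Zyxel tool; the proposal string format, the `TunnelSide` class and the sample values are assumptions made for the example, and the DH19 rule reflects the iOS 17 note at the top of the article.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class TunnelSide:
    """Proposal settings entered on one side (USG gateway/connection or SecuExtender)."""
    phase1: set             # IKE SA proposals as "ENC-AUTH-DHgroup", e.g. {"AES256-SHA256-DH14"}
    phase2: set             # Child SA proposals as "ENC-AUTH", e.g. {"AES256-SHA256"}
    child_sa_lifetime: int  # seconds


def pool_overlaps(pool_start: str, pool_end: str, local_subnets: list) -> list:
    """Return every local subnet that overlaps the planned IKEv2_Pool range.

    An empty list means the range is safe to hand out via the Configuration Payload.
    """
    first, last = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    pool_nets = list(ipaddress.summarize_address_range(first, last))
    return [s for s in local_subnets
            if any(ipaddress.ip_network(s).overlaps(n) for n in pool_nets)]


def check_tunnel(firewall: TunnelSide, client: TunnelSide, ios17_clients: bool = False) -> list:
    """Return the mismatches between firewall and client that would keep the tunnel down."""
    problems = []
    if not firewall.phase1 & client.phase1:
        problems.append("no common Phase 1 (IKE SA) proposal")
    if not firewall.phase2 & client.phase2:
        problems.append("no common Phase 2 (Child SA) proposal")
    if firewall.child_sa_lifetime != client.child_sa_lifetime:
        problems.append(f"Child SA lifetime differs: USG {firewall.child_sa_lifetime}s, "
                        f"client {client.child_sa_lifetime}s")
    # Assumption taken from the article's note: iOS 17 clients need DH group 19 in Phase 1.
    if ios17_clients and not any(p.endswith("-DH19") for p in firewall.phase1):
        problems.append("iOS 17 clients require DH19 in a Phase 1 proposal")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(pool_overlaps("192.168.50.1", "192.168.50.100", ["192.168.1.0/24", "10.0.0.0/8"]))
    usg = TunnelSide({"AES256-SHA256-DH14"}, {"AES256-SHA256"}, 3600)
    secuextender = TunnelSide({"AES256-SHA256-DH14", "AES128-SHA1-DH2"}, {"AES256-SHA256"}, 28800)
    print(check_tunnel(usg, secuextender))
```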
C) Can't import .tgb-file on macOS
If you get the TGB-file error "TGBErrorCodeMgrNotCreated.description" on macOS, it is caused by the privacy settings of macOS: SecuExtender must be explicitly trusted by the operating system.
Navigate to System Settings -> Privacy & Security -> Security and select "App Store and identified developers". "SecuExtender VPN Client" should then appear, and you need to press "Allow":
Now you can import the .tgb-file into the SecuExtender Client on macOS to load your configuration.