[VPN] Zyxel USG FLEX/ATP VPN [Quick Setup] - Configure IKEv2 IPSec VPN via Wizard with Certificate on Android / iPhone iOS / Windows / MacOS

In this guide, you will learn how to configure an IKEv2 IPsec VPN using the Quick Setup wizard on the Zyxel VPN/USG FLEX/ATP firewall series and how to connect to it from Android, iPhone (iOS), Windows PCs and Macs, using either Zyxel SecuExtender or the operating system's native VPN client. We also cover the extra steps needed for iPhones running iOS 18 or later and for Macs running macOS 14 Sonoma or later.

Note: The IP addresses in the figures are examples only and may differ in your environment.

Configuring VPN via Quick Setup

Log in to the firewall's web GUI, go to Quick Setup, choose Remote Access VPN and then IKEv2 IPSec Client (Zyxel SecuExtender, non-SecuExtender).

Use this if you are using the Zyxel SecuExtender IPSec VPN client or a computer operating system that supports IPSec VPN with IKEv2 (non-SecuExtender VPN client). You can create a Full Tunnel or Split Tunnel VPN rule with Zyxel SecuExtender VPN client. You can only create a Full Tunnel VPN rule with non-SecuExtender VPN client.

Configure the IP Address Pool for the client.

The wizard picks a subnet that is not already in use on the device, so that the client pool does not overlap an existing network. By default the pool starts at 192.168.50.1; if that subnet already exists in the gateway settings, the wizard automatically selects a different one.

Add or create the users who will have VPN access. Once users are added, click Next and review all settings for accuracy. You can then either download an automated script that configures the VPN on the client, or configure the client manually using the certificate.

After successful VPN configuration, you can download and install the script files on Windows, MacOS, iOS, or Android devices to automatically configure VPN settings.

Note: The VPN settings for Non-SecuExtender IPSec VPN Clients do not support the following features:

  • Upload Bandwidth Limit
  • Split Tunnel
  • Two-factor Authentication (Google Authenticator)

Important: Users on iOS 18 or later and macOS 14 Sonoma or later cannot use the script and need to configure the connection manually. The iPhone and macOS sections of this article describe the necessary steps in more detail.

Keep in mind: To minimize configuration errors and other potential issues, we recommend installing with the script wherever it is supported. You can also install the certificate and configure the VPN manually on the endpoint device; the "Manual Certificate Installation and VPN Configuration" sections below give detailed instructions.

Using VPN Script on Windows

Save the archive containing the script to your computer, unzip it, and run the script (the file with the .bat extension) as administrator.

After the script has finished, open the VPN settings on your PC; the newly created VPN connection is listed there. Click Connect and enter your username and password.

Using VPN Script on Android

For Android users, please install StrongSwan and follow this article: 

Using VPN Script on iPhone

Important: Users on iOS 18 or later and macOS 14 Sonoma or later cannot use the script and need to configure the connection manually. Apple's newer IKEv2 client no longer accepts the weaker proposals that Quick Setup configures by default, so the firewall must offer matching proposals. To fix this, change the Key Group and Proposal in the Phase 1 Settings and Phase 2 Settings of the VPN connection you created with Quick Setup (Wizard).

To do this, return to the firewall's web GUI. In the left-hand menu, select "Configuration", then "VPN". Open the VPN connection created by Quick Setup and, in its Phase 2 Setting, add a proposal with the following values:

Proposal

  • Encryption: AES256
  • Authentication: SHA256.

Next, go to the "VPN Gateway" tab, where we need to update the Phase 1 Settings as follows:

Proposal

  • Encryption: AES256
  • Authentication: SHA256

Key Group: DH2 DH14 DH19

DH14 and DH19 are the groups current clients negotiate; DH2 (1024-bit MODP) is kept only for compatibility with older clients and can be removed once none remain.

After making the changes, click "Apply" so they take effect.

The next step is to download the certificate for our VPN connection and install it on your device.

How to download a certificate

Navigate to Configuration -> Object -> Certificate, select the VPN certificate, and press "Download" to download the certificate.

You can export the certificate protected by a password, so that it is useless if it falls into the wrong hands, or leave the password blank to export it unprotected. Only the certificate itself has to reach the clients; a private key never needs to leave the firewall.

You can then attach the certificate to an email to the users, explaining how to install it and how to connect to the VPN. Because email is not a trusted channel and users will be installing this as a trusted root, give them a way to check what they received, for example by publishing the certificate's fingerprint separately so they can compare it before installing.

iPhone iOS 18 and higher: Manual Certificate Installation and VPN Configuration

Now, let's move on to the settings on the iPhone itself. Send the certificate to the user, for example by email.

Note: These changes do not affect existing VPN connections, whether they were created with Quick Setup or manually.

On the iPhone, open the mail message containing the certificate and tap the attachment. iOS downloads it as a configuration profile, which then appears in the device settings:

  • Open Settings and tap "Profile Downloaded".
  • Tap "Install", then confirm by tapping "Install" again.
  • The certificate is now installed and shown as verified.
  • Go to Settings -> General -> VPN & Device Management -> VPN and tap "Add VPN Configuration", choosing the IKEv2 type.
  • Enter the WAN IP address of your firewall in both the "Server" and "Remote ID" fields, set authentication to Username, and enter your user name and password.
  • Save the configuration, enable the connection and wait until the status shows "Connected"; this usually takes a few seconds.

Windows 10 and higher: Manual Certificate Installation and VPN Configuration

Double-click the certificate file. If Windows asks whether to open it, click "Open", then click "Install Certificate..." in the certificate window and click "Next" in the Certificate Import Wizard.

Select whether the certificate should be available to all users on the computer or only to the current user. Choose "Place all certificates in the following store" and select "Trusted Root Certification Authorities".

Click "Finish". Windows shows a security warning because you are adding a new root certificate that will be trusted from now on; confirm it to complete the import.

Now configure the VPN profile itself. Use the Windows search to find "VPN settings" and open it. In the window that opens, click "Add a VPN connection".

MAC OS 14 Sonoma and higher: Manual Certificate Installation and VPN Configuration

Double-click the certificate and, when asked which keychain to add it to, choose "System". If the VPN connection later fails with a certificate error, open the certificate in Keychain Access and set its trust to "Always Trust"; a self-signed certificate is not trusted automatically just by being added.

Click the Wi-Fi symbol and "Network Settings". Then click the "+" sign below your network connections and create an IKEv2 VPN.

Fill in the firewall's IP address / FQDN and the Remote ID, then open "Authentication Settings" below, choose "Username" and enter your user name and password.

Zyxel SecuExtender

SecuExtender applies the Zero Trust principle: it verifies users' identities and enforces admission control to increase security. A license is required to use SecuExtender, but you can download it for free and test the trial version by clicking here: SecuExtender VPN Client

This article will look at configuring Zyxel SecuExtender using the Windows client as an example. However, the macOS procedure is identical except for a slight difference in the application's design. 

Open the app and click "Configuration" in the top left corner. The drop-down menu offers two options: "Get from Server" and "Wizard".

Both are simple. With "Get from Server" you need the firewall's name or address plus the VPN user's username and password. With "Wizard" you can make additional changes during configuration.

Once the VPN profile has been downloaded, return to the main window; the new VPN profile appears in the list on the left. Double-click it and enter your username and password. The connection is established.

Please note that "Certificate check" must be disabled if you use the default, self-signed CA. With the check disabled the client no longer verifies the gateway's identity, so if you want to keep it enabled, use a gateway certificate issued by a CA the client trusts.
