[VPN] Zyxel USG FLEX/ATP VPN [Quick Setup] - Configure IKEv2 IPSec on Android (Quick Setup) with Zyxel Firewall

Starting with ZLD 5.20, USG FLEX and ATP devices support predefined settings for both SecuExtender IPSec and non-SecuExtender IPSec VPN clients. In this article, we will guide you through using the VPN setup wizard for remote access (Quick Setup). We will also demonstrate how to configure StrongSwan on Android using the quick setup script, manually install certificates, and configure StrongSwan to establish a VPN tunnel using IKEv2 with EAP-MSCHAPv2 authentication.

Note: You can also use this setup if L2TP VPN has been removed from your Android device (version 12+).

Keep in mind: Once you have configured the VPN using Quick Setup, you can always modify the settings later. For example, you can add or change groups or include additional proposals as needed.

However, be aware that manual changes may impact the operation of devices initially configured using the quick setup script.

If you need to re-enter the Quick Setup script and start from the beginning—such as when downloading the script again—any manual changes you previously made will be overwritten. But don't worry, you can simply apply those manual changes again after running the setup.

Note: The IP addresses in the figures are examples only and are not relevant to the article as a whole. They may be different in your case.

Configuring VPN via Quick Setup

Log in to your firewall's web GUI, go to Quick Setup, choose Remote Access VPN, and then select IKEv2 IPSec Client (Zyxel SecuExtender, non-SecuExtender).

Use this if you are using the Zyxel SecuExtender IPSec VPN client or a computer operating system that supports IPSec VPN with IKEv2 (non-SecuExtender VPN client). You can create a Full Tunnel or Split Tunnel VPN rule with Zyxel SecuExtender VPN client. You can only create a Full Tunnel VPN rule with non-SecuExtender VPN client.

Configure the IP Address Pool for the client.

The IP address pool automatically uses a subnet that is not already in use on the device, to avoid configuring the same subnet twice. The pool begins at 192.168.50.1. If the subnet 192.168.50.1 already exists in the gateway settings, the IP address pool changes automatically.

Add or create users who will have VPN access. Once users are added, click Next and review all settings to ensure accuracy. You can now either download an automated script to configure the VPN or configure it manually using a certificate.

After successful VPN configuration, you can download and install the script files on Windows, MacOS, iOS, or Android devices to automatically configure VPN settings.

Note: The VPN settings for Non-SecuExtender IPSec VPN Clients do not support the following features:

  • Upload Bandwidth Limit
  • Split Tunnel
  • Two-factor Authentication (Google Authenticator)

Important: Users on iOS 18 or later and macOS 14 Sonoma cannot use the script and need to configure the VPN manually. The iPhone and macOS settings section of this article describes the necessary steps in more detail.

Keep in mind: To minimize configuration errors and other potential issues, we recommend using a script for installation. However, you can also manually install and configure the certificate directly on your endpoint device. Detailed instructions for manual certificate installation and VPN configuration can be found in the "Manual Certificate Configuration" section.

Configuring StrongSwan VPN on Android via Quick Setup Script

 

  • Download StrongSwan from the Google Play Store
  • Send the script to the mobile device via email
  • Save the script on your mobile device
  • Open the StrongSwan App
  • Click “ADD VPN PROFILE”
  • Import VPN profile
  • Select a previously saved script
  • Fill in the username and password and Save
  • Click on the created profile
  • Wait a few seconds for the connection to be established

Configuring StrongSwan VPN on Android by installing a certificate and manually creating a VPN profile

How to download a certificate

Navigate to Configuration -> Object -> Certificate, select the VPN certificate, and press "Download" to download the certificate.

Note: Leave the "Password" field blank, because the StrongSwan client on Android needs the certificate in crt format. If you fill in the password, the certificate is exported in pfx format, which is not suitable for our case.

If you're having trouble selecting the correct certificate from your list, you can identify the required certificate for a specific VPN by checking the VPN settings. 

Configuration -> VPN -> IPSec VPN -> VPN Gateway, then open the settings of the VPN of interest.

In the “Authentication” section, you will see which certificate is selected for your VPN. 

Now, you can attach this certificate to an email you send to the users, explaining how to install it and connect to the VPN.
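A check to run on the downloaded file before emailing it, as an added example (not Zyxel's or strongSwan's code): it uses a structural heuristic to confirm the export is a bare certificate rather than a pfx (PKCS#12) bundle, which normally carries the private key, and computes the certificate's SHA-256 fingerprint to record alongside it. The function names and the two stub byte strings are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed stand-ins (NOT real exports): only the outer ASN.1 shape matters here.
CERT_STUB = bytes.fromhex("30053003020102")  # SEQUENCE { SEQUENCE {...} } like a certificate
PFX_STUB = bytes.fromhex("3003020103")       # SEQUENCE { INTEGER 3 } like a PFX header


def der_blobs(data: bytes):
    """Return [(label, der)] for each PEM block; raw DER input is labelled 'DER'."""
    found = [(m.group(1).decode(), base64.b64decode(m.group(2)))
             for m in PEM_RE.finditer(data)]
    return found or [("DER", data)]


def first_inner_tag(der: bytes):
    """Tag byte of the first element inside the outer SEQUENCE, or None."""
    if len(der) < 3 or der[0] != 0x30:
        return None
    idx = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)  # skip long-form length octets
    return der[idx] if idx < len(der) else None


def inspect_export(data: bytes) -> dict:
    """Classify an exported file (heuristic, not a full parse) and fingerprint it."""
    kinds, fingerprint = [], None
    for label, der in der_blobs(data):
        tag = first_inner_tag(der)
        if "PRIVATE KEY" in label:
            kinds.append("private-key")
        elif label == "CERTIFICATE" or (label == "DER" and tag == 0x30):
            kinds.append("certificate")
            fingerprint = fingerprint or hashlib.sha256(der).hexdigest()
        elif label == "DER" and tag == 0x02:
            # PFX and private keys both start with a version INTEGER; certificates do not.
            kinds.append("pkcs12-or-private-key")
        else:
            kinds.append("unknown")
    return {"kinds": kinds, "safe_to_send": set(kinds) == {"certificate"},
            "sha256": fingerprint}


if __name__ == "__main__":
    for name, blob in (("certificate stub", CERT_STUB), ("pfx stub", PFX_STUB)):
        print(name, inspect_export(blob))
```

To check a real download, pass the file's bytes to inspect_export() and attach the file only when safe_to_send is True.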

Manual configuration of StrongSwan VPN on Android (without script)

  • Download StrongSwan from the Google Play Store
  • Send the certificate to the mobile device via email
  • Save the certificate to the mobile device (don't try to install the certificate directly from the mail; just save it)
  • Open the StrongSwan App
  • Click on the three dots in the right corner and select “CA Certificate.”
  • Select “Import certificate.”
  • Select a previously saved certificate and click “Import Certificate.”
  • Click on the three dots in the right corner and select “CA Certificate.”
  • If the certificate is successfully imported, you will see the message “Certificate successfully imported.”
  • Next, go back to the StrongSwan main menu and click “Add VPN Profile.”

In the VPN profile configuration form that appears, please fill in all required fields:

  • Server - public IP address of your firewall
  • VPN Type - IKEv2 EAP (Username/Password)
  • CA Certificate - select automatically
  • Profile name (optional) - any user-friendly name
