Starting with ZLD 5.20, USG FLEX and ATP devices support predefined settings for both SecuExtender IPSec and non-SecuExtender IPSec VPN clients. In this article, we will guide you through using the VPN setup wizard for remote access (Quick Setup). We will also demonstrate how to configure StrongSwan on Android using the quick setup script, manually install certificates, and configure StrongSwan to establish a VPN tunnel using IKEv2 with EAP-MSCHAPv2 authentication.
Note: You can also use this method if L2TP VPN has been removed from your device on Android 12 and later.
- Click on the created profile
- Wait a few seconds for the connection to be established
Configuring StrongSwan VPN on Android by installing a certificate and manually creating a VPN profile
How to download a certificate
Navigate to Configuration -> Object -> Certificate, select the VPN certificate, and press "Download" to download the certificate.
Note: The "Password" field should be left blank as we need to download the crt certificate to use it in the StrongSwan client on Android. If you fill in the password, the certificate format will be pfx; this is not suitable for our case.
If you're having trouble selecting the correct certificate from your list, you can identify the required certificate for a specific VPN by checking the VPN settings.
Navigate to Configuration -> VPN -> IPSec VPN -> VPN Gateway and open the settings of the VPN of interest.
In the “Authentication” section, you will see which certificate is selected for your VPN.
Now, you can attach this certificate to an email you send to the users, explaining how to install it and connect to the VPN.
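Before attaching the file, it is worth confirming that it really is the certificate-only export and not a pfx bundle or key file, since a PKCS#12 (pfx) bundle can carry the private key. The following Python check is an added example, not part of the Zyxel tooling; it performs a structural check only (not full X.509 validation) and returns a SHA-256 fingerprint you can give users through a separate channel. The function names and the two sample byte strings are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stubs that only have the outer ASN.1 shape (not real exports).
SAMPLE_CERT_DER = bytes.fromhex("30093005a003020102" "3000")
SAMPLE_PFX_DER = bytes.fromhex("3005020103" "3000")

def to_der(data: bytes) -> bytes:
    """Return DER bytes, decoding the first PEM certificate block if present."""
    m = PEM_CERT.search(data)
    return base64.b64decode(m.group(1)) if m else data

def _value_offset(der: bytes, pos: int) -> int:
    """Offset of the value of the DER element that starts at pos."""
    first_len = der[pos + 1]
    return pos + 2 + ((first_len & 0x7F) if first_len & 0x80 else 0)

def classify_export(data: bytes) -> str:
    """Classify an exported file: certificate, pkcs12, private-key or unknown."""
    if b"PRIVATE KEY-----" in data:          # any PEM private key block
        return "private-key"
    try:
        der = to_der(data)
        if der[0] != 0x30:                   # both formats start with SEQUENCE
            return "unknown"
        inner = _value_offset(der, 0)
        if der[inner:inner + 3] == b"\x02\x01\x03":   # PFX: INTEGER version 3
            return "pkcs12"
        # Certificate: tbsCertificate SEQUENCE opening with [0] version or serial
        if der[inner] == 0x30 and der[_value_offset(der, inner)] in (0xA0, 0x02):
            return "certificate"
    except (IndexError, ValueError):         # truncated data or bad base64
        pass
    return "unknown"

def fingerprint_for_users(data: bytes) -> str:
    """SHA-256 fingerprint of the certificate; refuse any other kind of file."""
    kind = classify_export(data)
    if kind != "certificate":
        raise ValueError(f"do not send this file: looks like {kind}")
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

if __name__ == "__main__":
    print(classify_export(SAMPLE_PFX_DER))
    print(fingerprint_for_users(SAMPLE_CERT_DER))
```

To check a real download, pass the file contents, for example `fingerprint_for_users(open(path, "rb").read())`, where `path` is wherever you saved the export.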
Manual configuration of StrongSwan VPN on Android (without script)
- Download StrongSwan from the Google Play Store
- Send the certificate to the mobile device via email
- Save the certificate to the mobile device (don't try to install the certificate directly from the mail; just save it)
- Open the StrongSwan App
- Click on the three dots in the right corner and select “CA Certificate.”
- Select “Import certificate.”
- Select a previously saved certificate and click “Import Certificate.”
- Click on the three dots in the right corner and select “CA Certificate.”
- If the certificate is successfully imported, you will see the message “Certificate successfully imported.”
- Next, go back to the StrongSwan main menu and click “Add VPN Profile.”
In the VPN profile configuration form that appears, please fill in all required fields:
- Server - public IP address of your firewall
- VPN Type - IKEv2 EAP (Username/Password)
- CA Certificate - select automatically
- Profile name (optional) - any user-friendly name