With USG FLEX / ATP devices (since ZLD 5.20), you can provision predefined settings on your device to SecuExtender IPSec and non-SecuExtender IPSec VPN clients.
This article shows you how to use the Remote Access VPN Setup Wizard to quickly set up a VPN tunnel using IKEv2 with EAP-MSCHAPv2 authentication.
You can also use this if L2TP VPN has been removed from your Android device (version 12+).
1. Log in to the Web GUI of your USG-FLEX / ATP, click Quick Setup, then select Remote Access VPN Setup to build a VPN tunnel with the wizard.
2. Select Remote Access VPN Setup, and choose Zyxel VPN Client (SecuExtender IPSec).
3. Configure the VPN Authentication Method
(1) Choose Incoming Interface
(2) Choose a Certificate for VPN Validation
(3) Select the tunnel type Full Tunnel and select the Allow Client VPN Traffic Through WAN check box.
4. Configure the IP Address Pool for the client
The wizard automatically selects an unused subnet on the device for the IP address pool, so that the pool does not duplicate an existing subnet. The IP address pool begins at 192.168.50.1.
If the subnet 192.168.50.1 exists in the gateway settings, the IP address pool will automatically change to the 192.168.51.1 subnet.
5. Allow local users to access the device via VPN tunnel
If you have not created the local users for remote VPN access, you can set up the local user here to allow the user to access the network through the VPN tunnel.
6. After completing all the steps in the wizard, you can choose to use either SecuExtender IPSec or non-SecuExtender IPSec VPN clients (iOS/macOS, Windows, strongSwan-Android) to provision the VPN settings.
- SecuExtender IPSec VPN client: Click the Save button to complete the wizard.
- Non-SecuExtender IPSec VPN client: Click Non-SecuExtender VPN Client on the left-hand side, then choose the operating system of the device for which you want to download the installation script.
7. (Optional) Since ZLD5.10, the Remote Access VPN Setup Wizard uses DH group 14 for the VPN phase 1 settings. You can add a maximum of 3 DH groups. If you use a perpetual SecuExtender IPSec VPN client with the default DH group 2, you can manually add more DH groups on the ATP/USG FLEX to avoid re-provisioning.
On the ATP/USG FLEX Web GUI, go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and edit RemoteAccess_Wiz. In Phase 1 Settings, you can add more Key Group (DH) entries.
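The following added example (not Zyxel code and not part of the original article) models the phase 1 DH group matching behind step 7, showing which clients fail against a gateway that only accepts DH group 14 and which ones end up on a 1024-bit group once DH group 2 is added. The client names, the MIN_BITS policy floor and the rule that the client's preference order decides are assumptions made for the example.

```python
# Added example (not Zyxel code): models phase 1 DH group matching for step 7.
# MODP modulus sizes per RFC 2409 and RFC 3526.
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
MAX_GATEWAY_GROUPS = 3  # limit stated in the article
MIN_BITS = 2048         # assumption: local policy floor, not a Zyxel setting


def negotiate(client_offer, gateway_groups):
    """Return the first client-offered DH group the gateway accepts, else None.

    Simplification: the client's preference order decides; real stacks may
    apply the responder's order instead.
    """
    if len(gateway_groups) > MAX_GATEWAY_GROUPS:
        raise ValueError("gateway accepts at most 3 DH groups")
    unknown = [g for g in list(client_offer) + list(gateway_groups)
               if g not in MODP_BITS]
    if unknown:
        raise ValueError(f"unknown DH group(s): {unknown}")
    for group in client_offer:
        if group in gateway_groups:
            return group
    return None


def audit(gateway_groups, clients):
    """Map each client name to 'no-proposal', 'ok DHn' or 'weak DHn'."""
    report = {}
    for name, offer in clients.items():
        group = negotiate(offer, gateway_groups)
        if group is None:
            report[name] = "no-proposal"
        elif MODP_BITS[group] < MIN_BITS:
            report[name] = f"weak DH{group} ({MODP_BITS[group]}-bit)"
        else:
            report[name] = f"ok DH{group} ({MODP_BITS[group]}-bit)"
    return report


# Constructed client inventory: names and offers are illustrative only.
CLIENTS = {
    "perpetual-secuextender": [2],   # default DH group 2, per the article
    "reprovisioned-client": [14],    # provisioned with the wizard's DH group 14
    "mixed-client": [14, 2],
}

if __name__ == "__main__":
    for gw in ([14], [14, 2]):
        print(gw, audit(gw, CLIENTS))
```

Clients reported as weak are the ones to re-provision first, so that DH group 2 can later be removed from the gateway again.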
Test the result
1. Download strongSwan from Google Play Store
2. Send the script to the device via email
3. Import the script into strongSwan and enter the username and password
4. The client can now connect.