VPN - Configure IKEv2 VPN with Android via StrongSwan

With USG FLEX / ATP devices (since ZLD 5.20), you can provision predefined settings on your device to SecuExtender IPSec and non-SecuExtender IPSec VPN clients.

This article will show you how to use Remote Access VPN Setup Wizard to quickly set up a VPN tunnel using IKEv2 with EAP-MSCHAPv2 authentication.
You can use this as well if L2TP VPN has been removed on your Android version 12+.


Set up VPN Tunnel on ATP / USG FLEX

1. Log in to the Web GUI of your USG-FLEX / ATP, click Quick Setup, then select Remote Access VPN Setup to build up a VPN tunnel with the wizard.



2. Select Remote Access VPN Setup, and choose Zyxel VPN Client (SecuExtender IPSec).


3. Configure the VPN Authentication Method

(1) Choose Incoming Interface

(2) Choose a Certificate for VPN Validation

(3) Select the tunnel type Full Tunnel and enable the check box of Allow Client VPN Traffic Through WAN.


4. Configure the IP Address Pool for the client

The IP address pool will use auto select non-used subnet on the device to avoid setting up the same subnet. The IP address Pool will begin at

If the subnet exists in the gateway settings, the IP address pool will automatically change to the subnet.


5. Allow local users to access the device via VPN tunnel

If you have not created the local users for remote VPN access, you can set up the local user here to allow the user to access the network through the VPN tunnel.


6. After done all the steps in the wizard, you can choose to use either SecuExtender IPSec or non- SecuExtender IPSec VPN clients (iOS/macOS, Windows, Strongswan-Android) to provision the VPN settings

-  SecuExtender IPSec VPN client: Click the Save button to complete the wizard 


- Non-SecuExtender IPSec VPN client: Click to Non-SecuExtender VPN Client on the left-hand side, then choose which device’s operating system you want to download the script to install.


7. (Optional) Since ZLD5.10, Remote Access VPN Setup Wizard uses DH group 14 for VPN phase 1 setting. You can add a maximum of 3 DH groups. If you use a perpetual SecuExtender IPSec VPN client with default DH group 2, you can manually add more DH groups on ATP/USG FLEX to avoid re-provisioning.

On ATP/USG FLEX Web GUI, go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway, edit the RemoteAccess_Wiz. In Phase 1 Settings, you can add more Key Group (DH) 

Test the result

For Android:

1. Download strongSwan from Google Play Store



2. Send the Script to the device via email 

3. Import the Script into strongSwan and enter Username, Password


4. Now, it can connect.


Something went wrong? 


Make sure that everything is configured according to the VPN settings on your firewall:







Articles in this section

Was this article helpful?
7 out of 14 found this helpful



Please sign in to leave a comment.

  • Hi David.

    Thanks again for this config. Help me in a client.

    David i have replicated this config in a not so old USG 210.

    How to import sswan file in orther to work on the android phone.

    Best Regards.

  •  Hi Alexandre Silva!

    Thank you for your question.

    Our technical support team will contact you shortly.

    Best regards.