VPN Linux StrongSwan-USG60
Hello,
I am trying to connect a desktop Ubuntu 20.04 to a remote USG60 with a public IP address. I use StrongSwan to try to establish an IPSec/IKEv2 connection to the USG60.
The connection seems to work, but it is disconnected right after. Would anyone know what is happening?
In the attachment I have put the log from the Linux desktop and from the USG60 (IKE log). I also attach the StrongSwan configuration and the VPN part of the USG60 configuration.
Thank you in advance.
Accepted Solution
-
Hi @GPX,
Zyxel firewall IKEv2 for VPN clients supports authentication with certificate + EAP-MSCHAPv2 only.
You can follow these steps to configure:
1. Create a self-signed certificate for the IKEv2 rule.
(1) On the GUI, go to Object > Certificate > My Certificates and click Add.
(2) In Subject, you can choose IP Address and type in your WAN IP, or Domain Name and type in the DNS name of your WAN IP. In Extended Key Usage, select all types.
2. Download the certificate to your Ubuntu client.
On the My Certificates page, select the certificate, then click Download. Don't type in a password; just click OK. You'll get a xxxx.crt file.
3. Configure the VPN gateway rule.
(1) On the VPN gateway rule, for Authentication select "Certificate" instead of PSK, and select the certificate created in step 1.
(2) At the bottom of the page, enable Extended Authentication Protocol (EAP) and choose Server Mode.
4. Configure the VPN connection rule.
(1) On the VPN connection rule, enable Configuration Payload.
Select an IP address range for VPN clients. (You need to create it in Object > Address first.)
Also, give a DNS server address for the VPN clients.
5. Go to the Ubuntu client and disable the unsupported EAP methods.
(1) Edit /etc/strongswan.conf and add charon-nm settings to disable EAP-PEAP, EAP-MD5 and EAP-GTC:
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
charon-nm {
    plugins {
        eap-peap {
            load = no
        }
        eap-md5 {
            load = no
        }
        eap-gtc {
            load = no
        }
    }
}
include strongswan.d/*.conf
6. Configure the VPN settings in NetworkManager.
(1) In Certificate, select the downloaded certificate file, and for Authentication select EAP.
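Two things in the answer above are easy to get wrong and both make strongSwan drop the tunnel right after IKE authentication: the certificate exported from the USG60 must carry the gateway identity (WAN IP or DNS name) that the client is connecting to in its subjectAltName, and the unsupported EAP methods must really be disabled for charon-nm (not only for charon). The script below is an added example, not code from the thread or from Zyxel, that checks both before you touch NetworkManager. The gateway address 203.0.113.1, the file names and the self-signed stand-in certificate it generates are constructed assumptions; on a real client, point `run_checks` at the .crt downloaded from the firewall and at /etc/strongswan.conf. The certificate checks need `openssl x509 -ext`, i.e. OpenSSL 1.1.1 or newer (Ubuntu 20.04 ships it).

```shell
#!/bin/sh
# Added example, not from the thread above: pre-flight checks for the
# certificate + EAP-MSCHAPv2 setup (steps 1, 2 and 5 of the accepted answer).
# 203.0.113.1, the file names and the throw-away certificate generated below
# are constructed stand-ins for the USG60's WAN IP, the downloaded .crt and
# /etc/strongswan.conf.
set -u

# cert_has_san_id CERT IDENTITY
# strongSwan only trusts the gateway certificate if the IKE identity it
# receives (the USG60's WAN IP or DNS name) appears in subjectAltName;
# otherwise the IKE_SA is torn down right after authentication.
cert_has_san_id() {
    id_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -Eq "(IP Address|DNS):${id_re}(,|\$)"
}

# cert_has_eku CERT TEXT: succeed if Extended Key Usage lists TEXT,
# e.g. "TLS Web Server Authentication" (the answer says to select all types)
cert_has_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q "$2"
}

# eap_plugin_disabled CONF PLUGIN
# succeed if CONF contains  charon-nm { plugins { PLUGIN { load = no } } }.
# Brace depth is tracked so the same setting under  charon { ... }  or under
# a different plugin does not count.
eap_plugin_disabled() {
    awk -v p="$2" '
        /^[[:space:]]*charon-nm[[:space:]]*\{/    { nm = depth + 1 }
        nm && $1 == p && /\{/                     { pl = depth + 1 }
        pl && /load[[:space:]]*=[[:space:]]*no/   { found = 1 }
        {
            depth += gsub(/\{/, "{")
            depth -= gsub(/\}/, "}")
            if (pl && depth < pl) pl = 0
            if (nm && depth < nm) nm = 0
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# run_checks IDENTITY CERT CONF: one line per check, non-zero if any failed
run_checks() {
    rc=0
    if cert_has_san_id "$2" "$1"; then echo "ok:   $1 in subjectAltName"
    else echo "FAIL: $1 not in subjectAltName of $2"; rc=1; fi
    if cert_has_eku "$2" "TLS Web Server Authentication"; then echo "ok:   serverAuth EKU present"
    else echo "FAIL: serverAuth missing from Extended Key Usage"; rc=1; fi
    for m in eap-peap eap-md5 eap-gtc; do
        if eap_plugin_disabled "$3" "$m"; then echo "ok:   $m disabled for charon-nm"
        else echo "FAIL: $m still loaded by charon-nm"; rc=1; fi
    done
    return $rc
}

# --- demonstration on constructed inputs ---
WORK=$(mktemp -d)
GW_ID=203.0.113.1               # assumed USG60 WAN IP (documentation range)
CONF="$WORK/strongswan.conf"    # stands in for /etc/strongswan.conf
cat > "$CONF" <<'EOF'
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
charon-nm {
    plugins {
        eap-peap {
            load = no
        }
        eap-md5 {
            load = no
        }
        eap-gtc {
            load = no
        }
    }
}
include strongswan.d/*.conf
EOF

if command -v openssl >/dev/null 2>&1; then
    # self-signed stand-in for the certificate exported from the USG60:
    # identity in SAN, both EKU types, as step 1 of the answer recommends
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/usg60.key" -out "$WORK/usg60.crt" \
        -subj "/CN=$GW_ID" \
        -addext "subjectAltName=IP:$GW_ID" \
        -addext "extendedKeyUsage=serverAuth,clientAuth" >/dev/null 2>&1
    run_checks "$GW_ID" "$WORK/usg60.crt" "$CONF"
fi
```

If the SAN check fails against the real .crt, recreate the certificate on the USG60 with the exact address or name you enter as the gateway in NetworkManager; selecting the downloaded file in the Certificate field pins that one certificate, so a mismatch cannot be fixed on the client side.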
All Replies
-
Hi @GPX
Here are the guides on how to establish a VPN connection with Linux StrongSwan.
If you would like to build up a tunnel with IKEv1, you can follow the guide to complete the settings.
-
Hi @Ian31 and @Zyxel_Jerry,
The solution proposed by Ian31 worked for me, thank you very much! We spent a lot of time trying to figure it out; finally your answer solved our problem.
Zyxel_Jerry, thanks for the documentation; however, StrongSwan proposes only IKEv2 (at least in the GUI with the version I have installed).
Thanks again for the responses.