Connect USG40W to a VPN service?
All Replies
-
Hi @JJP
USG could establish a VPN tunnel to another VPN server without problem.
But before establishing the VPN tunnel we must know the correct pre-shared key, certificate, proposal, algorithm, auth account, etc.
The VPN servers which you mentioned: NordVPN/ExpressVPN/AviraVPN.
As we know, these VPN servers provide their own software/app to establish the tunnel.
If the software follows the standard without adding their own proprietary behavior, the VPN should be able to be established.
5 -
Thank you for the response. This leads to 1 additional question: NordVPN informs me that things might work, under the condition stated: "In order to setup VPN client connection on your router, it [USG40W] has to support at least one of these connection types: PPTP, L2TP or OpenVPN. Furthermore, it [USG40W] has to support it as a "Client" (as opposed to a "Server") to allow you to connect it to NordVPN servers."
I know USG40W supports PPTP and L2TP, which leaves the question: can USG40W be set up as a client?
0 -
Hi @JJP
NordVPN is requesting that the router take the client role to establish the tunnel.
USG supports PPTP connections but without a security algorithm, so I am not sure if it is able to connect with NordVPN.
The L2TP function on USG is a server role, and currently USG does not support OpenVPN client.
5 -
I think USG supports both PPTP & L2TP client.
(1) Go to Object > ISP account, create an account profile with the preferred protocol (PPTP or L2TP) and key in the server IP or DNS name in the IP Address/FQDN field.
(2) Go to the Network > Interface > PPP page. Add a user configuration interface.
Add interface name (ex. nordvpn)
Base interface: (ex. wan1, if it's the original Internet wan port)
Zone: WAN
ISP account profile: select the one you created in step 1.
(3) Go to the Network > Routing, Policy route page. Add a route rule with the pptp or l2tp interface as next-hop.
6 -
Hi @Ian31
Thanks for sharing it.
On a PPP interface, it supports an L2TP/PPTP tunnel to connect to the remote site.
But the server may require additional security authentication.
We can’t guarantee that the tunnel can be established successfully.
5 -
Hi, I have the same question. I have a USG 60W and am thinking of a NordVPN account.
Is this possible? Has anyone done this with success?
0 -
Been quite busy, not attempted to configure this. Still on the agenda to try.
It is like this: “Life is what happens to you, while you're busy making other plans.” (John Lennon)
1 -
NordVPN does not run PPTP / L2TP anymore, as they tell me it's out of date and not secure. But they provide IPsec / IKEv2, but I need to have a root certificate on the router. I've tried to figure out how to get the certificate to the router, and tried to configure the client on my USG60, but with no success. The user name and pwd is in algorithm MSCHAPv2. Is this one not supported on USG, and can I upload a certificate and add it to my cert list?
0 -
Well, a bit closer. Under IPsec VPN I can add a connection and enable Extended Authentication Protocol. There, under the client part, I think I have MSCHAPv2, but when I enter my user information (email address) it won't accept the @, and I still don't know where to put my cert. Anyone who knows? I'm trying to learn this the hard way. I tried to import it to TRUSTED certs, but from there I can't access it from the dialog when setting up the VPN, and when I'm trying to import it to My Certs I get an error: errno: -17010 errmsg: PKI certificate request does not exist. What am I doing wrong?
0 -
Hi MAD, I'd like to know this myself.
I'm having a ghastly time trying to get certificate-based "machine authentication" or "L2TP certificate" based authentication working for USG appliances with Apple's macOS 10.12+/13/14/15 and iOS 13.
The cause of the error is highly likely to be the implementation of the certificate(s) used or generated from the CA.
- tried using Certificates in the USG, and also
- generating from OpenSSL, and lastly
- even Let's Encrypt
Be it known that IKEv1 Phase 1/Phase 2 works 100% reliably using a pre-shared key - something we don't want to use for mass use for a client.
I'm especially interested in IKEv2; however, regardless of IKEv2 or IKEv1, I have these consistent errors:
Peer IP address mismatch
IKEv1 Error : No proposal chosen
In this example, IKEv1 using macOS L2TP machine authentication (and user / pwd):
Mar 13 21:00:57 myrouter src="218.XXX.XXX.60: 500" dst="XXX.XXX.108.99:500" msg="Send:[NOTIFY:NO_PROPOSAL_CHOSEN]" note="IKE_LOG" user="unknown" devID="1c740dfec31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="IKEv1 SA [Responder] negotiation failed:" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Local IKE peer 218.XXX.XXX.60:500 ID (null)" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Remote IKE peer XXX.XXX.108.99:500 ID (null)" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Message: No proposal chosen (14)" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Reason:" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Peer IP address mismatch" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" IKEv1 Error : No proposal chosen" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:01:02 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="Starting DNS query" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Like many, we've followed the Zyxel documentation to the letter, as well as others, but cannot progress any further than the above when trying to deploy certificates for machine or user authentication.
The failure is clearly in the tunnel setup and not the user authentication.
Any clues from Zyxel or others would be most helpful.
Warwick
Hong Kong
0
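The IKE failure block quoted in the post above can be summarised mechanically. This is an added example, not code from the thread or from Zyxel: it groups the indented detail lines under each "negotiation failed:" header and extracts the message, the reason and both peers. The sample is constructed from the quoted lines with the user and devID fields dropped, and treating a leading space in msg as "detail line" is an assumption drawn from that sample.

```python
import re
# Constructed sample in the shape of the log quoted above (user/devID dropped).
SAMPLE = """\
Mar 13 21:00:57 myrouter src="218.XXX.XXX.60: 500" dst="XXX.XXX.108.99:500" msg="Send:[NOTIFY:NO_PROPOSAL_CHOSEN]" note="IKE_LOG" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="IKEv1 SA [Responder] negotiation failed:" note="IKE_LOG" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Local IKE peer 218.XXX.XXX.60:500 ID (null)" note="IKE_LOG" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Remote IKE peer XXX.XXX.108.99:500 ID (null)" note="IKE_LOG" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Message: No proposal chosen (14)" note="IKE_LOG" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Reason:" note="IKE_LOG" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Peer IP address mismatch" note="IKE_LOG" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" IKEv1 Error : No proposal chosen" note="IKE_LOG" cat="IKE"
Mar 13 21:01:02 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="Starting DNS query" note="IKE_LOG" cat="IKE"
"""

LINE = re.compile(r'^(\w{3} +\d+ [\d:]{8}) (\S+) (.*)$')
FIELD = re.compile(r'(\w+)="([^"]*)"')
PEER = re.compile(r'^(Local|Remote) IKE peer (\S+) ID (.*)$')

def parse_line(line):
    """Split one syslog line into timestamp, host and key="value" fields (None if no match)."""
    m = LINE.match(line.strip())
    return m and {"ts": m.group(1), "host": m.group(2), **dict(FIELD.findall(m.group(3)))}

def ike_failures(text):
    """Return one summary dict per 'negotiation failed:' block in the log text."""
    failures, cur, want_reason = [], None, False
    for rec in (r for r in map(parse_line, text.splitlines()) if r and r.get("cat") == "IKE"):
        raw, msg = rec["msg"], rec["msg"].strip()
        if msg.endswith("negotiation failed:"):
            cur = {"ts": rec["ts"], "event": msg.rstrip(":"), "reasons": []}
            failures.append(cur)
            want_reason = False
        elif cur and raw.startswith(" "):        # indented: detail of the open block
            peer = PEER.match(msg)
            if peer:
                cur[peer.group(1).lower()] = {"addr": peer.group(2), "id": peer.group(3)}
            elif msg.startswith("Message:"):
                cur["message"] = msg.split(":", 1)[1].strip()
            elif msg == "Reason:":
                want_reason = True               # following line(s) carry the reason
            elif "Error :" in msg:
                cur["error"], want_reason = msg.split(":", 1)[1].strip(), False
            elif want_reason:
                cur["reasons"].append(msg)
        else:
            cur = None                           # unindented line closes the block
    return failures
```

Calling `ike_failures(SAMPLE)` yields a single record whose `reasons` list holds "Peer IP address mismatch" next to the "No proposal chosen" error, so both strings the poster lists are tied to the same failed negotiation.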