Connect USG40W to a VPN service?

Olibert

Dear Zyxel: please work on an OpenVPN update.. We home users bought your HW to have top security and cannot buy your yearly licenses.. The work has turned OpenXXX !

danyedinak

warwickt said:

Hi MAD I'd like to know this myself.

I'm having a ghastly time trying to get a certificate based "machine authentication" or "L2TP certificate" based authentication working for USG appliances with  Apple's MacOS 10.12+/13/14/15 and  iOS 13.

The cause of the error is highly likely to be the implementation of the Certificate(s) used or generating from the CA.

• tried use from Certificates in USG and also
• generating from OPENSSL and lastly
• even LetEncrypt -

Be it known that the IkEV1 Phase 1/Phase2 works 100% reliably using a PRE-SHRAED key - something we don't want to use for mass use for a client.

I'm especially interested in IKEv2 however regardless of IKEV2 or IKEV1 I have this consistent errors:

Peer IP address mismatch

IKEv1 Error : No proposal chosen

In this example IkEv1 using  MacOS L2TP Machine Authentication (and User / pwd)

Mar 13 21:00:57 myrouter src="218.XXX.XXX.60: 500" dst="XXX.XXX.108.99:500" msg="Send:[NOTIFY:NO_PROPOSAL_CHOSEN]" note="IKE_LOG" user="unknown" devID="1c740dfec31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="IKEv1 SA [Responder] negotiation failed:" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Local IKE peer 218.XXX.XXX.60:500 ID (null)" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Remote IKE peer XXX.XXX.108.99:500 ID (null)" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Message: No proposal chosen (14)" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Reason:" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="  Peer IP address mismatch" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" IKEv1 Error : No proposal chosen" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:01:02 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="Starting DNS query" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"

dLike many, we've followed the Zyxel documentation to the letter as well as others but can not progress any further. than the above when trying to deploy Certificates for machine or user authentication.

The failure is clearly in the tunnel setup and not the user authentication.

Any clues from Zyxel or others would be most helpful .

Warwick

Hong Kong

I highly recommend using IKEv2 instead of L2TP. In either case, you'll need to make sure that the encryption and authentication proposals that you are using in both Phase 1 and Phase 2 (Gateway and Connection) match those available on your client device. If you are using any Windows based devices, you will have to manually increase the security to meet the minimum, otherwise it may time out before it finds an acceptable match. On Mac, you should be able to use AES256/SHA512 or AES256/SHA256 with DH14. Just be sure to specify the matching proposal on the client machine rather than leaving it to find one itself or it will probably fail.

Zyxel_Charlie

Hi @ Olibert

Currently ZyWALL/USG doesn't support OpenVPN. You may use Zyxel Secuextender or IPSec Vpn client application to instead of it.

However, thanks for your suggestion and we will evaluate it in the future if it is beneficial.

Lou_S

Hi @MAD , not sure if you are still trying to solve this.  I'm also stuck, but can probably help you move forward a little with IPSEC.

The username to put in EAP is not the email address/pw you use to login to Nord.  If you login, you can get your account username and password through the web interface by selecting nordvpn service on the left and then scrolling down to "service credentials". 

Also, if you upload the nordvpn.der certificate into your trusted certificates, it looks like the zywall uses it even though you can only select things in "my certificates".  I have "default" selected as the cert and I believe its using the trusted one anyway.

With the above 2 changes, I'm able to get a successful authentication message in phase 1 and complete SA.  I'm now stuck at the end of phase 1 or beginning of phase 2, passing the cookie pair back and forth in a loop between the zywall and nord. Would help a lot if nord would just tell us the proper config settings like timeouts, ESP vs AH, etc but they seem to not want to share the config info one needs to connect to them.  I will likely cancel nord if I cant make it work

takoykrutoy

Lou-S,

how do I import the cert from my VPN provider on the USG60?  I have tried and tried. I need it to import so I can select it for authentication via IKEV2 with NordVPN

zyman2008

takoykrutoy,

how do I import the cert from my VPN provider on the USG60?  I have tried and tried. I need it to import so I can select it for authentication via IKEV2 with NordVPN

Login USG, go to Configuration > Object > Certificate > Trusted Certificates.
Click the Import button and select the NordVPN certificate.

But I don't think USG IKEv2 can working with NordVPN or other IKEv2 VPN server.

If I understood correctly,
USG IPSec is works as Network to Network VPN. And as a VPN server for VPN clients.
But not works like a VPN client.

A VPN client need to have these capabilities,
- built a virtual interface after VPN dial-up
- request an IP address/DNS server address, routing ... for the virtual interface
- Auto convert source IP address to the VPN interface IP for all traffic go into the VPN tunnel