VPN Primer needed for my USG 100 Flex

tesagig
tesagig Posts: 60  Ally Member

I'd like to configure my USG 100 Flex to connect with clients when traveling:

1.) for added security

2.) to circumvent country blocks for entertainment

Can I do this with the USG 100? Essentially, the client would use my ISP (Comcast)?

Can I do this with a laptop and iOS using generic VPN clients?

All Replies

  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    Not sure how much bandwidth the USG Flex 100 will do, but you can set up a VPN server role and clients can connect to exit out your Comcast.

  • StefanZ
    StefanZ Posts: 202  Master Member
    edited May 2023

    Technically this is the definition of a VPN – but as noted, a VPN will not give you "full speed" unless you buy a really oversized one. A single user on the FLEX200 I manage will get a max. of around 60 MBit/sec, with both ISPs being in the same country/city and both DSL lines being GBit – that's about 1/2 of the maximum upload rate on the server side.

    Smaller appliances give less speed. But of course all traffic through there is well protected.

  • tesagig
    tesagig Posts: 60  Ally Member

    I might give it a try. Also not sure about latency. The USG is in the US with the client in the EU.

    In order to make this work with iOS and a laptop, what VPN server configuration do I need to select?

    Assuming on the laptop it is as simple as this:

    https://support.microsoft.com/en-us/windows/connect-to-a-vpn-in-windows-3d29aeb1-f497-f6b7-7633-115722c1009c

  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    You may need to set up two VPNs, one IKEv1 and one IKEv2, with a Pre-Shared Key: some phones removed IKEv1, but Windows doesn't support IKEv2 with a Pre-Shared Key.

    Or you can make a certificate, but you would need to import it to each device.

  • tesagig
    tesagig Posts: 60  Ally Member
    edited May 2023

    So, I would pick "Remote Access (Server Role)"?

    I think I got everything set up. However, when I try to connect from my iPad I see access is blocked on the USG:

    Security Policy Control

    Match default rule, DROP [count=4]

    Do I need to open the firewall for VPN?

  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    There's a bit to configure that at first you might not understand; I sure didn't when doing it my first time.

    Here is a quick walk-through for IKEv1:
    go to the VPN Gateway tab and add
    IKEv1
    for My Address you can set the incoming interface clients come in on; an easy way is to select Domain Name / IPv4 with 0.0.0.0
    Dynamic Address
    your Pre-Shared Key
    negotiation mode Main
    advanced
    Proposal
    #1 3DES SHA1
    #2 AES128 SHA1
    key group DH2
    uncheck Two-factor Authentication

    on the VPN Connection tab add
    Remote Access (Server Role)
    the VPN gateway you made
    Local policy your WAN interface IP or 0.0.0.0 for any
    Phase 2 Setting advanced
    Encapsulation Transport
    Proposal
    #1 AES256 SHA1
    #2 3DES SHA1
    Perfect forward secrecy none
    zone IPSec_VPN

    L2TP VPN section
    the VPN connection you made
    IP subnet
    the allowed user you make
    DNS to use

    Policy Control rules
    WAN to ZyWALL: ESP, IKE, L2TP-UDP and NATT
    IPSec_VPN to ZyWALL: ESP, IKE, L2TP-UDP and NATT
    IPSec_VPN to WAN

    A routing rule
    incoming: tunnel, the VPN you made
    next hop: WAN

  • tesagig
    tesagig Posts: 60  Ally Member
    edited May 2023

    Much appreciated!

    Those settings were crucial.

    Just one thing: I don't have anything in the L2TP VPN section,

    just in the IPSEC VPN section.

    I don't get any log errors. However, the iPad does not yet connect.

    I see a couple of IKE logs, but just info:

    [SA] : No proposal chosen (this seems like an issue?)

    info

    IKE

    The cookie pair is :

  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    Your iPad might only support IKEv2?

  • tesagig
    tesagig Posts: 60  Ally Member
    edited May 2023

    Yes, but I made an IKEv2 VPN.

    I am actually seeing this log: [SA] : No proposal chosen

    On the iPad I selected my WAN IP for both the server and the "remote ID" field. Other than that, just the user name and password.

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited May 2023

    With IKEv2, the encryption that the device expects is not the same as with IKEv1.

    For Phase 1 Settings, what works for me:
    proposal
    #1 AES128 SHA256
    key group DH14 (this might need changing)

    For Phase 2 Settings, what works for me:
    Encapsulation Tunnel
    proposal
    #1 AES128 SHA256
    Perfect forward secrecy DH2
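A toy model of the negotiation behind the "[SA] : No proposal chosen" log in this thread, added here as an example (not code from the thread or from Zyxel). It assumes the USG proposals quoted above; the client offers are constructed for the example, not Apple's actual iOS lists, and the IKEv2 per-type matching is a simplification of the real SA payload handling.

```python
"""Toy model of IKE SA proposal negotiation, added to show what is behind the
"[SA] : No proposal chosen" log. Example code, not Zyxel firmware; the client
offers are constructed for the example and are not Apple's real iOS lists."""
from itertools import product

# Responder (USG) proposals from the thread. IKEv1 phase 1 proposals are
# atomic (encryption, hash, DH group) combinations, so they are tuples.
USG_IKEV1_PHASE1 = [("3DES", "SHA1", "DH2"), ("AES128", "SHA1", "DH2")]
# An IKEv2 proposal carries a set of transforms per type; the responder picks
# one transform of each type, so each type is matched independently.
USG_IKEV2_PHASE1 = {"ENCR": {"AES128"}, "INTEG": {"SHA256"}, "DH": {"DH14"}}

# Constructed initiator offers (assumption: a modern client that no longer
# offers 3DES or SHA1 for phase 1).
CLIENT_IKEV1 = list(product(("AES256", "AES128"), ("SHA256",), ("DH14", "DH2")))
CLIENT_IKEV2 = {"ENCR": {"AES256", "AES128"}, "INTEG": {"SHA256"}, "DH": {"DH14", "DH19"}}

def negotiate_ikev1(responder, initiator):
    """Return the first initiator combination the responder is configured to
    accept, or None (the USG then logs 'No proposal chosen')."""
    acceptable = set(responder)
    for combo in initiator:
        if combo in acceptable:
            return combo
    return None

def negotiate_ikev2(responder, initiator):
    """Pick one common transform per type; a type with no overlap fails the SA."""
    chosen = {}
    for ttype, accepted in responder.items():
        common = accepted & initiator.get(ttype, set())
        if not common:
            return None
        chosen[ttype] = min(common)  # deterministic pick among the overlap
    return chosen

def as_transform_sets(ikev1_proposals):
    """Reshape an IKEv1-style tuple list into per-type sets for mismatch reporting."""
    encr, integ, dh = (set(col) for col in zip(*ikev1_proposals))
    return {"ENCR": encr, "INTEG": integ, "DH": dh}

def explain_mismatch(responder, initiator):
    """Name the transform types with zero overlap; the log line never says which."""
    return sorted(t for t, acc in responder.items() if not acc & initiator.get(t, set()))

if __name__ == "__main__":
    print("IKEv1 thread settings vs client:", negotiate_ikev1(USG_IKEV1_PHASE1, CLIENT_IKEV1))
    print("mismatched types:", explain_mismatch(as_transform_sets(USG_IKEV1_PHASE1),
                                                as_transform_sets(CLIENT_IKEV1)))
    print("IKEv2 thread settings vs client:", negotiate_ikev2(USG_IKEV2_PHASE1, CLIENT_IKEV2))
```

Running it shows the IKEv1 proposals from the walk-through fail only on the hash (SHA1 vs SHA256), while the IKEv2 settings from the last post negotiate AES128/SHA256/DH14.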
