VPN Primer needed for my USG 100 Flex
I'd like to configure my USG 100 Flex to connect with clients when traveling:
1.) for added security
2.) circumvent country blocks for entertainment
Can I do this with USG 100? Essentially, the client would use my ISP (Comcast)?
Can I do this with laptop and iOS using generic VPN clients?
All Replies
Not sure how much bandwidth the USG Flex 100 will do, but you can set up a VPN server role and clients can connect to exit out your Comcast.
0 -
Technically this is the definition of VPN – but as noted, a VPN will not give you "full speed" unless you buy a really oversized one. A single user on the FLEX200 I manage will give me a max. of around 60MBit / sec. with both ISP being in the same country/city and both DSL lines are GBit. – that's about 1/2 of the maximum upload rate on the server side.
Smaller appliances give less speed. But of course all traffic through there is well protected.
0 -
I might give it a try. Also not sure about latency. USG is in US with client in EU.
In order to make this work with iOS and a laptop, what VPN server configuration do I need to select?
Assuming on the laptop as simple as this:
0 -
You may need to set up two VPNs, one IKEv1 and one IKEv2 with Pre-Shared Key: some phones removed IKEv1, but Windows doesn't support IKEv2 with Pre-Shared Key.
Or you can make a certificate, but you would need to import it to each device.
0 -
So, I would pick: "remote access (server role)"?
I think I got everything set up. However, when I try to connect from my iPad I see access is blocked on the USG:
Security Policy Control
Match default rule, DROP [count=4]
Do I need to open the firewall for VPN?
0 -
There's a bit to configure that at first you might not understand; I sure didn't when doing it my first time.
Here is a quick walk-through for IKEv1.

VPN Gateway tab, add:
- IKEv1
- My Address: you can set the incoming interface clients come in on; the easy way is to select Domain Name / IPv4 with 0.0.0.0
- Dynamic Address
- your Pre-Shared Key
- Negotiation Mode: Main
- Advanced, Proposal:
  #1 3DES SHA1
  #2 AES128 SHA1
- Key Group: DH2
- uncheck Two-factor Authentication

VPN Connection tab, add:
- Remote Access (Server Role)
- the VPN gateway you made
- Local Policy: your WAN interface IP, or 0.0.0.0 for any
- Phase 2 Setting, Advanced:
  Encapsulation: Transport
  Proposal:
  #1 AES256 SHA1
  #2 3DES SHA1
  Perfect Forward Secrecy: none
- Zone: IPSec_VPN

L2TP VPN section:
- the VPN connection you made
- IP subnet
- the allowed user you make
- DNS to use

Policy Control rules:
- WAN to ZyWALL: ESP, IKE, L2TP-UDP and NATT
- IPSec_VPN to ZyWALL: ESP, IKE, L2TP-UDP and NATT
- IPSec_VPN to WAN

A routing rule:
- incoming: tunnel, the VPN you made
- next hop: WAN
0 -
Much appreciated!
Those settings were crucial:
Just one thing, I don't have anything in L2TP VPN section
Just in IPSEC VPN section
I don't get any log errors. However, the iPad does not yet connect.
I see a couple of IKE logs, but just info:
[SA] : No proposal chosen (this seems like an issue?)
info
IKE
The cookie pair is :
0 -
Your iPad might only support IKEv2?
0 -
Yes, but I made an IKEv2 VPN.
I am actually seeing this log: [SA] : No proposal chosen
On the iPad I selected my WAN IP for both the server and the "remote ID" field. Other than that, the user name and password.
0 -
With IKEv2 the encryption that the device expects is not the same as for IKEv1.

For Phase 1 Settings, what works for me:
- Proposal: #1 AES128 SHA256
- Key Group: DH14 (this might need changing)

For Phase 2 Settings, what works for me:
- Encapsulation: Tunnel
- Proposal: #1 AES128 SHA256
- Perfect Forward Secrecy: DH20
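As an added illustration (not code from the thread or from Zyxel) of why the gateway logs "[SA] : No proposal chosen", the script below models how an IKE responder selects a proposal from the initiator's list and flags the legacy algorithms from the IKEv1 walk-through. The gateway proposal lists mirror the replies above; the client list is a constructed, assumed modern IKEv2 profile, not a statement of what any real iOS version sends.

```python
# Added example: models IKE proposal selection to show how an empty
# intersection between initiator and responder proposals produces the
# "No proposal chosen" notification seen in the gateway log.
from dataclasses import dataclass

# Algorithms the thread's IKEv1 walk-through uses that are now legacy;
# they are flagged here, not rejected, so the model matches the gateway.
WEAK = {"3DES", "SHA1", "DH2"}

@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "AES128"
    integrity: str    # e.g. "SHA256"
    dh_group: str     # e.g. "DH14"

    def weak_parts(self) -> set[str]:
        return {self.encryption, self.integrity, self.dh_group} & WEAK

def choose_proposal(initiator, responder):
    """Return the first initiator proposal the responder also offers.

    The responder walks the initiator's list in order and accepts the first
    entry it supports; no common entry means "No proposal chosen".
    """
    responder_set = set(responder)
    for proposal in initiator:
        if proposal in responder_set:
            return proposal
    return None

# Constructed sample data (assumption, not measured from a real device).
IKEV1_GATEWAY = [Proposal("3DES", "SHA1", "DH2"), Proposal("AES128", "SHA1", "DH2")]
IKEV2_GATEWAY = [Proposal("AES128", "SHA256", "DH14")]
CLIENT = [Proposal("AES256", "SHA256", "DH14"), Proposal("AES128", "SHA256", "DH14")]

def negotiate(initiator, responder):
    """Log-style negotiation result, with a note on any legacy algorithm."""
    chosen = choose_proposal(initiator, responder)
    if chosen is None:
        return "[SA] : No proposal chosen"
    weak = chosen.weak_parts()
    note = f" (legacy: {', '.join(sorted(weak))})" if weak else ""
    return f"chosen {chosen.encryption}-{chosen.integrity}-{chosen.dh_group}{note}"

if __name__ == "__main__":
    print("IKEv1 gateway:", negotiate(CLIENT, IKEV1_GATEWAY))
    print("IKEv2 gateway:", negotiate(CLIENT, IKEV2_GATEWAY))
```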