VPN Primer needed for my USG 100 Flex

tesagig

I like to configure my USG 100 Flex to connect with clients when traveling:

1.) for added security

2.) circumvent country blocks for entertainment

Can I do this with USG 100? Essentially, the client would use my ISP (Comcast)?

Can I do this with laptop and iOS using generic VPN clients?

PeterUK

Not sure how much bandwidth the USG flex 100 will do but you can setup a VPN server role and clients can connect to exit out your Comcast.

StefanZ

Technically this is the definition of VPN – but as noted, a VPN will not give you "full speed" unless you buy a really oversized one. A single user on the FLEX200 I manage will give me a max. of around 60MBit / sec. with both ISP being in the same country/city and both DSL lines are GBit. – that's about 1/2 of the maximum upload rate on the server side.

Smaller appliances give less speed. But of cause all traffic through there is well protected.

tesagig

I might give it a try. Also not sure about latency. USG is in US with client in EU.

In order to make this work with ios and a laptop, what VPN server configuration do I need to select?

Assuming on the laptop as simple as this:

https://support.microsoft.com/en-us/windows/connect-to-a-vpn-in-windows-3d29aeb1-f497-f6b7-7633-115722c1009c

PeterUK

You may need to setup two VPN one IKEv1 and IKEv2 with Pre-Shared Key some phones removed IKEv1 but windows don't support IKEv2 with Pre-Shared Key.

or you can make a Certificate but you would need to import to each devices

tesagig

So, I would pick: "remote access (server role)"?

I think I got everything setup. However, When i try to connect form my ipad I see access is blocked on USG

Security Policy Control	Match default rule, DROP [count=4]

Do I need to open the firewall for VPN?

PeterUK

Theirs I bit to configure that at first you might not understand I sure didn't when doing it my first time.

Here is as quick walk-through for IKEv1
go to VPN gateway tab and add
IKEv1
on my address you can set the incoming interface clients come in on and easy is way is select Domain Name / IPv4 with 0.0.0.0
Dynamic Address
your Pre-Shared Key
negotiation mode Main
advanced
Proposal
#1 3DES SHA1
#2 AES128 SHA1
key group DH2
uncheck Two-factor Authentication

on VPN connection tab add
Remote Access (Server Role)
your VPN gateway you made
Local policy your WAN interface IP or 0.0.0.0 for any
Phase 2 Setting advance
Encapsulation Transport
Proposal
#1 AES256 SH1
#2 3DES SH1
Perfect forward secrecy none
zone IPSec_VPN

L2TP VPN section
VPN connection you made
IP subnet
allowed user you make
DNS to use

Policy Control rule
WAN to Zywall ESP , IKE, L2TP-UDP and NATT
IPSec_VPN to Zywall ESP , IKE, L2TP-UDP and NATT
IPSec_VPN to WAN

A routing rule
incoming tunnel your VPN you made
next hop WAN

tesagig

much appreciated!

those settings were crucial:

Just one thing, I don't have anything in L2TP VPN section

Just in IPSEC VPN section

I don't get any log errors. However, the ipad does not yet connect.

I see a couple of IKE logs, but just info

[SA] : No proposal chosen (this seems like an issue?)

info	IKE	The cookie pair is :

PeterUK

Your ipad might only support IKEv2 ?

tesagig

yes, but I made a IKEv2 vpn.

I am actually seeing this log [SA] : No proposal chosen

on ipad I selected my WAN IP for both server and "remote ID" field. Other than that the user name and password

PeterUK

With IKEv2 the encryption that the device expects are not the same as IKEv1

for Phase 1 Settings what works for me
proposal
#1 AES128 SHA256
key group DH14 this might need changing

for Phase 2 Settings what works for me
Encapsulation Tunnel
proposal
#1 AES128 SHA256
Perfect forward secrecy DH2