Remote Access VPN on USG LITE

Zyxel_Richard
Zyxel_Richard Posts: 254  Zyxel Employee
edited May 17 in VPN

Introduction

The latest update brings remote access VPN capabilities to the USG LITE series, so these devices can now provide secure remote access for users. This article highlights the differences between the remote access VPN features of USG LITE and firewall models.

Key Differences

Authentication Methods:

  • Firewalls: Support Nebula Cloud Authentication Server, external AD server, and external RADIUS server for authenticating VPN users.
  • USG LITE: Supports only the Nebula Cloud Authentication Server. This aligns with the policy to manage USG LITE purely via cloud servers.

VPN Protocols:

  • Firewalls: Support both IPsec VPN server and L2TP over IPsec VPN server.
  • USG LITE: Supports only IPsec VPN. This is because L2TP is becoming less common, and there is a shift towards IPsec VPN, with potential future support for SSL VPN.

Configuration Options:

  • Firewalls: Allow customization of VPN policies, including advanced settings for IPsec policies.
  • USG LITE: Uses fixed policies with no option for customization. The advanced settings allow only setting the client VPN subnet.

Enabling Remote Access VPN on USG LITE

Navigate to Remote Access VPN:

  • Go to your Nebula site.
  • Select the USG LITE device and navigate to the Remote Access VPN section.

Select Authentication:

  • Ensure that Nebula Cloud Authentication is selected.

Configure IPsec VPN:

  • Enable IPsec VPN.
  • Set the client VPN subnet.
  • Note that there are no advanced options for policy customization as there are with firewall models.

Additional Features

Auto-Provisioning with Secure Extender VPN Client:

  • The USG LITE will push the required IPsec proposals to the Secure Extender VPN client, minimizing the need for manual configuration on the client side.

Third-Party VPN Client Support:

  • If using a third-party VPN client, download the VPN configuration script from the USG LITE interface.
  • This script can be used to import the VPN profile into third-party software.

Example Configuration

For example, on a firewall, you might configure:

  • IPsec Phase 1: Encryption (AES-256), Authentication (SHA-256), DH Group (Group 14)
  • IPsec Phase 2: Encryption (AES-256), Authentication (SHA-256), PFS (Enabled)

However, on a USG LITE device, these settings are fixed and automatically provisioned to the client.

Summary

The remote access VPN feature in the USG LITE series enhances its security capabilities by providing secure remote access for users. Although it has fewer customization options than firewall models, it offers a streamlined, cloud-managed solution that is easy to deploy and manage.
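
Added example, not part of the original article and not Zyxel tooling: a small Python check that compares a third-party client's Phase 1 and Phase 2 proposals with the firewall baseline from the Example Configuration section (AES-256, SHA-256, DH Group 14, PFS enabled). It assumes strongSwan-style proposal strings; the function names and sample strings are constructed for illustration, and the article does not state the format of the downloadable script or the proposals fixed on USG LITE.

```python
# Added example: compare IPsec proposals with the article's example baseline.
# Assumption: proposals use strongSwan-style strings such as "aes256-sha256-modp2048".

# Baseline from the article's firewall example. DH Group 14 is the 2048-bit
# MODP group, which strongSwan-style notation writes as "modp2048".
BASELINE = {"enc": "aes256", "integ": "sha256", "dh": "modp2048"}

ENC_PREFIXES = ("aes", "3des", "des", "chacha20")
INTEG_NAMES = {"md5", "sha1", "sha256", "sha384", "sha512"}
DH_PREFIXES = ("modp", "ecp", "curve", "x25519")


def parse_proposal(text):
    """Split one proposal string into its enc / integ / dh parts."""
    parts = {"enc": None, "integ": None, "dh": None, "unknown": []}
    for token in text.strip().lower().split("-"):
        if token in INTEG_NAMES:
            parts["integ"] = token
        elif token.startswith(DH_PREFIXES):
            parts["dh"] = token
        elif token.startswith(ENC_PREFIXES):
            parts["enc"] = token
        else:
            parts["unknown"].append(token)
    return parts


def audit(phase1, phase2):
    """Return a list of deviations from the baseline (empty list = match)."""
    findings = []
    p1, p2 = parse_proposal(phase1), parse_proposal(phase2)
    for key in ("enc", "integ", "dh"):
        if p1[key] != BASELINE[key]:
            findings.append(f"phase1 {key}: {p1[key]} (baseline {BASELINE[key]})")
    for key in ("enc", "integ"):
        if p2[key] != BASELINE[key]:
            findings.append(f"phase2 {key}: {p2[key]} (baseline {BASELINE[key]})")
    # PFS means Phase 2 carries its own DH group; the article names no group.
    if p2["dh"] is None:
        findings.append("phase2 pfs: disabled (baseline enabled)")
    for label, p in (("phase1", p1), ("phase2", p2)):
        for token in p["unknown"]:
            findings.append(f"{label} unrecognized token: {token}")
    return findings


if __name__ == "__main__":
    # Constructed sample proposals, not taken from any device.
    print(audit("aes256-sha256-modp2048", "aes256-sha256-modp2048"))
    print(audit("aes128-sha1-modp1024", "aes128-sha1"))
```

A finding is a deviation from the article's example baseline, not a statement about what the USG LITE itself negotiates.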