Windows 10/11 VPN native client cannot connect to USG Flex 700H Remote Access VPN behind NAT router


Hi all,

We can't manage to connect to our USG Flex 700H Remote Access VPN using the Windows 10/11 native client with the Zyxel-generated configuration files. The strange thing is that it works on Android!

You'll find below all the setup and tests we've made; hope this helps 🙏

Here is our setup:

We have a USG Flex 700H located behind our ISP router (Freebox Pro). The ISP router can't be set up in bridge mode (the only solution is to create a DMZ with all ports redirected to the USG Flex 700H).

The USG Flex 700H is connected to the ISP router via the GE2 port with 192.168.124.10 as its WAN IP (the LAN network is 192.168.44.x). For understanding purposes, let's say our public IP address is 1.2.3.4.

We want to use the native Windows VPN client to connect to the VPN (and therefore are using the installation script generated by the USG Flex 700H). When doing this, the script contains the WAN IP address as the server IP address (192.168.124.10), so the conf file looks as follows:

set Name="RemoteAccess_192.168.124.10"
set ServerAddress="192.168.124.10"
set TunnelType="IKEv2"
set AuthenticationMethod="EAP"
set EncryptionLevel="Required"
set UseWinlogonCredential=$False
set RememberCredential=$False
set SplitTunneling=$False
set IKEEnc="AES128"
set IKEAuth="SHA256"
set IKEKey="Group2,Group14"
set ESPEnc="AES128"
set ESPAuth="SHA256128"
set ESPPfs="None"

So I modified it this way before executing it:

set Name="TEST14"
set ServerAddress="1.2.3.4"
set TunnelType="IKEv2"
set AuthenticationMethod="EAP"
set EncryptionLevel="Required"
set UseWinlogonCredential=$False
set RememberCredential=$False
set SplitTunneling=$False
set IKEEnc="AES128"
set IKEAuth="SHA256"
set IKEKey="Group2,Group14"
set ESPEnc="AES128"
set ESPAuth="SHA256128"
set ESPPfs="None"

Note that the generated/provided certificate is issued to "192.168.124.10" (not to my public IP address, then).

Once the script has been executed, the TEST14 VPN connection appears in my VPN connections. When I launch it, it asks for my user credentials and then I get this error 🤔: "IKE credentials are unacceptable".

The thing is that this issue is related to the Windows VPN client ONLY, because I have no issue on my Android phone using the generated Android strongSwan configuration file (it works perfectly).

So I guess the problem is purely related to the Windows VPN client configuration. There might be something I'm missing somewhere, but I don't know what or where to look… so any help would really be appreciated.

Please find below the logs on the 700H when using the Windows client, followed by the Remote Access VPN setup:

Remote Access VPN setup:

  • Incoming Interface: ge2 (WAN)
  • Certificate for VPN validation: auto
  • Client will use VPN to access: Internet and local networks (full tunnel) + Auto SNAT enabled
  • Client Network:
    • IP Address Pool: 192.168.50.0/24
    • First DNS Server: Zywall
  • Authentication:
    • Primary Server: local
    • User: vpnusers (group that includes the user we created for testing purposes)

In Advanced Settings:

  • Phase 1:
    • SA Life Time: 86400
    • Proposal:
      • Encryption: AES128, Authentication: SHA256
      • DH Groups: DH2, DH14, DH21
  • Phase 2:
    • SA Lifetime: 28800
    • Proposal:
      • Encryption: AES128, Authentication: SHA256
      • Perfect Forward Secrecy: None

Many thanks in advance for all the help you could provide us 😉

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,131  Zyxel Employee

    Hello @NoCoZFR

    To exclude any script installation issues, simply double-click the .bat file after downloading it to your Windows PC. This will automatically install it on your PC. Then, attempt to establish the remote VPN connection to verify if it works.

    If you still have a problem, please let us know. Thanks.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,131  Zyxel Employee
    Answer ✓

    Hi @NoCoZFR

    Additionally, since your USG Flex 700H is behind NAT, the USG Flex 700H's ge2 interface will get a private IP, and the CN domain name of the generated certificate will also be the private IP.

    Therefore, please follow the steps below to set up the remote VPN:

    • 1. Navigate to System > Certificate to generate a certificate with the WAN IP (e.g., 1.2.3.4). Set the key type to RSA-SHA256, Key Length to 2048, and Life Length to 5 Years. Enable Server Authentication, Client Authentication, and IKE Intermediate.

    • 2. Manually select the self-signed certificate for the Remote VPN certificate.

    • 3. Once you download the Windows script file, edit the server address to the WAN IP 1.2.3.4.
    • 4. Double-click the .bat file to install it.

    Thanks.
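
The two points made in this thread, a certificate whose CN names the private ge2 address (192.168.124.10) rather than the address the client actually dials, and the hand-edited profile parameters from the generated script, can both be checked and applied from PowerShell. The following is an added example, not the Zyxel-generated script and not code from anyone in this thread. It assumes the USG certificate has already been imported into the Local Machine "Trusted Root Certification Authorities" store by the .bat file (adjust the store path if it lands elsewhere), uses 1.2.3.4 as the placeholder public IP from the question, and picks Group14 from the "Group2,Group14" list because Set-VpnConnectionIPsecConfiguration accepts a single DH group.

```powershell
# Added example: verify the server certificate really names the address the
# client dials, then create the native IKEv2 profile with the same values the
# generated script uses. Assumptions: certificate imported into
# Cert:\LocalMachine\Root; 1.2.3.4 is the placeholder public IP from the thread.

$Name          = "TEST14"
$ServerAddress = "1.2.3.4"   # public IP (or DDNS name) the client actually dials

# Windows validates the dialed ServerAddress against the certificate's SAN/CN.
# "IKE credentials are unacceptable" is the symptom when that name is missing,
# which is exactly the case for a certificate issued to 192.168.124.10.
function Test-VpnServerCertificate {
    param([string]$Address)

    $escaped = [regex]::Escape($Address)
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\Root) {
        # Subject Alternative Name extension (OID 2.5.29.17), rendered as text
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
        $sanText = if ($san) { $san.Format($false) } else { '' }

        $nameMatch = ($cert.Subject -match "CN=$escaped(,|$)") -or ($sanText -match $escaped)
        if (-not $nameMatch) { continue }

        # Step 1 of the answer: Server Authentication and IKE Intermediate EKUs
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        [pscustomobject]@{
            Thumbprint         = $cert.Thumbprint
            Subject            = $cert.Subject
            NotAfter           = $cert.NotAfter
            ServerAuthEKU      = ($ekus -contains '1.3.6.1.5.5.7.3.1')
            IkeIntermediateEKU = ($ekus -contains '1.3.6.1.5.5.8.2.2')
        }
    }
}

$match = Test-VpnServerCertificate -Address $ServerAddress
if (-not $match) {
    Write-Warning "No trusted root certificate names '$ServerAddress'. Generate one with that CN on the USG (System > Certificate), select it for Remote VPN, and import it before creating the profile."
    return
}
$match | Format-List

# Same settings as the generated script, with ServerAddress corrected (step 3).
Add-VpnConnection -Name $Name -ServerAddress $ServerAddress -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EncryptionLevel Required `
    -UseWinlogonCredential:$false -RememberCredential:$false -SplitTunneling:$false `
    -Force

# Pin the IKE/ESP proposal to what the USG offers: AES128/SHA256, DH14, no PFS.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES128 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup None -Force

Get-VpnConnection -Name $Name | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod
```

Run it from an elevated PowerShell prompt. If the certificate check reports a match but one of the two EKU columns is False, the certificate was generated without Server Authentication or IKE Intermediate enabled and the connection will still fail the same way; if the check reports no match at all, the profile is dialing a name the certificate does not carry, which is the situation the question describes.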

  • PeterUK
    PeterUK Posts: 3,010 ✭✭✭✭✭
    edited June 28

    You can use DDNS with a certificate if your WAN IP changes, but you have to install the intermediate certification authorities after you run the .bat.

  • NoCoZFR
    NoCoZFR Posts: 3
    Answer ✓

    Thanks for your help; the issue was the certificate pointing to the wrong IP. So I generated a new certificate with the domain name and it finally worked. Thanks a lot!