Windows 10/11 VPN native client cannot connect to USG Flex 700H Remote Access VPN behind NAT router

NoCoZFR

Hi all,

We can't manage to connect to our USG Flex 700H remote Access VPN using Windows 10/11 native client using Zyxel generated configuration files. The strange thing is that it works on android !

You'll find below all the setup and tests we've made, hope this could help 🙏

Here is our Setup :

We have an USG Flex 700H which is located behind our ISP router (Freebox pro). The ISP router can't be setup in bridge mode (the only solution is to create a DMZ with all ports redirected to the USG Flex 700H.

The USG Flex 700H is connected to the ISP router using GE2 port with 192.168.124.10 as its WAN IP (LAN network is 192.168.44.x). For understanding purposes let's say our public IP address is 1.2.3.4

We want to use the native Windows VPN client to connect to the VPN (and therefore are using the installation script generated by the USG Flex 700h). When doing this the script contains the WAN IP adress as the server IP adress (192.168.124.10), so the conf file looks like as follows :

set Name="RemoteAccess_192.168.124.10"
set ServerAddress="192.168.124.10"
set TunnelType="IKEv2"
set AuthenticationMethod="EAP"
set EncryptionLevel="Required"
set UseWinlogonCredential=$False
set RememberCredential=$False
set SplitTunneling=$False
set IKEEnc="AES128"
set IKEAuth="SHA256"
set IKEKey="Group2,Group14"
set ESPEnc="AES128"
set ESPAuth="SHA256128"
set ESPPfs="None"

So I modified it this way before executing :

set Name="TEST14"
set ServerAddress="1.2.3.4"
set TunnelType="IKEv2"
set AuthenticationMethod="EAP"
set EncryptionLevel="Required"
set UseWinlogonCredential=$False
set RememberCredential=$False
set SplitTunneling=$False
set IKEEnc="AES128"
set IKEAuth="SHA256"
set IKEKey="Group2,Group14"
set ESPEnc="AES128"
set ESPAuth="SHA256128"
set ESPPfs="None"

Note that the generated/provided certificate is delivered to "192.168.124.10" (not my public IP address then).

Once the script has been executed the TEST14 VPN connection appears in my VPN Connections. When I launch it, it asks for my users credentials and then I have this error 🤔 (IKE Credentials are unacceptable)

The thing is that this issue is related to Windows VPN client ONLY because I have no issue on my Android phone using the generated Android StrongSwan configuration file (it works perfectly).

So I guess the problem is purely related to Windows VPN Client configuration. There might be something I'm missing somewhere but I don't know what and where to look… so any help would really be appreciated.

Please find below the logs on the 700H when using the Windows client followed by the remote access VPN Setup :

Remote Access VPN Setup :

• Incoming Interface : ge2 (WAN)
• Certificate for VPN validation : auto
• Client will use VPN to access : Internet and local networks (full tunnel) + Auto SNAT Enabled
• Client Network :
  • IP Adress Pool : 192.168.50.0/24
  • First DNS Server : Zywall
• Authentication :
  • Primary Server : local
  • User : vpnusers (group that included the user we created for testing purposes)

In advanced Settings :

• Phase 1 :
  • SA Life Time : 86400
  • Proposal :
    • Encryption AES128 Authentication SHA256
    • DH Groups : DH2, DH14, DH21
• Phase 2 :
  • SA Lifetime : 28800
  • Proposal :
    • Encryption AES128 Authentication : SHA256
    • Perfec Forward Secrecy : None

Many thanks in advance for all the Help you could provide us 😉

Zyxel_Jeff

Hi @NoCoZFR

Additionally, since your USG Flex 700H is behind NAT, the USG Flex 700H's ge2 interface will get a private IP, and the CN domain name of the generated certificate will also be the private IP.

Therefore, please follow below steps to set up the remote VPN:

• 1. Navigate to System > Certificate to generate a certificate with the WAN IP (e.g., 1.2.3.4). Set the key type to RSA-SHA256, Key Length to 2048, and Life Length to 5 Years. Enable Server Authentication, Client Authentication, and IKE Intermediate.

• 2. Manually select the self-signed certificate for the Remote VPN certificate.

• 3. Once you download the Windows script file, edit the server address to the WAN IP 1.2.3.4.

• 4. Doble-click the .bat file to install the script file

• Thanks.

NoCoZFR

Thanks for your help, the issue was with the certificate pointing to the wrong IP. So I generated a new certificate with domain name and it finally worked. Thanks a lot !

Zyxel_Jeff

Hello @NoCoZFR

To exclude any script installation issues, simply double-click the .bat file after downloading it to your Windows PC. This will automatically install it on your PC. Then, attempt to establish the remote VPN connection to verify if it works.

If you still have a problem, please let us know. Thanks.

Zyxel_Jeff

Hi @NoCoZFR

Additionally, since your USG Flex 700H is behind NAT, the USG Flex 700H's ge2 interface will get a private IP, and the CN domain name of the generated certificate will also be the private IP.

Therefore, please follow below steps to set up the remote VPN:

• 1. Navigate to System > Certificate to generate a certificate with the WAN IP (e.g., 1.2.3.4). Set the key type to RSA-SHA256, Key Length to 2048, and Life Length to 5 Years. Enable Server Authentication, Client Authentication, and IKE Intermediate.

• 2. Manually select the self-signed certificate for the Remote VPN certificate.

• 3. Once you download the Windows script file, edit the server address to the WAN IP 1.2.3.4.

• 4. Doble-click the .bat file to install the script file

• Thanks.

PeterUK

You can use a DDNS with certificate if your WAN IP changes but you have to install the Intermediate certification authorities after you run the .bat

NoCoZFR

Thanks for your help, the issue was with the certificate pointing to the wrong IP. So I generated a new certificate with domain name and it finally worked. Thanks a lot !

JoostGroot

We have the same issue, but not behind NAT. Just public IP. VPN gives the same message:

The public IP is the same as the certificate. The certificate is in trusted cert store. VPN is installed with the Batch file.

Wish the L2TP vpn would still be available or the Flex series should just be Nebula managed.

PeterUK

And it is a public IP you got when you go to whats my IP and it matches?

Try with a simple user name and password for the VPN as a test

ticsystems

https://community.zyxel.com/en/discussion/comment/71608#Comment_71608

Check that the certificate is correct.
Every time you make a change in the configuration, a new certificate is created and you have to download the script again.
The best thing you can do is generate the certificate manually and force it in the configuration.

AMI

I have the same issue on windows 11, on windows 8 its no problem.

IKE authentication credentials are unacceptable

• also, the script throws an error
• WARNING: Use SetVpnConnectionIpSecConfiguration -RevertToDefault to reset Custom Encryption
  Set-VpnConnectionIPsecConfiguration : Cannot process argument transformation on parameter 'DHGroup'. Cannot convert
  value "Group2,Group14,ECP256" to type
  "Microsoft.PowerShell.Cmdletization.GeneratedTypes.VpnConnectionIPsecConfiguration.DHGroup" due to enumeration values
  that are not valid. Specify one of the following enumeration values and try again. The possible enumeration values are
  "None,Group1,Group2,Group14,ECP256,ECP384,Group24".
  At line:1 char:144
• ... 6 -IntegrityCheckMethod SHA256 -DHGroup Group2,Group14,ECP256 -Cipher ...
• ~~~~~~~~~~~~~~~~~~~~~
  • CategoryInfo : InvalidData: (:) [Set-VpnConnectionIPsecConfiguration], ParameterBindingArgumentTransfor
    mationException
  • FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-VpnConnectionIPsecConfiguration

The problem seems to be in the DH group, but i dont know how to fix it.
I can leave but one and it works (set IKEKey="Group14")

Second error

WARNING: Use SetVpnConnectionIpSecConfiguration -RevertToDefault to reset Custom Encryption
Set-VpnConnectionIPsecConfiguration : Cannot process argument transformation on parameter 'CipherTransformConstants'.
Cannot convert value "3DES" to type
"Microsoft.PowerShell.Cmdletization.GeneratedTypes.VpnConnectionIPsecConfiguration.CipherTransformConstants". Error:
"Unable to match the identifier name 3DES to a valid enumerator name. Specify one of the following enumerator names
and try again:
DES, DES3, AES128, AES192, AES256, GCMAES128, GCMAES192, GCMAES256, None"
At line:1 char:178

• ... Method SHA256 -DHGroup Group14 -CipherTransformConstants 3DES -Authen ...
• ~~~~
  • CategoryInfo : InvalidData: (:) [Set-VpnConnectionIPsecConfiguration], ParameterBindingArgumentTransfor
    mationException
  • FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-VpnConnectionIPsecConfiguration

Updated the RemoteAccess_87.128.227.157 VPN connection
Press any key to continue . . .

This time it does not like 3DES

not sure why this is in there

set ESPEnc="3DES"
set ESPAuth="SHA196"

i change it to AES256/SHA256

Now it works - the install at least.

The IKE issue remains, on win11 no go, win8 no problem (win8 was not scripted but manual install)

AMI

Add back L2tp with pre shared KEY - stop downgrading features of the H model.

AMI

Well, I found the issue/workaround

Registry Key

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RasMan\Parameters

set a new (if not there already) Dword32 named "DisableIKENameEkuCheck" and set it to 1

it will work afterwards

Credit for this goes to a user "Brink2Three on github having such issue with strongswan from 03/2023

Quote" While building out a similar configuration, I'm getting error 13801 on windows clients as well. Specifically it seems to be related to the IKE Name EKU check run by windows when checking the certificate."

https://github.com/strongswan/strongswan/discussions/1351