IKEv2 and Windows 11 on standalone ATP500

AlexandervonW Posts: 12  Freshman Member

Hi there,

Because the actual IPSec client from Zyxel does not support ARM processors, I had to configure VPN IPSec IKEv2 to use the built-in Windows 11 VPN client.

That raises a bunch of questions:

  1. How can I use a trusted certificate instead of the "built-in" one? I cannot use the officially bought FQDN-based cert, because while generating the VPN connection with the wizard (the only way to get a Windows 11 installation script) I cannot choose a certificate!
  2. I cannot use any AD (local Active Directory) user to authenticate in this new VPN config. The wizard creates a group and I have to select a user, but changing this in the VPN gateway setting results in an error after connecting and using an AD user for auth. Other IPSec connections are working fine with AD users.
  3. I can only set up Windows 11 to use the VPN in full tunnel mode. But then I cannot connect from the same computer to the internet/firewall for getting and accepting the 2FA e-mail, because there is no internet connection before accepting 2FA.

Any help would be highly appreciated.

Alexander

All Replies

  • Zyxel_James Posts: 739  Zyxel Employee

    a. You can select Manual as VPN validation for your imported certificate; please note that this field is available only if the IP/Domain matches the CN in the certificate.


    b. The VPN Wizard does not allow selecting ext-users. As a workaround, you need to create an Auth method first, then select the AAA method to your created auth-method, and change Allowed user to your ext-user.


    c. Yes, it's expected behavior when using Full Tunnel mode: you cannot access external services (like email) until the connection is verified. This is consistent behavior across different vendors. In this case, please use another device to access your email to retrieve the verification code.
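The wizard-generated installation script is the only way the thread describes to provision the Windows 11 built-in client, which is what forces full-tunnel mode and the certificate limitation in the question. As an added example (not from this thread and not Zyxel's wizard output), the same IKEv2 profile can be created directly with the built-in `VpnClient` PowerShell cmdlets, which lets you choose split tunneling and pin the IPsec proposal. The connection name `ATP500-IKEv2`, the gateway name `vpn.example.com` and the LAN prefix `192.168.1.0/24` are assumed placeholders; the gateway side (certificate, AAA method with the ext-user, IKEv2 proposals) is assumed to be set up as described in the reply above.

```powershell
# Added example, not from the thread or from Zyxel's wizard output.
# Creates an IKEv2 profile for the Windows 11 built-in VPN client with PowerShell.
# Assumed values: connection name, vpn.example.com, and the 192.168.1.0/24 LAN prefix.
# Run in an elevated PowerShell session; -AllUserConnection makes the profile machine-wide.

$ConnectionName = 'ATP500-IKEv2'      # assumed name
$ServerAddress  = 'vpn.example.com'   # assumed; must match the CN/SAN of the gateway certificate
$LanPrefix      = '192.168.1.0/24'    # assumed LAN behind the firewall

# EAP-MSCHAPv2 inner authentication: the username/password are checked by the gateway's
# AAA method (the ext-user / AD auth method described in the reply above).
$EapConfigXml = [xml]@"
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>26</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
        <UseWinLogonCredentials>false</UseWinLogonCredentials>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"@

# Remove a stale profile of the same name so the script can be re-run.
if (Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -AllUserConnection -Force
}

# Create the IKEv2 profile. With -SplitTunneling only the routes added below go through
# the tunnel, so the client keeps its normal internet path (e.g. to fetch the 2FA e-mail).
# Omit -SplitTunneling to get the full-tunnel behaviour the wizard script produces.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $ServerAddress `
    -TunnelType IKEv2 `
    -AuthenticationMethod Eap `
    -EapConfigXmlStream $EapConfigXml `
    -EncryptionLevel Required `
    -SplitTunneling `
    -AllUserConnection `
    -Force

# Pin the IPsec proposal instead of relying on the client's default proposal set, which
# includes older algorithms. The gateway's IKEv2 phase 1/2 proposals must offer the same.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -AllUserConnection `
    -Force

# Route only the internal network through the tunnel.
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $LanPrefix -AllUserConnection

# Show the resulting profile so the settings can be checked before the first connection.
Get-VpnConnection -Name $ConnectionName -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling, EncryptionLevel
```

Because the Windows IKEv2 client verifies the gateway certificate against the machine's trusted roots and checks that the name in the certificate matches `ServerAddress`, the imported FQDN certificate from question 1 works here as long as the profile is created with that FQDN. Split tunneling solves the 2FA chicken-and-egg from question 3 at the cost of leaving the client's non-VPN traffic outside the firewall's policy, so keep the full-tunnel variant where that policy matters and use a second device for the verification e-mail, as the reply suggests.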