IKEv2 and Windows 11 on standalone ATP500

AlexandervonW

Hi there,

because the actual IPSec client from Zyxel does not support ARM proccessors, i had to configure VPN IPSec IKEv2 to use the buildin Windows 11 VPN client.

That raises a bunch of questions:

1. How can i use a trusted certificate instead of the "buildin". I cannot use the official bought FQDN based cert, because while generating the VPN connection with the wizard (only way to get a Windows 11 installation script) i cannot choose a certificate!
2. I cannot use any AD (local Active Directory) user to auth in this new VPN config. The wizard creates a group and i have to select a user, but changing this in VPN gateway setting does result in error after connecting and using AD user for auth. Other IPSec connections are working fine with AD users.
3. I can only setup Windows 11 to use the VPN in full tunnel mode. But then, i cannot connect from the same computer to the internet/firewall for getting and acepting the 2FA E-Mail, because there is no internet connection before acepting 2FA.

Any help would be highly appreciated.

Alexander

Zyxel_USG_User

Another comment: by using the 'native' Win11 VPN capability, one has to 'pass through' traffic for a few native windoze files which are constant targets for replacement with malfunctioning ones.

I had the file names once they popped up onto the local Windows firewall when using the built-in VPN functionality, to be allowed to connect to and from the internet, but as I moved to SecuExtender because of this reason, I did not keep records about the involved files. I am sure you can find that info on the net.

Zyxel_James

a. You can select Manual as VPN validation for your imported certificate, please note that this filed is is available only if the IP/Domain is matched to the CN in the certificate.

b. VPN Wizard is not allowed to select ext-users, for a workaround, you need to create an Auth method first, then select the AAA method to your created auth-method, and change Allowed user to your ext-user.

c. Yes, it's expected behavoir when using Full Tunnel model, you cannot access external services (like email) until the connection is verified. This is consistent behavoir acroos different vendors. In this case, please use another device to access your email to retrieve the verification code.

AlexandervonW

Hi Zyxel_James,

first, many thanks for your help. I tried your proposals, but had no luck.

What i did:

1. changed to Domain name

2. choose imported trusted certificate within manual, it shows up, just had to selct it.

3. Imported the new configuration with "Configuration Provisioning"

4. Then opening connection from Zyxel SecuExtender IPSec client (actual version) runs into an error. Client log shows the following.

SecuExtender VPN Client 7.5.008
20250606 16:00:21:546 Reading configuration...
20250606 16:00:21:799 No SSL configuration
20250606 16:00:21:888 TIKEV2_RemoteAccess_Wiz Unauthorized key usage in user certificate.
20250606 16:00:21:888 TIKEV2_RemoteAccess_Wiz PKI chain is incomplete
20250606 16:00:21:972 TIKEV2_RemoteAccess_Wiz configuration NOK
20250606 16:00:24:038 [VPNCONF] TGBIKE_STARTED received
20250606 16:00:35:406 TIKEV2_RemoteAccess_Wiz SEND IKE_SA_INIT request MID=0000 [HDR][SA][KE][NONCE][N(NAT_DETECTION_SOURCE_IP)][N(NAT_DETECTION_DESTINATION_IP)][VID][N(SIGNATURE_HASH_ALGORITHMS)]
20250606 16:00:35:711 TIKEV2_RemoteAccess_Wiz RECV IKE_SA_INIT response MID=0000 [HDR][SA][KE][NONCE][N(NAT_DETECTION_SOURCE_IP)][N(NAT_DETECTION_DESTINATION_IP)][N(HTTP_CERT_LOOKUP_SUPPORTED)][CERTREQ][VID][VID][VID][VID][VID][VID]
20250606 16:00:35:711 TIKEV2_RemoteAccess_Wiz IKE SA I-SPI E8F5BFCFF0096E93 R-SPI AD6A063261621822
20250606 16:00:35:714 TIKEV2_RemoteAccess_Wiz SEND IKE_AUTH request MID=0001 [HDR][IDi][N(INITIAL_CONTACT)][CERTREQ][CP][N(ESP_TFC_PADDING_NOT_SUPPORTED)][SA][TSi][TSr]
20250606 16:00:40:715 TIKEV2_RemoteAccess_Wiz SEND IKE_AUTH repeat MID=0001 [HDR][IDi][N(INITIAL_CONTACT)][CERTREQ][CP][N(ESP_TFC_PADDING_NOT_SUPPORTED)][SA][TSi][TSr]
20250606 16:00:45:728 TIKEV2_RemoteAccess_Wiz SEND IKE_AUTH repeat MID=0001 [HDR][IDi][N(INITIAL_CONTACT)][CERTREQ][CP][N(ESP_TFC_PADDING_NOT_SUPPORTED)][SA][TSi][TSr]
20250606 16:00:45:784 TIKEV2_RemoteAccess_Wiz RECV IKE_AUTH response MID=0001 [HDR][IDr][CERT][AUTH][EAP(REQUEST/Identity)]
20250606 16:00:45:788 TIKEV2_RemoteAccess_Wiz Failed to import "CN = vpnin.domainxyz.com"
20250606 16:00:45:788 TIKEV2_RemoteAccess_Wiz Rejecting certificate "CN = vpnin.domainxyz.com" sent by the gateway
20250606 16:00:45:788 TIKEV2_RemoteAccess_Wiz Remote endpoint was not authenticated. Negociation is stopped.
20250606 16:00:45:788 TIKEV2_RemoteAccess_Wiz SEND INFORMATIONAL request MID=0002 [HDR][N(AUTHENTICATION_FAILED)]

5. Then i choose the standard cert, which worked fine, just the cert error, while opening the 2FA website via the local ip address, but in the end it worked.

I really do not get it, especially the part, when i selected our own trusted cert, which i do not export and import, but only use within the cert field in the phase 1 VPN connection.

Any help would be highly appreciated!

Alexander

AlexandervonW

About the AD user auth, i need time to look into that again, but many thanks for trying to help….

Zyxel_USG_User

Chiming in only for this part:

" I can only setup Windows 11 to use the VPN in full tunnel mode. But then, i cannot connect from the same computer to the internet/firewall for getting and acepting the 2FA E-Mail, because there is no internet connection before acepting 2FA."

That is a general problem if you use the mail for 2FA, no matter the platform brand etc. Whilst establishing the IPSec connection, one is in 'limbo state' because … there is no full connection yet :)

Just a suggestion- why don't you enable the 2FA on smartphone(s) for example? You can configure each user with their own 2FA on their own smartphone, it saves a lot of flexing and adapting elsewhere.

Zyxel_USG_User

Another comment: by using the 'native' Win11 VPN capability, one has to 'pass through' traffic for a few native windoze files which are constant targets for replacement with malfunctioning ones.

I had the file names once they popped up onto the local Windows firewall when using the built-in VPN functionality, to be allowed to connect to and from the internet, but as I moved to SecuExtender because of this reason, I did not keep records about the involved files. I am sure you can find that info on the net.

AlexandervonW

Yeah, i thought about that too, but without using Nebula, which has so less feature that the appliance, it is really a pain to setup google auth (actually, i as admin have to do this with the users…)…

But many thanks anyway…

AlexandervonW

https://community.zyxel.com/en/discussion/comment/78048#Comment_78048

Sorry, did not wanted to make this the answer, how cann i revert this…

AlexandervonW

https://community.zyxel.com/en/discussion/comment/78047#Comment_78047

Funny thing about atht is, that if you use the "Zyxel Secuextender VPN Client v. 7.7", with IPSecv2 connection, then after establishing the connection, the browser windows for accepting 2FA pops up and you get a connection to the firewall through the LAN IP and 2FA port! Why is that working?

Zyxel_USG_User

2FA works for the USG's only with SecuExtender, AFAIK.

I do not use yet 2FA, because I could not use the StrongSwan IPSec VPN tunnel for smartphones anymore, nor the native IPSec VPN's from Windoze and MacOze.

As I understand it: when the 2FA pops up in SecuExtender, just after you enter the code the tunnel is completely established. If you wait for the email, it will not get through as the tunnel has not been established and secured.

This is why I would use an MFA app, even if it is a pain to set up with each individual user. With a remote access session, just to set it up with their smartphone ready to read the QR code for their personal user profile, that works.