Setup Guide - IKEv2 VPN from Ubuntu 24.04 to a USG FLEX 200H
Here's a step-by-step installation and configuration guide for setting up an IKEv2 VPN client on a clean Ubuntu 24.04 system, using EAP-MS-CHAPv2 authentication and a split-tunnel configuration, with working ping to the Zyxel firewall's LAN and Internet access preserved. The Zyxel USG FLEX configuration is identical to the one used for Mac/Windows/Android clients.
Foreword:
On Ubuntu 24.04, the NetworkManager IKEv2 plugin just doesn't implement EAP-MS-CHAPv2, which is what Zyxel requires. So if you try to connect via NM:
- strongSwan via NM sends EAP-IDENTITY first.
- The Zyxel USG FLEX 200H expects EAP-MS-CHAPv2.
- Ubuntu responds with EAP-NAK → the Zyxel USG FLEX rejects it → EAP-FAIL.
There's no way around this limitation in NM on 24.04.
The only practical solution is to bypass NetworkManager entirely and use a manual strongSwan setup, as follows. That means:
- Creating /etc/ipsec.conf with the Zyxel-compatible IKEv2 and EAP-MS-CHAPv2 settings.
- Creating /etc/ipsec.secrets for your username/password.
- Optionally disabling the resolve plugin in /etc/strongswan.d/charon/resolve.conf if you don't want DNS integration issues.
- Starting and initiating the connection manually:
sudo ipsec restart
sudo ipsec up zyxel
Yes, you lose the GUI convenience, but this method works reliably with Zyxel firewalls, supports EAP-MS-CHAPv2 (which NM does not), and lets you control routes, split tunnel, and firewall rules explicitly.
Basically, on Ubuntu 24.04 with Zyxel IKEv2 + EAP-MS-CHAPv2, manual strongSwan is the only fully functional option.
NetworkManager's IKEv2 plugin (charon-nm) on Ubuntu 24.04 simply does not implement EAP-MS-CHAPv2, and the strongSwan developers have stated for years that they do not plan to add it: EAP-MS-CHAPv2 is considered legacy and insecure, and charon-nm only supports "certificate-based" EAP (the TLS family) and EAP-PEAP (but not the MSCHAPv2 inner authentication you need).
1. Update Ubuntu, install strongSwan, then import the certificate
sudo apt update && sudo apt upgrade -y && sudo apt autoremove -y
sudo apt install strongswan strongswan-plugin-eap-mschapv2 libcharon-extra-plugins -y
This installs strongSwan with the necessary EAP-MS-CHAPv2 plugin. On 24.04 the eap-mschapv2 plugin ships inside libcharon-extra-plugins, so if apt reports that strongswan-plugin-eap-mschapv2 is not available, leave that package out; the plugin still gets installed.
If you had previously installed or set up any NetworkManager-based profile, delete it to avoid conflicts.
Create the directories for certificates
sudo mkdir -p /etc/ipsec.d/certs
sudo mkdir -p /etc/ipsec.d/private
sudo mkdir -p /etc/ipsec.d/cacerts
Import the Zyxel firewall certificate
- Export the Zyxel server certificate from the firewall or from a working client. You usually get a .crt file (ECDSA, SHA256). Make sure it is the one selected in the Remote Access VPN profile you have set up in the firewall; this certificate is what protects the EAP-MS-CHAPv2 exchange from a rogue server, so do not skip it.
- Copy the certificate to your Ubuntu PC/VM:
sudo cp YOUR_CERTIFICATE_NAME.crt /etc/ipsec.d/cacerts/
- Optional: verify it:
sudo ipsec listcacerts
You should see:
CN=XXX.ddns.net #my CN is a domain name as displayed here
If strongSwan instead logs that the certificate "lacks ca basic constraint" and discards it, the exported file is an end-entity certificate rather than a CA certificate: export the issuing CA certificate into cacerts instead, or place the server certificate in /etc/ipsec.d/certs and reference it with rightcert= in the conn.
2. Disable the DNS (resolve) plugin (optional but recommended)
- Edit the strongSwan resolve plugin configuration:
sudo nano /etc/strongswan.d/charon/resolve.conf
- Add or edit the following:
resolve {
    load = no
}
- This stops strongSwan from attempting to push the DNS servers assigned by the firewall to resolvconf/systemd-resolved (prevents invalid DNS errors). The trade-off is that internal host names are not resolved through the tunnel; use LAN IPs, or add the internal DNS server to your resolver manually.
3. Back up and edit /etc/ipsec.conf
sudo cp /etc/ipsec.conf /etc/ipsec.conf.bak
sudo nano /etc/ipsec.conf
- Remove or comment out any %default or full-tunnel configuration that uses rightsubnet=0.0.0.0/0.
- Add the following split-tunnel configuration (the settings shared by all connections live in %default, the Zyxel-specific ones in conn zyxel):
conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
    rekey=no
    left=%defaultroute
    leftauth=eap-mschapv2
    leftsourceip=%config
    auto=add

conn zyxel
    leftfirewall=yes
    # Replace with the Zyxel firewall's WAN IP
    right=XXX.XXX.XXX.XXX
    rightauth=pubkey
    # The CN of the Zyxel certificate; mine is the DDNS name I use
    rightid="fw.ddns.net"
    # The Zyxel firewall's LAN subnet
    rightsubnet=192.168.XXX.0/24
    eap_identity=YOUR_USERNAME
Note: Replace XXX.XXX.XXX.XXX with your Zyxel WAN IP, 192.168.XXX.0/24 with the Zyxel firewall's LAN subnet you need access to, and YOUR_USERNAME with your VPN user name. The ike= and esp= proposals (AES-256, SHA-256, DH group 14) must match the IKE and IPsec proposals of the Remote Access VPN profile on the firewall, otherwise the connection fails with NO_PROPOSAL_CHOSEN. rightauth=pubkey together with rightid is what makes the client verify the firewall's certificate; leftfirewall=yes lets strongSwan's updown script add the iptables rules that allow the tunnel traffic through.
4. Configure secrets
sudo nano /etc/ipsec.secrets
- Add your username and password for EAP-MS-CHAPv2:
"YOUR_USERNAME_HERE" : EAP "YOUR_PASSWORD_HERE"
Replace YOUR_USERNAME_HERE with the same user name as eap_identity and YOUR_PASSWORD_HERE with your Zyxel VPN password. The password is stored in clear text, so keep the file owned by root with mode 0600 (the package installs it that way; check it after editing).
5. Enable and start strongSwan
sudo systemctl enable strongswan
sudo systemctl restart strongswan
If systemd reports that the unit does not exist, the ipsec.conf-based daemon on 24.04 is managed by strongswan-starter.service; use that name instead.
6. Initiate the VPN
sudo ipsec up zyxel
- Check the status:
sudo ipsec statusall
- You should see:
IKE_SA zyxel[1] established
CHILD_SA zyxel{1} established with SPIs ...
The "loaded plugins" line of the same output must contain eap-mschapv2; if it doesn't, the plugin package from step 1 is missing and the authentication will fail with EAP_FAILURE.
7. Verify routing
ip route
- Expected output:
192.168.XXX.0/24 dev ipsec0 proto kernel scope link
default via 172.19.0.1 dev eth0
This confirms the split tunnel: LAN traffic goes via the VPN, Internet traffic stays on eth0. If the main table shows no route for the LAN subnet, look in routing table 220, where strongSwan installs its routes by default:
ip route show table 220
A default route in that table would mean a full tunnel, which this configuration deliberately avoids.
8. Test connectivity
- Ping the Zyxel firewall's LAN IP:
ping 192.168.XXX.254
or
ping YOUR_FW_INSIDE_IP
- Ping an existing internal host behind the Zyxel USGFLEX 200H:
ping 192.168.XXX.10
- Ping Internet to ensure your normal route works:
ping 8.8.8.8
9. Troubleshooting Tips
- Ensure right is the Zyxel WAN IP, not %any, and keep rightauth=pubkey with the correct rightid: the firewall's certificate is the only thing that protects the MS-CHAPv2 exchange from a rogue server.
- Do not use rightdns=0.0.0.0/0; this breaks DNS.
- Verify that the Zyxel VPN user has access to the LAN (192.168.XXX.0/24) and that ICMP is allowed by the firewall policy.
- For a full tunnel, the Zyxel must NAT the VPN IPs to the Internet; otherwise split tunnel is the safer choice.
Following these steps will give you a working IKEv2 VPN on Ubuntu 24.04 with:
- EAP-MS-CHAPv2 authentication
- Split-tunnel (LAN over VPN, Internet over local network)
- Functional ping and routing
Good luck!
/Levente
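As an added example (not code from the original post or from Zyxel), the script below wraps steps 3 to 7 of the guide: it renders ipsec.conf and ipsec.secrets from variables instead of hand-editing them, installs the secrets file with mode 0600, and checks the output of "ipsec up zyxel" and "ip route show table 220" for the split-tunnel result the guide expects. The IPs, the CN fw.ddns.net, the user name alice and the sample command outputs are constructed placeholders, not values captured from a real firewall.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: render the two strongSwan
# files from variables, install them with root-only permissions, and check
# "ipsec up" / "ip route show table 220" output for a working split tunnel.
# All IPs, names and credentials below are placeholders.
set -eu

# Render /etc/ipsec.conf. Args: Zyxel WAN IP, certificate CN, LAN subnet, username.
render_ipsec_conf() {
  wan_ip="$1"; cn="$2"; lan="$3"; user="$4"
  cat <<EOF
config setup

conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
    rekey=no
    left=%defaultroute
    leftauth=eap-mschapv2
    leftsourceip=%config
    auto=add

conn zyxel
    leftfirewall=yes
    right=${wan_ip}
    rightauth=pubkey
    rightid="${cn}"
    rightsubnet=${lan}
    eap_identity=${user}
EOF
}

# Render /etc/ipsec.secrets. The password is stored in clear text, so the
# file must stay mode 0600 (install_config enforces that).
render_secrets() {
  printf '"%s" : EAP "%s"\n' "$1" "$2"
}

# Write both files under $1 (use /etc on the real system).
# Args: dest wan_ip cn lan user password
install_config() {
  dest="$1"
  render_ipsec_conf "$2" "$3" "$4" "$5" > "$dest/ipsec.conf"
  ( umask 077; render_secrets "$5" "$6" > "$dest/ipsec.secrets" )
  chmod 0600 "$dest/ipsec.secrets"
}

# Return 0 when "ipsec up zyxel" output reports both the IKE_SA and the CHILD_SA.
tunnel_established() {
  printf '%s\n' "$1" | grep -q 'IKE_SA zyxel\[[0-9]*\] established' &&
  printf '%s\n' "$1" | grep -q 'CHILD_SA zyxel{[0-9]*} established'
}

# Return 0 when strongSwan's routing table (220 by default) has a route for the
# LAN subnet and no default route, i.e. a split tunnel rather than a full tunnel.
split_tunnel_ok() {
  printf '%s\n' "$1" | awk -v lan="$2" '
    $1 == lan                              { have_lan = 1 }
    $1 == "default" || $1 == "0.0.0.0/0"   { have_default = 1 }
    END { exit !(have_lan && !have_default) }'
}

# Constructed sample outputs (not captured from a real system) for self-checks.
SAMPLE_UP_OK='initiating IKE_SA zyxel[1] to 203.0.113.10
IKE_SA zyxel[1] established between 172.19.0.50[alice]...203.0.113.10[fw.ddns.net]
CHILD_SA zyxel{1} established with SPIs c1a2b3d4_i e5f6a7b8_o and TS 10.0.10.5/32 === 192.168.50.0/24'
SAMPLE_UP_FAIL='initiating IKE_SA zyxel[1] to 203.0.113.10
received EAP_FAILURE, EAP authentication failed
establishing connection zyxel failed'
SAMPLE_T220_SPLIT='192.168.50.0/24 via 172.19.0.1 dev eth0 proto static src 10.0.10.5'
SAMPLE_T220_FULL='default via 172.19.0.1 dev eth0 proto static src 10.0.10.5'

# Self-check on the samples, then render into a temporary directory (never /etc here).
tunnel_established "$SAMPLE_UP_OK"
split_tunnel_ok "$SAMPLE_T220_SPLIT" 192.168.50.0/24
demo=$(mktemp -d)
install_config "$demo" 203.0.113.10 fw.ddns.net 192.168.50.0/24 alice 'replace-me'
echo "rendered files in $demo:"
cat "$demo/ipsec.conf"
rm -rf "$demo"
```

On the real machine, call install_config with /etc as the destination (as root), run "sudo ipsec restart", then feed the live output to the checks: tunnel_established "$(sudo ipsec up zyxel)" and split_tunnel_ok "$(ip route show table 220)" 192.168.XXX.0/24. The split-tunnel check deliberately treats any default route in table 220 as a failure, because that is exactly what a leftover rightsubnet=0.0.0.0/0 conn produces.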