How to Set Up IKEv2 VPN with EAP-MS-CHAPv2 on Ubuntu 24.04 Using strongSwan?
Zyxel Employee
Question: How do I configure an IKEv2 VPN client on Ubuntu 24.04 to connect to a Zyxel USG FLEX H firewall using EAP-MS-CHAPv2 authentication with split-tunnel?
Answer: On Ubuntu 24.04, NetworkManager's IKEv2 plugin (charon-nm) does not support EAP-MS-CHAPv2, which is required by Zyxel firewalls. When attempting to connect via NetworkManager, Ubuntu sends EAP-IDENTITY first, but the Zyxel USG FLEX H expects EAP-MS-CHAPv2, resulting in EAP-NAK → EAP-FAIL.
The solution is to bypass NetworkManager and configure strongSwan manually. This approach supports EAP-MS-CHAPv2 and gives explicit control over routes, split-tunnel, and firewall rules.
Note: The Zyxel USG FLEX H configuration is identical to the one used for Mac/Windows/Android clients.
Step 1: Install strongSwan and Required Plugins
Update your system and install strongSwan with the EAP-MS-CHAPv2 plugin:
sudo apt update && sudo apt upgrade -y && sudo apt autoremove -y
sudo apt install strongswan strongswan-plugin-eap-mschapv2 libcharon-extra-plugins -y
If you have any existing NetworkManager-based VPN profiles, delete them to avoid conflicts.
Step 2: Import the Zyxel Firewall Certificate
Create the required certificate directories:
sudo mkdir -p /etc/ipsec.d/certs
sudo mkdir -p /etc/ipsec.d/private
sudo mkdir -p /etc/ipsec.d/cacerts
Export the server certificate from your Zyxel firewall (the same certificate used in your Remote Access VPN profile) and copy it to your Ubuntu system:
sudo cp YOUR_CERTIFICATE_NAME.crt /etc/ipsec.d/cacerts/
Verify the certificate installation:
sudo ipsec listcerts
You should see output showing your certificate's CN.
CN=XXX.ddns.net  # my CN is a domain name as displayed here
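Before trusting the certificate you just copied into /etc/ipsec.d/cacerts, it is worth confirming two things: that its SHA-256 fingerprint matches what the firewall's certificate page shows, and that its CN is exactly the value you will later put in rightid=. The script below is an added example (not from the original post or from Zyxel); the file paths and the CN fw.example.net are assumptions, and the certificate it inspects is a throwaway self-signed one generated on the spot so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: inspect the certificate you
# installed as the firewall CA cert. Paths and the CN are assumptions; the
# certificate below is a throwaway self-signed one generated for the demo.

# cert_cn FILE: print the subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# cert_fingerprint FILE: print the SHA-256 fingerprint (colon-separated hex),
# the value to compare against the firewall's certificate page.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# check_rightid FILE RIGHTID: succeed only when the CN matches the rightid
# you intend to put in ipsec.conf; a mismatch makes IKE authentication fail.
check_rightid() {
    cn=$(cert_cn "$1")
    if [ "$cn" = "$2" ]; then
        return 0
    fi
    echo "rightid \"$2\" does not match certificate CN \"$cn\"" >&2
    return 1
}

# --- constructed demo certificate (stands in for YOUR_CERTIFICATE_NAME.crt) ---
demo_dir=$(mktemp -d)
demo_crt="$demo_dir/demo-fw.crt"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=fw.example.net" \
    -keyout "$demo_dir/demo-fw.key" -out "$demo_crt" 2>/dev/null

echo "CN:       $(cert_cn "$demo_crt")"
echo "SHA-256:  $(cert_fingerprint "$demo_crt")"
check_rightid "$demo_crt" "fw.example.net" && echo "rightid matches CN"
```

On a real system, run the three functions against /etc/ipsec.d/cacerts/YOUR_CERTIFICATE_NAME.crt and pass the CN you plan to use as rightid=; `ipsec listcerts` only shows that strongSwan loaded the file, not that it is the certificate you think it is.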
Step 3: Disable DNS Plugin (Optional but Recommended)
To prevent DNS integration issues with systemd-resolved, disable the strongSwan resolve plugin:
sudo nano /etc/strongswan.d/charon/resolve.conf
Add or modify:
resolve {
    load = no
}
Step 4: Configure /etc/ipsec.conf
Backup and edit the IPsec configuration:
sudo cp /etc/ipsec.conf /etc/ipsec.conf.bak
sudo nano /etc/ipsec.conf
- Remove or comment out any %default full-tunnel configuration that uses rightsubnet=0.0.0.0/0.
- Add the following split-tunnel configuration:
conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
    rekey=no
    left=%defaultroute
    leftauth=eap-mschapv2
    leftsourceip=%config
    auto=add

conn zyxel
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
    left=%defaultroute
    leftauth=eap-mschapv2
    leftsourceip=%config
    leftfirewall=yes
    right=XXX.XXX.XXX.XXX # Replace with Zyxel fw WAN IP
    rightauth=pubkey
    rightid="fw.ddns.net" # Zyxel certificate CN, mine is the DDNS name I use
    rightsubnet=192.168.XXX.0/24 # Zyxel fw LAN subnet
    auto=add
    eap_identity=YOUR_USERNAME
Important: Replace XXX.XXX.XXX.XXX with your Zyxel WAN IP, fw.ddns.net with your certificate CN, and 192.168.XXX.0/24 with your LAN subnet.
Step 5: Configure Secrets
Edit the secrets file:
sudo nano /etc/ipsec.secrets
Add your EAP-MS-CHAPv2 credentials:
"YOUR_USERNAME_HERE" : EAP "YOUR_PASSWORD_HERE"
Replace YOUR_PASSWORD_HERE with your Zyxel VPN password.
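Two mistakes from Steps 4 and 5 are easy to make and only show up at `ipsec up` time: a leftover rightsubnet=0.0.0.0/0 in conn %default (which silently turns the split tunnel into a full tunnel) and an unreplaced XXX placeholder, plus an ipsec.secrets that other local users can read. The script below is an added example (not from the original post or from Zyxel) that lints both files before you start the connection; the file paths are parameters, and the config and secrets files it checks are constructed samples with documentation-range addresses.

```shell
#!/bin/sh
# Added example, not part of the original post: lint an ipsec.conf and an
# ipsec.secrets before running `ipsec up`. File paths are parameters; the
# two config files and the secrets file below are constructed samples.

# check_ipsec_conf FILE: print one line per problem, return 0 when clean.
check_ipsec_conf() {
    f="$1"; rc=0
    # Normalise: drop comments, surrounding whitespace and spaces around '='.
    cfg=$(sed -e 's/[[:space:]]*#.*$//' -e 's/^[[:space:]]*//' \
              -e 's/[[:space:]]*$//' -e 's/[[:space:]]*=[[:space:]]*/=/' "$f")

    # IKEv2 with EAP-MS-CHAPv2 on the client side and a certificate on the
    # firewall side is what the Zyxel profile expects.
    for want in 'keyexchange=ikev2' 'leftauth=eap-mschapv2' 'rightauth=pubkey'; do
        if ! printf '%s\n' "$cfg" | grep -qx "$want"; then
            echo "missing setting: $want"; rc=1
        fi
    done

    # A leftover rightsubnet=0.0.0.0/0 (typically in conn %default) turns the
    # split tunnel into a full tunnel.
    if printf '%s\n' "$cfg" | grep -qx 'rightsubnet=0.0.0.0/0'; then
        echo "rightsubnet=0.0.0.0/0 present: full tunnel, remove it for split-tunnel"; rc=1
    fi

    # Template placeholders must have been replaced with real values.
    if printf '%s\n' "$cfg" | grep -q 'XXX'; then
        echo "unreplaced XXX placeholder (right= or rightsubnet=)"; rc=1
    fi
    return $rc
}

# check_secrets_perms FILE: the EAP password sits in clear text here, so the
# file must not be group- or world-readable (mode 600, or 400).
check_secrets_perms() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode; expected 600"; return 1 ;;
    esac
}

# --- constructed samples (addresses are placeholders, not real hosts) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
conn zyxel
    left=%defaultroute
    leftauth=eap-mschapv2
    leftsourceip=%config
    right=203.0.113.10          # WAN IP placeholder (documentation range)
    rightauth=pubkey
    rightid="fw.example.net"
    rightsubnet=192.168.50.0/24
    auto=add
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
conn %default
    keyexchange=ikev2
    rightsubnet=0.0.0.0/0       # leftover full-tunnel default
conn zyxel
    leftauth=eap-mschapv2
    right=XXX.XXX.XXX.XXX       # placeholder never replaced
    auto=add
EOF
printf '"vpnuser" : EAP "placeholder-password"\n' > "$demo_dir/ipsec.secrets"
chmod 600 "$demo_dir/ipsec.secrets"

check_ipsec_conf "$demo_dir/good.conf" && echo "good.conf: OK"
check_ipsec_conf "$demo_dir/bad.conf" || echo "bad.conf: rejected as expected"
check_secrets_perms "$demo_dir/ipsec.secrets" && echo "ipsec.secrets permissions: OK"
```

On the real system, run `check_ipsec_conf /etc/ipsec.conf` and `check_secrets_perms /etc/ipsec.secrets` (as root, since the secrets file should not be readable otherwise) before Step 7; if the secrets check fails, `sudo chmod 600 /etc/ipsec.secrets` is the fix.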
Step 6: Enable and Start strongSwan
sudo systemctl enable strongswan
sudo systemctl restart strongswan
Step 7: Initiate the VPN Connection
Connect to the VPN:
sudo ipsec up zyxel
Check connection status:
sudo ipsec statusall
Successful output shows:
IKE_SA zyxel[1] established
CHILD_SA zyxel{1} established with SPIs ...
Step 8: Verify Routing
Check the routing table:
ip route
Expected output for split-tunnel:
192.168.XXX.0/24 dev ipsec0 proto kernel scope link
default via 172.19.0.1 dev eth0
This confirms LAN traffic routes through VPN while Internet traffic uses the local network.
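Reading the routing table by eye works once, but the same check is worth scripting so it can be repeated after every reconnect or config change. The function below is an added example (not from the original post or from Zyxel): it reads `ip route` output on stdin and confirms that the LAN subnet is routed over the tunnel interface while the default route stays on another interface. The LAN subnet 192.168.50.0/24, the interface names and the two sample outputs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the routing table
# really describes a split tunnel. The LAN subnet, the tunnel interface name
# and the two `ip route` outputs below are constructed for the demo.

# check_split_tunnel LAN_SUBNET TUNNEL_IF  (reads `ip route` output on stdin)
# Succeeds when LAN_SUBNET is routed over TUNNEL_IF and the default route
# uses some other interface; prints a reason and fails otherwise.
check_split_tunnel() {
    lan="$1"; tun="$2"; rc=0
    routes=$(cat)

    # Device of the route whose destination is exactly the LAN prefix.
    lan_dev=$(printf '%s\n' "$routes" |
        awk -v s="$lan" '$1==s { for (i=1;i<=NF;i++) if ($i=="dev") print $(i+1) }')
    # Device of the default route.
    def_dev=$(printf '%s\n' "$routes" |
        awk '$1=="default" { for (i=1;i<=NF;i++) if ($i=="dev") print $(i+1) }')

    if [ "$lan_dev" != "$tun" ]; then
        echo "LAN $lan is not routed via $tun (dev=${lan_dev:-none})"; rc=1
    fi
    if [ -z "$def_dev" ]; then
        echo "no default route: Internet traffic has no path"; rc=1
    elif [ "$def_dev" = "$tun" ]; then
        echo "default route via $tun: this is a full tunnel, not split"; rc=1
    fi
    return $rc
}

# --- constructed `ip route` outputs (addresses are placeholders) ---
split_sample='192.168.50.0/24 dev ipsec0 proto kernel scope link
default via 172.19.0.1 dev eth0 proto dhcp metric 100
172.19.0.0/16 dev eth0 proto kernel scope link src 172.19.0.5'

full_sample='default dev ipsec0 scope link
172.19.0.0/16 dev eth0 proto kernel scope link src 172.19.0.5'

printf '%s\n' "$split_sample" | check_split_tunnel 192.168.50.0/24 ipsec0 \
    && echo "split tunnel confirmed"
printf '%s\n' "$full_sample" | check_split_tunnel 192.168.50.0/24 ipsec0 \
    || echo "full-tunnel sample rejected as expected"
```

On the live system the call is `ip route | check_split_tunnel 192.168.XXX.0/24 ipsec0`, with your LAN subnet and the interface name that appears in your own `ip route` output.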
Step 9: Test Connectivity
Test internal access:
ping 192.168.XXX.254 # Zyxel firewall LAN IP
ping 192.168.XXX.10 # Internal host
Test Internet access:
ping 8.8.8.8
Troubleshooting Tips
| Issue | Solution |
|---|---|
| Connection fails | Ensure |
| DNS not working | Do not use |
| Cannot ping internal hosts | Verify Zyxel VPN user has access to LAN subnet and ICMP is allowed |
| Full-tunnel required | Zyxel must NAT VPN IPs to Internet; split-tunnel is recommended |
Summary
This configuration provides:
- ✅ EAP-MS-CHAPv2 authentication (required by Zyxel)
- ✅ Split-tunnel (LAN over VPN, Internet over local network)
- ✅ Functional routing and connectivity