How to Import ZyWALL/USG Certificate for L2TP over IPsec in Windows 10
Zyxel Employee
SCENARIO DESCRIPTION:
This is an example of using the L2TP VPN and VPN client software included in Windows 10 operating systems. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG and allow traffic from L2TP clients to go to the Internet from a Windows 10 computer.
ZyWALL/USG L2TP VPN with Remote Windows 10 Client Example
Note:
All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: 4.13) and Windows 10 Pro (Version: 10.0.10240)
SETUP/STEP BY STEP PROCEDURE:
Step 1: Set Up the L2TP VPN Tunnel on the ZyWALL/USG
1 In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, use the VPN Settings for L2TP VPN Settings wizard to create a L2TP VPN rule that can be used with the Window 10 clients. Click Next.
Quick Setup > VPN Setup Wizard > Welcome
2 Then, configure the Rule Name and set My Address to be the wan1 interface which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters).
Quick Setup > VPN Setup Wizard > Welcome > VPN Settings
3 Assign the L2TP users’ IP address range from 192.168.100.10 to 192.168.100.20 for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet. Click OK.
Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings)
4 This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary)
5 Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard.
Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed
6 Go to CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN, change Authentication method to be Certificate and select the certificate which ZyWALL/USG uses to identify itself to the Window 10 computer.
CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN > Authentication > Certificate
7 Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add User Name and Password (4-24 characters). Then, set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example).
CONFIGURATION > VPN > L2TP VPN > Create new Object > User
8 If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection. Set the Source Address to be the L2TP address pool. Set the Next-Hop Type to Trunk and select the appropriate WAN trunk.
CONFIGURATION > Network > Routing > Policy Route
Step 2: Export a Certificate from ZyWALL/USG and Import it to Windows 10 Operating System
1 Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit.
CONFIGURATION > Object > Certificate > default
2 Export default certificate from ZyWALL/USG with Private Key (zyx123 in this example)
CONFIGURATION > Object > Certificate > default > Edit > Export Certificate with Private Key
3 Save default certificate as *.p12 file to Windows 10 computer.
4 In Windows 10 Operating System, go to Start Menu > Search Box. Type mmc and press Enter.
Start Menu > Search Box > mmc
5 In the mmc console window, click File > Add/Remove Snap-in...
File > Add/Remove Snap-in...
6 In the Available snap-ins, select Certificates click Add. Then, click Finished.
Press OK to close the Snap-ins window.
Available snap-ins > Certificates > Add
7 In the mmc console window, go to Certificates (Local Computer) > Trusted Root Certification Authorities, right click Certificate > All Tasks > Import…
8 Click Next
.
9 Click Browse..., and locate the .p12 file you downloaded earlier. Then, click Next.
10 Type zyx123 in the Password field and click Next.
11 Select Place all certificates in the following store and then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish.
Note:
Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to default configuration file, the original self-signed certificate is erased, and a new self-signed certificate will be created when the ZyWALL/USG boots the next time.
Step 3: Set Up the L2TP VPN Tunnel on the Windows 10
1 To configure L2TP VPN in Windows 10 operating system, go to Start > Settings > Network & Internet > VPN > Add a VPN Connection and configure as follows.
VPN Provider set to Windows (built-in).
Configure Connection name for you to identify the VPN configuration.
Set Server name or address to be the ZyWALL/USG’s WAN IP address (172.124.163.150 in this example).
Select VPN type to Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec).
Enter User name and Password which the same as Allowed User created in ZyWALL/USG (L2TP_Remote_Users/zyx168 in this example).
2 Go to Control Panel > Network and Internet > Network Connections and right click Properties. Continue to Security > Advanced settings and select Use Certificate for authentication.
3 Go to Network & Internet Settings window, click Connect.
VERIFICATION:
Test the L2TP over IPSec VPN Tunnel
1 Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, the Status connect icon is lit when the interface is connected.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
2 Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of ICMP Connectivity.
Hub_HQ > MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN
3 Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session.
MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users
4 Go to Window 10 operating system Start > Settings > Network & Internet > VPN and show Connected status.
Menu > Settings > VPN > ZyXEL_L2TP
What Can Go Wrong?
1 If you see [alert] log message such as below, please check ZyWALL/USG L2TP Allowed User or User/Group Settings. Windows 10 users must use the same Username and Password as configured in ZyWALL/USG to establish the L2TP VPN.
2 If you see [info] or [error] log message such as below, please check ZyWALL/USG Phase 1 Settings. Windows 10 operating system users must use the same Pre-Shared Key as configured in ZyWALL/USG to establish the IKE SA.
3 If you see that Phase 1 IKE SA process has completed but still get [info] log message as below, please check ZyWALL/USG Phase 2 Settings. ZyWALL/USG unit must set correct Local Policy to establish the IKE SA.
4 Ensure that the L2TP Address Pool does not conflict with any existing LAN1, LAN2, DMZ, or WLAN zones, even if they are not in use.
5 If you cannot access devices in the local network, verify that the devices in the local network set the USG’s IP as their default gateway to utilize the L2TP tunnel.
6 Make sure the ZyWALL/USG units’ security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
7 Verify that the Zone is set correctly in the VPN Connection rule. This should be set to IPSec_VPN Zone so that security policies are applied properly.
Categories
- All Categories
- 388 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 78 Nebula Status and Incidents
- 5.1K Security
- 51 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 913 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 210 Service & License
- 330 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 871 Nebula FAQ
- 411 Security FAQ
- 220 Switch FAQ
- 193 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 61 Security Highlight