How to Import ZyWALL/USG Certificate for L2TP over IPsec in Windows 10

Zyxel_Charlie Posts: 1,034  Zyxel Employee
First Anniversary Friend Collector First Answer First Comment
edited June 2022 in VPN


This is an example of using the L2TP VPN and VPN client software included in Windows 10 operating systems. When the VPN tunnel is configured, users can securely access the network behind the ZyWALL/USG and allow traffic from L2TP clients to go to the Internet from a Windows 10 computer.

ZyWALL/USG L2TP VPN with Remote Windows 10 Client Example

All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: 4.13) and Windows 10 Pro (Version: 10.0.10240)


Step 1: Set Up the L2TP VPN Tunnel on the ZyWALL/USG 

1     In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, use the VPN Settings for L2TP VPN Settings wizard to create a L2TP VPN rule that can be used with the Window 10 clients. Click Next.

Quick Setup > VPN Setup Wizard > Welcome

2     Then, configure the Rule Name and set My Address to be the wan1 interface which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters).

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings

3     Assign the L2TP users’ IP address range from to for use in the L2TP VPN tunnel and select Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet. Click OK.

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings)

4     This screen provides a read-only summary of the VPN tunnel. Click Save.

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary)

5     Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard.

Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed

6     Go to CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN, change Authentication method to be Certificate and select the certificate which ZyWALL/USG uses to identify itself to the Window 10 computer.

CONFIGURATION > VPN > VPN Gateway > WIZ_L2TP_VPN > Authentication > Certificate

7    Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add User Name and Password (4-24 characters). Then, set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example).

CONFIGURATION > VPN > L2TP VPN > Create new Object > User


8     If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection.  Set the Source Address to be the L2TP address pool.  Set the Next-Hop Type to Trunk and select the appropriate WAN trunk.

CONFIGURATION > Network > Routing > Policy Route

Step 2: Export a Certificate from ZyWALL/USG and Import it to Windows 10 Operating System

1     Go to ZyWALL/USG CONFIGURATION > Object > Certificate, select the certificate (default in this example) and click Edit.

CONFIGURATION > Object > Certificate > default

2     Export default certificate from ZyWALL/USG with Private Key (zyx123 in this example)

CONFIGURATION > Object > Certificate > default > Edit > Export Certificate with Private Key

3     Save default certificate as *.p12 file to Windows 10 computer.

4     In Windows 10 Operating System, go to Start Menu > Search Box. Type mmc and press Enter.

Start Menu > Search Box > mmc

5     In the mmc console window, click File > Add/Remove Snap-in...

File > Add/Remove Snap-in...

6     In the Available snap-ins, select Certificates click Add. Then, click Finished.

Press OK to close the Snap-ins window.

Available snap-ins > Certificates > Add

7     In the mmc console window, go to Certificates (Local Computer) > Trusted Root Certification Authorities, right click Certificate > All Tasks > Import…

8     Click Next


9     Click Browse..., and locate the .p12 file you downloaded earlier. Then, click Next.      

10  Type zyx123 in the Password field and click Next.

11  Select Place all certificates in the following store and then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish.

Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to default configuration file, the original self-signed certificate is erased, and a new self-signed certificate will be created when the ZyWALL/USG boots the next time.



Step 3: Set Up the L2TP VPN Tunnel on the Windows 10   

1     To configure L2TP VPN in Windows 10 operating system, go to Start > Settings > Network & Internet > VPN > Add a VPN Connection and configure as follows.

VPN Provider set to Windows (built-in).

Configure Connection name for you to identify the VPN configuration.

Set Server name or address to be the ZyWALL/USG’s WAN IP address ( in this example).

Select VPN type to Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec).

Enter User name  and Password which the same as Allowed User created in ZyWALL/USG (L2TP_Remote_Users/zyx168 in this example).

2     Go to Control Panel > Network and Internet > Network Connections and right click Properties. Continue to Security > Advanced settings and select Use Certificate for authentication.

3     Go to Network & Internet Settings window, click Connect.


Test the L2TP over IPSec VPN Tunnel

1     Go to ZyWALL/USG CONFIGURATION > VPN > IPSec VPN > VPN Connection, the Status connect icon is lit when the interface is connected.


2     Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up Time and the Inbound(Bytes)/Outbound(Bytes) traffic. Click Connectivity Check to verify the result of ICMP Connectivity.

Hub_HQ > MONITOR > VPN Monitor > IPSec > WIZ_L2TP_VPN

3     Go to ZyWALL/USG MONITOR > VPN Monitor > L2TP over IPSec and verify the Current L2TP Session.

MONITOR > VPN Monitor > L2TP over IPSec > L2TP_Remote_Users

4     Go to Window 10 operating system Start > Settings > Network & Internet > VPN and show Connected status.

Menu > Settings > VPN > ZyXEL_L2TP

What Can Go Wrong?

1     If you see [alert] log message such as below, please check ZyWALL/USG L2TP Allowed User or User/Group Settings. Windows 10 users must use the same Username and Password as configured in ZyWALL/USG to establish the L2TP VPN.

2     If you see [info] or [error] log message such as below, please check ZyWALL/USG Phase 1 Settings. Windows 10 operating system users must use the same Pre-Shared Key as configured in ZyWALL/USG to establish the IKE SA.

3     If you see that Phase 1 IKE SA process has completed but still get [info] log message as below, please check ZyWALL/USG Phase 2 Settings. ZyWALL/USG unit must set correct Local Policy to establish the IKE SA.

4     Ensure that the L2TP Address Pool does not conflict with any existing LAN1, LAN2, DMZ, or WLAN zones, even if they are not in use.


5     If you cannot access devices in the local network, verify that the devices in the local network set the USG’s IP as their default gateway to utilize the L2TP tunnel.


6     Make sure the ZyWALL/USG units’ security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.


7     Verify that the Zone is set correctly in the VPN Connection rule. This should be set to IPSec_VPN Zone so that security policies are applied properly.