Connect USG40W to a VPN service?
All Replies
-
Dear Zyxel: please work on an OpenVPN update. We home users bought your HW to have top security and cannot buy your yearly licenses. The work has turned OpenXXX!
0
-
warwickt said:
Hi MAD, I'd like to know this myself.
I'm having a ghastly time trying to get certificate-based "machine authentication" or "L2TP certificate"-based authentication working for USG appliances with Apple's macOS 10.12+/13/14/15 and iOS 13.
The cause of the error is highly likely to be the implementation of the certificate(s) used or generated from the CA.
- tried using certificates generated in the USG, and also
- generating from OpenSSL, and lastly
- even Let's Encrypt
Be it known that IKEv1 Phase 1/Phase 2 works 100% reliably using a PRE-SHARED key - something we don't want to use for mass use for a client.
I'm especially interested in IKEv2; however, regardless of IKEv2 or IKEv1, I get these consistent errors:
Peer IP address mismatch
IKEv1 Error : No proposal chosen
In this example, IKEv1 using macOS L2TP Machine Authentication (and user/password):
Mar 13 21:00:57 myrouter src="218.XXX.XXX.60: 500" dst="XXX.XXX.108.99:500" msg="Send:[NOTIFY:NO_PROPOSAL_CHOSEN]" note="IKE_LOG" user="unknown" devID="1c740dfec31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="IKEv1 SA [Responder] negotiation failed:" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Local IKE peer 218.XXX.XXX.60:500 ID (null)" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Remote IKE peer XXX.XXX.108.99:500 ID (null)" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Message: No proposal chosen (14)" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Reason:" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Peer IP address mismatch" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" IKEv1 Error : No proposal chosen" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Mar 13 21:01:02 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="Starting DNS query" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
Like many, we've followed the Zyxel documentation to the letter, as well as others', but cannot progress any further than the above when trying to deploy certificates for machine or user authentication.
The failure is clearly in the tunnel setup and not in the user authentication.
Any clues from Zyxel or others would be most helpful.
Warwick
Hong Kong
0 -
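The IKE_LOG records quoted in Warwick's post are easier to reason about once they are parsed into fields. The following is an added example, not code from the post or from Zyxel: it splits the flattened log back into records, pulls the key="value" pairs out of each one, and groups the "negotiation failed:" record with the indented detail records that follow it (local/remote peer, notify type and code, and the text after "Reason:"). The sample log is the post's own, with the addresses already masked as the post masks them; the hint text keyed by reason is my interpretation for an operator, not vendor documentation.

```python
"""Parse Zyxel USG IKE_LOG records and extract why an IKE negotiation failed."""
import re

# Constructed sample: the responder-side records quoted in the post above, kept on
# one line exactly as the forum page flattened them (addresses masked as in the post).
SAMPLE_LOG = (
    'Mar 13 21:00:57 myrouter src="218.XXX.XXX.60: 500" dst="XXX.XXX.108.99:500" '
    'msg="Send:[NOTIFY:NO_PROPOSAL_CHOSEN]" note="IKE_LOG" user="unknown" devID="1c740dfec31c" cat="IKE" '
    'Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="IKEv1 SA [Responder] negotiation failed:" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE" '
    'Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Local IKE peer 218.XXX.XXX.60:500 ID (null)" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE" '
    'Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Remote IKE peer XXX.XXX.108.99:500 ID (null)" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE" '
    'Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Message: No proposal chosen (14)" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE" '
    'Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Reason:" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE" '
    'Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Peer IP address mismatch" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE" '
    'Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" IKEv1 Error : No proposal chosen" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE" '
    'Mar 13 21:01:02 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="Starting DNS query" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"'
)

# A record starts with a syslog-style timestamp, the hostname and the src= field.
RECORD_START = re.compile(r'(?=\b[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ src=)')
HEADER = re.compile(r'^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ')
KV = re.compile(r'(\w+)="([^"]*)"')

FAIL_RE = re.compile(r'^(IKEv[12]) SA \[(Initiator|Responder)\] negotiation failed')
PEER_RE = re.compile(r'^(Local|Remote) IKE peer (\S+) ID (.*)$')
# "(14)" is the ISAKMP notify type; 14 is NO-PROPOSAL-CHOSEN in RFC 2408.
MSG_RE = re.compile(r'^Message: (.*?) \((\d+)\)$')
SEND_RE = re.compile(r'^Send:\[NOTIFY:(\w+)\]$')

# Operator hints keyed by the text that follows "Reason:". These are my interpretation
# of the log, not Zyxel documentation: the reason names a policy/peer-address check
# that fails before any crypto proposal is compared.
REASON_HINTS = {
    'Peer IP address mismatch': 'no IKE gateway/policy accepted the peer address; '
                                'check the gateway peer-address setting before tuning proposals',
}


def split_records(text):
    """Split a flattened log dump into one string per record."""
    return [r.strip() for r in RECORD_START.split(text) if r.strip()]


def parse_record(rec):
    """Turn one record into a dict of its key="value" fields plus ts/host."""
    head = HEADER.match(rec)
    fields = dict(KV.findall(rec))
    fields['ts'] = head.group(1) if head else None
    fields['host'] = head.group(2) if head else None
    return fields


def parse_failures(text):
    """Return one dict per failed negotiation, with the detail lines folded in."""
    recs = [parse_record(r) for r in split_records(text)]
    failures, last_notify, i = [], None, 0
    while i < len(recs):
        msg = recs[i].get('msg', '')
        sent = SEND_RE.match(msg)
        if sent:  # remember the notify the box sent; the failure block follows it
            last_notify = {'type': sent.group(1), 'src': recs[i]['src'], 'dst': recs[i]['dst']}
            i += 1
            continue
        fail = FAIL_RE.match(msg)
        if not fail:
            i += 1
            continue
        f = {'ts': recs[i]['ts'], 'version': fail.group(1), 'role': fail.group(2),
             'sent_notify': last_notify, 'local_peer': None, 'remote_peer': None,
             'local_id': None, 'remote_id': None, 'notify': None, 'notify_code': None,
             'reason': None, 'hint': None}
        # Detail records carry a leading space in msg; collect until the next top-level record.
        details, j = [], i + 1
        while j < len(recs) and recs[j].get('msg', '').startswith(' '):
            details.append(recs[j]['msg'].strip())
            j += 1
        for k, d in enumerate(details):
            peer = PEER_RE.match(d)
            if peer:
                side = peer.group(1).lower()
                f[side + '_peer'], f[side + '_id'] = peer.group(2), peer.group(3)
                continue
            m = MSG_RE.match(d)
            if m:
                f['notify'], f['notify_code'] = m.group(1), int(m.group(2))
                continue
            if d == 'Reason:' and k + 1 < len(details):
                f['reason'] = details[k + 1]
        f['hint'] = REASON_HINTS.get(f['reason'])
        failures.append(f)
        last_notify, i = None, j
    return failures


def summarize(f):
    """One-line operator summary of a parsed failure."""
    return (f"{f['ts']} {f['version']} {f['role']} failed: local={f['local_peer']} "
            f"remote={f['remote_peer']} notify={f['notify']!r} ({f['notify_code']}) "
            f"reason={f['reason']!r} hint={f['hint']}")


if __name__ == '__main__':
    for failure in parse_failures(SAMPLE_LOG):
        print(summarize(failure))
```

Reading the output for this log: the box is the responder, it sent NO_PROPOSAL_CHOSEN (type 14) to the remote peer, and the reason recorded is the peer-address mismatch rather than a cipher or DH-group mismatch, which is why tuning Phase 1 proposals on the client side does not change the outcome. Both IDs are logged as (null), so this run never got as far as certificate identity checks.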
Hi @Olibert,
Currently ZyWALL/USG doesn't support OpenVPN. You may use Zyxel SecuExtender or an IPSec VPN client application instead.
However, thanks for your suggestion; we will evaluate it in the future if it is beneficial.
0 -
Hi @MAD, not sure if you are still trying to solve this. I'm also stuck, but can probably help you move forward a little with IPSec.
The username to put in EAP is not the email address/password you use to log in to Nord. If you log in, you can get your account username and password through the web interface by selecting the NordVPN service on the left and then scrolling down to "service credentials".
Also, if you upload the nordvpn.der certificate into your trusted certificates, it looks like the ZyWALL uses it even though you can only select things in "my certificates". I have "default" selected as the cert and I believe it's using the trusted one anyway.
With the above two changes, I'm able to get a successful authentication message in phase 1 and complete the SA. I'm now stuck at the end of phase 1 or the beginning of phase 2, passing the cookie pair back and forth in a loop between the ZyWALL and Nord. It would help a lot if Nord would just tell us the proper config settings like timeouts, ESP vs AH, etc., but they seem not to want to share the config info one needs to connect to them. I will likely cancel Nord if I can't make it work.
0
-
Lou-S,
How do I import the cert from my VPN provider on the USG60? I have tried and tried. I need it to import so I can select it for authentication via IKEv2 with NordVPN.
0 -
takoykrutoy said:
How do I import the cert from my VPN provider on the USG60? I have tried and tried. I need it to import so I can select it for authentication via IKEv2 with NordVPN.
Click the Import button and select the NordVPN certificate.
But I don't think USG IKEv2 can work with NordVPN or other IKEv2 VPN servers.
If I understood correctly,
USG IPSec works as a network-to-network VPN, and as a VPN server for VPN clients.
But it does not work as a VPN client.
A VPN client needs to have these capabilities:
- build a virtual interface after VPN dial-up
- request an IP address/DNS server address, routing ... for the virtual interface
- automatically convert the source IP address to the VPN interface IP for all traffic going into the VPN tunnel
0