VPN Linux StrongSwan-USG60

GPX
GPX Posts: 2
edited May 2021 in Security
Hello,

I am trying to connect a desktop Ubuntu 20.04 to a remote USG60 with a public IP address. I use StrongSwan to try to establish an IPSec/IKEv2 connection to the USG60.

The connection seems to work, but it is disconnected right after. Would anyone know what is happening?

In the attachment I put the log from the Linux desktop and the USG60 (IKE log). I also attach the configuration of StrongSwan and the VPN part of the USG60.

Thank you in advance.

Accepted Solution

  • Ian31
    Ian31 Posts: 165  Master Member
    Answer ✓
    Hi @GPX,
    Zyxel firewall IKEv2 for VPN clients supports authentication with certificate + EAP-MSCHAPv2 only.

    You can follow these steps to configure:
    1. Create a self-signed certificate for the IKEv2 rule.
    (1) On the GUI, go to Object > Certificate > My Certificates and click Add.
    (2) In Subject, you can choose IP address and type in your WAN IP, or Domain name and type in the DNS name of your WAN IP. In Extended Key Usage, select all types.


    2. Download the certificate to your Ubuntu client.
    On the My Certificates page, select the certificate, then click Download. Don't type in a password; click OK. You'll get an xxxx.crt file.

    3. Configure the VPN gateway rule
    (1) On the VPN gateway rule, for authentication select "Certificate" instead of PSK, and select the certificate created in step 1.

    (2) At the bottom of the page, enable Extended Authentication Protocol (EAP) and choose server mode.


    4. Configure the VPN connection rule
    (1) On the VPN connection rule, enable Configuration Payload.
    Select an IP address range for VPN clients (you need to create it in Object > Address first).
    Also, give a DNS server address for VPN clients.


    5. Go to the Ubuntu client and disable the unsupported EAP methods.
    (1) Edit /etc/strongswan.conf and add charon-nm settings to disable EAP-PEAP, EAP-MD5 and EAP-GTC.
    charon {
        load_modular = yes
        plugins {
            include strongswan.d/charon/*.conf
        }
    }
    charon-nm {
        plugins {
            # The firewall accepts EAP-MSCHAPv2 only, so keep the other EAP methods from loading
            eap-peap {
                load = no
            }
            eap-md5 {
                load = no
            }
            eap-gtc {
                load = no
            }
        }
    }
    include strongswan.d/*.conf

    6. Configure the VPN settings in Network Manager
    (1) In Certificate, select the downloaded certificate file, and for Authentication select EAP.



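As an added illustration, not part of Ian31's answer and not code from strongSwan or Zyxel: a small Python parser for the strongswan.conf section syntax (nested `name { ... }` sections, `key = value` lines and `include` lines), used to check that the /etc/strongswan.conf edit from step 5 really leaves no EAP method other than EAP-MSCHAPv2 enabled under charon-nm. The sample text is a constructed copy of the snippet above; the function names, the simplified grammar (no quoted strings or references, and `include` lines are recorded but not followed) and the MSCHAPv2-only rule are my own assumptions, not strongSwan's parser.

```python
# Added example (not from the thread): parse strongswan.conf syntax and report
# which EAP plugins a charon-nm block disables. Assumes only "key = value",
# "section { ... }" and "include" lines, as in the snippet above; the real
# strongSwan parser accepts more than this.

from __future__ import annotations

import re
import sys
from pathlib import Path

# Constructed sample: the configuration from the answer above.
SAMPLE_CONF = """
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}
charon-nm {
        plugins {
                eap-peap {
                        load = no
                }
                eap-md5 {
                        load = no
                }
                eap-gtc {
                        load = no
                }
        }
}
include strongswan.d/*.conf
"""

_SECTION_OPEN = re.compile(r"^([\w.-]+)\s*\{$")
_KEY_VALUE = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")
_INCLUDE = re.compile(r"^include\s+(\S+)$")


def parse_strongswan_conf(text: str) -> dict:
    """Parse strongswan.conf syntax into nested dicts.

    Sections become dicts, "key = value" lines become str values, and include
    directives are collected (not followed) under the key "__include__".
    """
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
            continue
        m = _SECTION_OPEN.match(line)
        if m:
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        m = _INCLUDE.match(line)
        if m:
            stack[-1].setdefault("__include__", []).append(m.group(1))
            continue
        m = _KEY_VALUE.match(line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip()
            continue
        raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced opening brace")
    return root


def disabled_eap_plugins(conf: dict, daemon: str = "charon-nm") -> set[str]:
    """Names of eap-* plugins that the daemon's section sets to load = no."""
    plugins = conf.get(daemon, {}).get("plugins", {})
    return {
        name for name, body in plugins.items()
        if name.startswith("eap-") and isinstance(body, dict)
        and body.get("load", "yes").lower() == "no"
    }


def mschapv2_only_check(conf: dict, daemon: str = "charon-nm") -> bool:
    """True if every eap-* plugin listed in the daemon's section, other than
    eap-mschapv2, is disabled, so the client cannot offer a method the
    firewall rejects."""
    plugins = conf.get(daemon, {}).get("plugins", {})
    for name, body in plugins.items():
        if not name.startswith("eap-") or not isinstance(body, dict):
            continue
        if body.get("load", "yes").lower() != "no" and name != "eap-mschapv2":
            return False
    return True


if __name__ == "__main__":
    # Usage: python check_eap.py [/etc/strongswan.conf]; defaults to the sample.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_CONF
    conf = parse_strongswan_conf(text)
    print("disabled EAP plugins:", sorted(disabled_eap_plugins(conf)))
    print("only EAP-MSCHAPv2 left enabled:", mschapv2_only_check(conf))
```

Run it against the real file after the step 5 edit; a `False` from the check means a plugin such as eap-gtc is still set to load and the tunnel is likely to drop during authentication, as in the original symptom.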
All Replies


  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,028  Zyxel Employee
    edited May 2021
    Hi @GPX

    Here are the guides on how to establish a VPN connection with Linux StrongSwan.
    If you would like to build up a tunnel with IKEv1, you can follow the guide to complete the settings.

  • GPX
    GPX Posts: 2

    The solution proposed by Ian31 worked for me, thank you very much! We spent a lot of time trying to figure it out; finally your answer solved our problem =)

    Zyxel_Jerry, thanks for the documentation, however StrongSwan proposes only IKEv2 (at least in the GUI with the version I have installed).

    Thanks again for the responses
