VPN solution with USG20-VPN and Fritzbox
Hi,
I am trying to establish a VPN solution in my network. I have a Fritzbox 7590 router and a USG20-VPN. The Fritzbox network is 192.168.10.0 an the one from the USG is 192.168.1.0. I want to enable a VPN connection with the possibility to connect via RDP to a specific client. In the last days I tested two sceanrios:
The first was with the help of the instructions from Zyxel I was able to establish the VPN connection to the USG after setting up the port forwarding in the Fritzbox.
https://mysupport.zyxel.com/hc/en-us/articles/360005744000--ZyWALL-USG-How-to-set-up-a-Client-to-Site-VPN-Configuration-Payload-DHCP-connection-using-IKEv2
But I always read that for VPN connections the encyption AES256 with SHA256 should be the minimum to be secure. While the instructions are using 3DES and AES128 I tried to change the encryption to AES256/SHA256 (I am aware regarding the performance :-)). Unfortunately with AES256 there is no way for me to get it running on a Windows client. With my iPhone it is working well, but also Windows is the goal. On Windows I am using the ZyWall IPSec VPN client as I have read that Windows does not support the needed DH groups when using AES256. Does anybody have already setup the IPSec VPN with AES256/SHA256 on windows?
The second sceanrio I tested was that my Fritzbox is the VPN server with WireGuard VPN setup. This worked to connect to the Fritzbox. I then set a route into the USG network to connect to the client. But this step only did not work I also had to setup a policy route at the USG to allow RDP from WAN (the USG WAN port is connected with the Fritzbox). The rule looks like this:
Somehow I have the feeling that this is not a secure solution, since I am giving all RDP requests from the WAN access to the LAN, isn't it?
Can someone perhaps give me a kind of best pratise approach for my desired goal? I'm not much of a network specialist, but I'm slowly getting more into the subject. Any help would be greatly appreciated.
Accepted Solution
-
So after some testing you can increase the windows encryption using PowerShell and the help of this:
the follow command now lets you have
Phase 1 AES256/SHA256 DH2
Phase 2 AES256/SHA256 PFS none
Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN name" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup none -DHGroup Group2 -PassThru -Force
2
All Replies
-
Hi @kawer83 ,
It's better to post the topology. So that can make it easy to give you comments of the settings base on best practice.
Is it like this ?
VPN client — Internet — Fritzbox — USG — RDP target
First scenario:
VPN client(IPSec client) → USG (IPSec VPN server) → RDP target
Second scenario:
VPN client(WireGuard client) →Fritzbox(WireGaurd Server)→USG→RDP target
0 -
Hi @zyman2008 ,
thanks for your answer. Yes the topolgy is as you described for both scenarios. For the first scenario:
VPN client(IPSec client) → USG (IPSec VPN server) → RDP target
I would like to get it working with AES256/SHA256 but was not successful with a Windows device (and Zyxel IPSec VPN client installed).
So the second scenario with VPN client(WireGuard client) →Fritzbox(WireGaurd Server)→USG→RDP target was my favorite but I am not sure if this is really secure.
Because of this I wanted to ask if anybody has experience with a good VPN solution when using the kind of hardware (a USG bheind a FritzBox).
0 -
I'd use IPSec only for Network-to-network connection, between USG20-VPN and Fritz!box.
Otherwise, I'd use L2TP/IPsec connection from the client device (with windows it's a bit trickier) to USG20-VPN.0 -
May I know What the monitor log shows when the Windows ZyWall IPSec VPN client fails to build the connection? it may give us a clue.
And how did you configure the VPN client? Could you try "get from server" to get the VPN client configure and try again?
Please refer to this article about the "get from server" feature.
0 -
You should talk to Microsoft…
0 -
For the windows client L2TP/IPsec last I checked was
Phase 1 3DES/SHA1 DH2
Phase 2 AES256/SHA1 PFS none
0 -
So after some testing you can increase the windows encryption using PowerShell and the help of this:
the follow command now lets you have
Phase 1 AES256/SHA256 DH2
Phase 2 AES256/SHA256 PFS none
Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN name" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup none -DHGroup Group2 -PassThru -Force
2 -
Its for L2TP/IPsec yes
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 148 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight