VPN solution with USG20-VPN and Fritzbox

kawer83
kawer83 Posts: 6

Hi,

I am trying to establish a VPN solution in my network. I have a Fritzbox 7590 router and a USG20-VPN. The Fritzbox network is 192.168.10.0 and the one from the USG is 192.168.1.0. I want to enable a VPN connection with the possibility to connect via RDP to a specific client. In the last days I tested two scenarios:

The first: with the help of the instructions from Zyxel, I was able to establish the VPN connection to the USG after setting up the port forwarding in the Fritzbox.

https://mysupport.zyxel.com/hc/en-us/articles/360005744000--ZyWALL-USG-How-to-set-up-a-Client-to-Site-VPN-Configuration-Payload-DHCP-connection-using-IKEv2

But I always read that for VPN connections the encryption AES256 with SHA256 should be the minimum to be secure. While the instructions are using 3DES and AES128, I tried to change the encryption to AES256/SHA256 (I am aware regarding the performance :-)). Unfortunately with AES256 there is no way for me to get it running on a Windows client. With my iPhone it is working well, but also Windows is the goal. On Windows I am using the ZyWall IPSec VPN client, as I have read that Windows does not support the needed DH groups when using AES256. Does anybody have already set up the IPSec VPN with AES256/SHA256 on Windows?

The second scenario I tested was that my Fritzbox is the VPN server with a WireGuard VPN setup. This worked to connect to the Fritzbox. I then set a route into the USG network to connect to the client. But this step alone did not work; I also had to set up a policy route at the USG to allow RDP from WAN (the USG WAN port is connected with the Fritzbox). The rule looks like this:

Somehow I have the feeling that this is not a secure solution, since I am giving all RDP requests from the WAN access to the LAN, isn't it?

Can someone perhaps give me a kind of best practice approach for my desired goal? I'm not much of a network specialist, but I'm slowly getting more into the subject. Any help would be greatly appreciated.

Accepted Solution

All Replies

  • zyman2008
    zyman2008 Posts: 219  Master Member

    Hi @kawer83 ,

    It's better to post the topology. That makes it easier to give you comments on the settings based on best practice.

    Is it like this?

    VPN client — Internet — Fritzbox — USG — RDP target

    First scenario:

    VPN client(IPSec client) → USG (IPSec VPN server) → RDP target

    Second scenario:

    VPN client (WireGuard client) → Fritzbox (WireGuard server) → USG → RDP target

  • kawer83
    kawer83 Posts: 6

    Hi @zyman2008 ,

    thanks for your answer. Yes, the topology is as you described for both scenarios. For the first scenario:

    VPN client(IPSec client) → USG (IPSec VPN server) → RDP target

    I would like to get it working with AES256/SHA256 but was not successful with a Windows device (and Zyxel IPSec VPN client installed).

    So the second scenario with VPN client (WireGuard client) → Fritzbox (WireGuard server) → USG → RDP target was my favorite, but I am not sure if this is really secure.

    Because of this I wanted to ask if anybody has experience with a good VPN solution when using this kind of hardware (a USG behind a FritzBox).

  • mMontana
    mMontana Posts: 1,389  Guru Member

    I'd use IPSec only for Network-to-network connection, between USG20-VPN and Fritz!box.
    Otherwise, I'd use L2TP/IPsec connection from the client device (with windows it's a bit trickier) to USG20-VPN.

  • kawer83
    kawer83 Posts: 6

    Thank you @mMontana for your answer. Which encryption do you use for the L2TP/IPsec connection? My goal is to use AES256/SHA256, but I was not able to get it working in Windows.

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee

    May I know what the monitor log shows when the Windows ZyWall IPSec VPN client fails to build the connection? It may give us a clue.

    And how did you configure the VPN client? Could you try "get from server" to get the VPN client configuration and try again?

    Please refer to this article about the "get from server" feature.

  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    edited January 5

    For the Windows client, L2TP/IPsec last I checked was

    Phase 1 3DES/SHA1 DH2

    Phase 2 AES256/SHA1 PFS none

  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    Answer ✓

    So after some testing you can increase the Windows encryption using PowerShell and the help of this:

    https://learn.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=windowsserver2022-ps

    The following command now lets you have

    Phase 1 AES256/SHA256 DH2

    Phase 2 AES256/SHA256 PFS none

    Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN name" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup none -DHGroup Group2 -PassThru -Force
    

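As an added example (not PeterUK's or Zyxel's code), the accepted answer carried end to end on the Windows client: create the L2TP/IPsec connection, apply the AES256/SHA256 proposal from the command above, and read the policy back to confirm it took effect. The connection name, server address and pre-shared key are placeholders; the USG-side VPN gateway and connection proposals must offer the same algorithms, or phase 1/2 negotiation fails.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the
# Windows client. Server address and PSK are placeholders to be replaced.
$ConnectionName = "USG20-L2TP"
$ServerAddress  = "vpn.example.invalid"   # placeholder: public address of the Fritzbox (forwarded to the USG)
$PreSharedKey   = "REPLACE-WITH-PSK"      # placeholder: the USG's L2TP/IPsec pre-shared key

# 1. Create the L2TP/IPsec connection if it does not exist yet
#    (MS-CHAPv2 user authentication, encryption required).
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
        -TunnelType L2tp -L2tpPsk $PreSharedKey -AuthenticationMethod MSChapv2 `
        -EncryptionLevel Required -RememberCredential -Force
}

# 2. Replace the Windows default proposal (3DES/SHA1 with DH group 2 in phase 1)
#    with AES256/SHA256 in both phases. DH group 2 and no PFS are kept so the
#    proposal still matches the USG-side L2TP/IPsec policy used in this thread.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -PfsGroup None -DHGroup Group2 -PassThru -Force

# 3. Verify: the custom policy on the connection must now show the stronger algorithms.
$policy = (Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy
$policy | Format-List EncryptionMethod, IntegrityCheckMethod, DHGroup,
                      CipherTransformConstants, AuthenticationTransformConstants, PfsGroup

if ($policy.EncryptionMethod -ne "AES256" -or $policy.IntegrityCheckMethod -ne "SHA256") {
    Write-Warning "Custom IPsec policy not applied; the connection would use the Windows defaults."
}
```

If the USG is later moved to a stronger DH group or PFS, change -DHGroup and -PfsGroup here to match; a mismatch shows up on the USG as a failed phase 1 or phase 2 proposal in the VPN log.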
  • mMontana
    mMontana Posts: 1,389  Guru Member
    edited January 5

    @PeterUK thanks for sharing.
    May I assume that similar commands are available for L2TP/IPsec on Windows?

    I also suggest Zyxel add these commands and references to PowerShell into the specific post/thread for L2TP connections.

  • PeterUK
    PeterUK Posts: 3,389  Guru Member

    It's for L2TP/IPsec, yes.
