Windows 10/11 VPN native client cannot connect to USG Flex 700H Remote Access VPN behind NAT router

NoCoZFR
NoCoZFR Posts: 3  Freshman Member
First Comment Fifth Anniversary

Hi all,

We can't manage to connect to our USG Flex 700H Remote Access VPN using the Windows 10/11 native client with the Zyxel-generated configuration files. The strange thing is that it works on Android!

You'll find below all the setup and tests we've made, hope this could help 🙏

Here is our Setup :

We have a USG Flex 700H which is located behind our ISP router (Freebox Pro). The ISP router can't be set up in bridge mode (the only solution is to create a DMZ with all ports redirected to the USG Flex 700H).

The USG Flex 700H is connected to the ISP router using the GE2 port with 192.168.124.10 as its WAN IP (the LAN network is 192.168.44.x). For understanding purposes, let's say our public IP address is 1.2.3.4.

We want to use the native Windows VPN client to connect to the VPN (and therefore are using the installation script generated by the USG Flex 700H). When doing this, the script contains the WAN IP address as the server IP address (192.168.124.10), so the conf file looks as follows:

set Name="RemoteAccess_192.168.124.10"
set ServerAddress="192.168.124.10"
set TunnelType="IKEv2"
set AuthenticationMethod="EAP"
set EncryptionLevel="Required"
set UseWinlogonCredential=$False
set RememberCredential=$False
set SplitTunneling=$False
set IKEEnc="AES128"
set IKEAuth="SHA256"
set IKEKey="Group2,Group14"
set ESPEnc="AES128"
set ESPAuth="SHA256128"
set ESPPfs="None"

So I modified it this way before executing:

set Name="TEST14"
set ServerAddress="1.2.3.4"
set TunnelType="IKEv2"
set AuthenticationMethod="EAP"
set EncryptionLevel="Required"
set UseWinlogonCredential=$False
set RememberCredential=$False
set SplitTunneling=$False
set IKEEnc="AES128"
set IKEAuth="SHA256"
set IKEKey="Group2,Group14"
set ESPEnc="AES128"
set ESPAuth="SHA256128"
set ESPPfs="None"

Note that the generated/provided certificate is delivered to "192.168.124.10" (not my public IP address then).

Once the script has been executed, the TEST14 VPN connection appears in my VPN connections. When I launch it, it asks for my user credentials and then I get this error 🤔 (IKE credentials are unacceptable).

The thing is that this issue is related to Windows VPN client ONLY because I have no issue on my Android phone using the generated Android StrongSwan configuration file (it works perfectly).

So I guess the problem is purely related to Windows VPN Client configuration. There might be something I'm missing somewhere but I don't know what and where to look… so any help would really be appreciated.

Please find below the logs on the 700H when using the Windows client, followed by the Remote Access VPN setup:

Remote Access VPN setup:

  • Incoming Interface: ge2 (WAN)
  • Certificate for VPN validation: auto
  • Client will use VPN to access: Internet and local networks (full tunnel) + Auto SNAT enabled
  • Client Network:
    • IP Address Pool: 192.168.50.0/24
    • First DNS Server: Zywall
  • Authentication:
    • Primary Server: local
    • User: vpnusers (group that includes the user we created for testing purposes)

In Advanced Settings:

  • Phase 1:
    • SA Life Time: 86400
    • Proposal:
      • Encryption: AES128, Authentication: SHA256
      • DH Groups: DH2, DH14, DH21
  • Phase 2:
    • SA Lifetime: 28800
    • Proposal:
      • Encryption: AES128, Authentication: SHA256
      • Perfect Forward Secrecy: None

Many thanks in advance for all the help you could provide us 😉

Best Answers

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,230  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary
    Answer ✓

    Hi @NoCoZFR

    Additionally, since your USG Flex 700H is behind NAT, the USG Flex 700H's ge2 interface will get a private IP, and the CN domain name of the generated certificate will also be the private IP.

    Therefore, please follow the steps below to set up the remote VPN:

    • 1. Navigate to System > Certificate to generate a certificate with the WAN IP (e.g., 1.2.3.4). Set the key type to RSA-SHA256, Key Length to 2048, and Life Length to 5 Years. Enable Server Authentication, Client Authentication, and IKE Intermediate.

    • 2. Manually select the self-signed certificate for the Remote VPN certificate.

    • 3. Once you download the Windows script file, edit the server address to the WAN IP 1.2.3.4.
    • 4. Double-click the .bat file to install the script file.

    Thanks.


    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community
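    As an added example (not Zyxel's script and not from anyone in this thread), the following PowerShell check can be run on the Windows client after the .bat has been executed. It confirms that the certificate Windows trusts for the gateway actually names the address the VPN connection dials, and that it carries the Server Authentication and IKE Intermediate usages enabled in step 1; a name mismatch is exactly the situation described above when the firewall sits behind NAT. It assumes the connection is named TEST14 and that the .bat placed the gateway certificate in the machine Trusted Root store.

```powershell
# Added example: verify the trusted gateway certificate matches the VPN server address.
# Assumptions: connection name "TEST14"; the Zyxel .bat installed the certificate
# into Cert:\LocalMachine\Root (adjust $ConnectionName / the store path if not).
param(
    [string]$ConnectionName = "TEST14"
)

$oidServerAuth      = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU
$oidClientAuth      = "1.3.6.1.5.5.7.3.2"   # Client Authentication EKU
$oidIkeIntermediate = "1.3.6.1.5.5.8.2.2"   # IP security IKE intermediate EKU
$oidSan             = "2.5.29.17"           # Subject Alternative Name extension

# The address Windows will dial; the certificate must name this exact value.
$vpn    = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
$server = $vpn.ServerAddress
$needle = [regex]::Escape($server)

# Candidates: certificates whose CN or SAN contains the dialed address.
$candidates = Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
    $san = $_.Extensions | Where-Object { $_.Oid.Value -eq $oidSan } |
           ForEach-Object { $_.Format($false) }
    ($_.Subject -match "CN=$needle") -or ($san -match $needle)
}

if (-not $candidates) {
    Write-Warning "No trusted root certificate names '$server' (the address in '$ConnectionName')."
    Write-Warning "Self-signed certificates currently in the store (check which IP/name they carry):"
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.NotAfter -gt (Get-Date) } |
        Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize
    exit 1
}

# Report the EKUs the IKEv2 client expects on the gateway certificate.
foreach ($cert in $candidates) {
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        Subject         = $cert.Subject
        Expires         = $cert.NotAfter
        ServerAuth      = $ekus -contains $oidServerAuth
        ClientAuth      = $ekus -contains $oidClientAuth
        IkeIntermediate = $ekus -contains $oidIkeIntermediate
    }
}
```

    If the check prints no candidate, or ServerAuth/IkeIntermediate is False, regenerate the certificate on the firewall as described in the steps above and re-run the downloaded .bat before trying the connection again.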

  • NoCoZFR
    NoCoZFR Posts: 3  Freshman Member
    First Comment Fifth Anniversary
    Answer ✓

    Thanks for your help, the issue was with the certificate pointing to the wrong IP. So I generated a new certificate with the domain name and it finally worked. Thanks a lot!

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,230  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Hello @NoCoZFR

    To exclude any script installation issues, simply double-click the .bat file after downloading it to your Windows PC. This will automatically install it on your PC. Then, attempt to establish the remote VPN connection to verify if it works.

    If you still have a problem, please let us know. Thanks.


  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited June 28

    You can use a DDNS with a certificate if your WAN IP changes, but you have to install the Intermediate Certification Authorities after you run the .bat.

  • JoostGroot
    JoostGroot Posts: 11  Freshman Member
    First Comment Second Anniversary

    We have the same issue, but not behind NAT. Just public IP. VPN gives the same message:

    The public IP is the same as the certificate. The certificate is in trusted cert store. VPN is installed with the Batch file.

    Wish the L2TP vpn would still be available or the Flex series should just be Nebula managed.

  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited November 10

    And is it a public IP you get when you go to "what's my IP", and does it match?

    Try with a simple user name and password for the VPN as a test.

  • ticsystems
    ticsystems Posts: 69  ZCNE Certified
    First Comment Friend Collector Nebula Gratitude Fifth Anniversary

    Check that the certificate is correct.
    Every time you make a change in the configuration, a new certificate is created and you have to download the script again.
    The best thing you can do is generate the certificate manually and force it in the configuration.