This guide will assist in the configuration of the IPSecuritas VPN Client (version 4.6.1) for VPN connectivity with Zyxel's Next-Gen ZyWALL USG routers.
Overview
A VPN (virtual private network) provides secure communication between sites without the expense of leased lines. VPNs are used to transport traffic over the internet or any other insecure network that uses TCP/IP. A remote access VPN (client-to-site) gives traveling employees and teleworkers secure access to company network resources. There are multiple VPN protocols/technologies that can be used to establish a secure link to the company network, such as L2TP, PPTP, SSL, OpenVPN, etc. This guide uses the IPSec protocol to establish a secure VPN tunnel between external hosts (users connected to the internet outside the company network) and the ZyWALL router. Third party IPSec software is required to establish the VPN connection as current operating systems lack a built-in IPSec client. This walkthrough will help configure the VPN setup on the IPSecuritas VPN client (version 4.6.1).
Supported Devices
ZyWALL 110
ZyWALL 310
ZyWALL 1100
USG40/40W/40HE
USG60/60W
USG110
USG210
USG310
USG1100
USG1900
USG20-VPN/20W-VPN
USG2200-VPN
ZyWALL VPN Setup
To begin configuring the VPN policy on the ZyWALL/USG router, open a web browser and access the Zyxel router's WebGUI. Once in the web configuration page, go to Configuration → VPN → IPSec VPN to begin the VPN policy/rule setup.
VPN Gateway (Phase 1):
In the IPSec VPN menu click the "VPN Gateway" tab to insert a Phase 1 VPN policy configuration. Click the "Add" button to create a new rule. On the top left of the window click the "Show Advanced Settings" button to view all the options available in this menu.
- Check the box to enable the VPN rule
- VPN Gateway Name – Please provide a name for the rule
- IKE Version – Options are IKEv1 and IKEv2; select the IKE version you wish to use. This will depend on your VPN client's compatibility, as not all clients support IKEv2. Verify support with the software manufacturer before creating the rule on the Zyxel router.
- My Address – Select the WAN interface you wish to use to establish the VPN connection under the "Interface" dropdown field or select "Domain Name/IPv4" to manually enter a domain name/DDNS name or IP address.
- Peer Gateway Address – Select the "Dynamic Address" radio button to allow VPN connections from any public IP. This is required to establish a VPN connection between the VPN software client and the router.
- Authentication – Select "Pre-Shared Key" and enter a password for the VPN tunnel. You can also use a certificate to establish the VPN connection; the VPN software client must support certificate-based authentication. If using a certificate to establish the connection, do not forget to export the cert from the Zyxel router and import it into the VPN software client.
- Phase 1 Setting – Choose the desired Negotiation Mode, Encryption, Authentication and Key Group algorithms you wish to use. Negotiation Mode options are Main and Aggressive; Encryption options are DES, 3DES, AES128, AES192, AES256; Authentication options are MD5, SHA1, SHA256, SHA512; Diffie-Hellman key group options are DH1, DH2, DH5.
- Click "OK" to save the settings.
Note: The caution symbol to the right will appear on areas where input is required or if there is a mistake with the entry, such as illegal/unsupported characters.
VPN Connection (Phase 2):
Click on the "VPN Connection" tab to create the Phase 2 portion of the VPN tunnel. Click the "Add" button to insert a new rule. On the top left of the window click the "Show Advanced Settings" button to view all available options in this menu.
- Check the box to enable the VPN rule
- Connection Name – Please provide a name for the rule
- Set the VPN Gateway application scenario to use "Remote Access (Server Role)"
- On the application scenario set the VPN Gateway dropdown to use the Phase 1 policy that was created on the previous step. (RoadWarrior for this example)
- Policy – Set the Local Policy to use the "LAN1_SUBNET" address object; this gives the VPN user access to all devices connected to LAN1.
- Phase 2 Setting – Choose the desired Encapsulation, Encryption and Authentication algorithms you wish to use. Encapsulation options are ESP and AH; Encryption options are DES, 3DES, AES128, AES192, AES256, NULL; Authentication options are MD5, SHA1, SHA256, SHA512.
- Perfect Forward Secrecy (PFS) – Adds an extra layer of key protection by running a separate Diffie-Hellman exchange for the Phase 2 keys. It is not necessary to enable it, but if you wish to use it the options are None, DH1, DH2 and/or DH5.
- Related Settings – make sure the Zone is set for "IPSec_VPN"
- Click "OK" to save the settings.
IPSecuritas VPN Client Setup
The IPSecuritas VPN Client is a free VPN application for Mac OS X computers. You can download a copy of the client from here. Because the client is not manufactured or engineered by Zyxel, we do not offer technical support for the client. Any issues related to the software need to be brought to the attention of Lobotomo Software.
To configure the VPN client based on the ZyWALL setup example above, open the program, which is located in your Mac's Applications folder. On the application's toolbar click on the "Connections" menu and select "Edit Connections". On the connection editor window click on the "+" sign to add a VPN policy.
On the client's "General" tab make the following changes to the setup:
- Remote IPSec Device – Type in the domain name/DDNS hostname or public IP address of the VPN router.
- Local Side – Leave this area blank (as is).
- Remote Side – Set the "Endpoint Mode" to Network and enter the Zyxel router's LAN1_SUBNET network address.
Click the "Phase 1" tab and make the following changes to the setup:
- Lifetime – Match this setting with the Zyxel router's SA Lifetime setup (86400 seconds by default).
- DH Group – Set this to 1024 (2), also known as DH2.
- Encryption – Set this to 3DES (based on Zyxel router VPN setup).
- Authentication – Set this to SHA-1 (based on Zyxel router VPN setup).
- Exchange Mode – Set this to Main (based on Zyxel router VPN setup).
- Proposal Check – Leave the option as it is (Obey by default)
- Nonce Size – Leave the option as it is (16 by default)
Click the "Phase 2" tab and make the following changes to the setup:
- Lifetime – Match this setting with the Zyxel router's SA Lifetime setup (86400 seconds by default).
- PFS Group – Set this to None (based on Zyxel router VPN setup).
- Encryption – Set this to 3DES (based on Zyxel router VPN setup).
- Authentication – Set this to SHA-1 (based on Zyxel router VPN setup).
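The Phase 1 and Phase 2 values above must match the gateway policy setting for setting, and the two products spell them differently (the ZyWALL says DH2 where IPSecuritas says "1024 (2)"; SHA1 versus SHA-1). The following Python script is an added example, not Zyxel or Lobotomo code: it folds both spellings onto one form, reports every setting on which the client proposal would not match the gateway, and flags the legacy algorithms among the options listed in this guide. The Phase dataclass, the check functions and the legacy-algorithm policy are this example's own assumptions; the sample values are the ones used in this walkthrough.

```python
"""Compare an IPSecuritas client profile with a ZyWALL VPN Gateway/Connection policy.

Added example (not Zyxel or Lobotomo code). The Phase layout, the check functions and
the legacy-algorithm policy are assumptions made for illustration; the sample values
are the ones used in the walkthrough above.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Algorithms from the option lists in this guide that are legacy today. Flagging them
# is this script's own policy (an assumption), not a ZyWALL or IPSecuritas setting.
LEGACY_ENCRYPTION = {"DES", "3DES", "NULL"}
LEGACY_AUTH = {"MD5", "SHA1"}
LEGACY_DH = {"DH1", "DH2"}

# IPSecuritas labels DH groups by modulus size ("1024 (2)"); the ZyWALL uses DH names.
DH_BY_BITS = {768: "DH1", 1024: "DH2", 1536: "DH5"}


@dataclass
class Phase:
    encryption: str             # DES, 3DES, AES128, AES192, AES256, NULL
    authentication: str         # MD5, SHA1, SHA256, SHA512
    dh_group: Optional[str]     # DH1/DH2/DH5; None means PFS off (Phase 2 only)
    lifetime: int               # SA lifetime in seconds
    mode: Optional[str] = None  # Phase 1 exchange mode: Main or Aggressive


def canon(value: Optional[str]) -> Optional[str]:
    """Fold both products' spellings onto one form: 'SHA-1' -> 'SHA1', '1024 (2)' -> 'DH2', 'None' -> None."""
    if value is None:
        return None
    v = value.strip().upper().replace("-", "")
    if v in ("", "NONE"):
        return None
    head = v.split(" ")[0]
    if head.isdigit():                      # IPSecuritas style "1024 (2)"
        return DH_BY_BITS.get(int(head), v)
    return v


def compare(gateway: Phase, client: Phase, label: str) -> List[str]:
    """One line per setting on which the client's proposal would not match the gateway's."""
    problems = []
    for name in ("encryption", "authentication", "dh_group", "mode"):
        g, c = canon(getattr(gateway, name)), canon(getattr(client, name))
        if g != c:
            problems.append(f"{label} {name}: gateway {g or 'none'} vs client {c or 'none'}")
    # The walkthrough says to match the SA lifetime, so a difference is reported too.
    if gateway.lifetime != client.lifetime:
        problems.append(f"{label} lifetime: gateway {gateway.lifetime}s vs client {client.lifetime}s")
    return problems


def legacy_settings(phase: Phase, label: str) -> List[str]:
    """Warn about legacy choices among the options this guide lists (policy is an assumption)."""
    warnings = []
    enc, auth, dh = canon(phase.encryption), canon(phase.authentication), canon(phase.dh_group)
    if enc in LEGACY_ENCRYPTION:
        warnings.append(f"{label}: {enc} encryption is legacy; prefer AES128 or stronger")
    if auth in LEGACY_AUTH:
        warnings.append(f"{label}: {auth} authentication is legacy; prefer SHA256 or stronger")
    if dh in LEGACY_DH:
        warnings.append(f"{label}: {dh} is a short Diffie-Hellman group; prefer DH5")
    if canon(phase.mode) == "AGGRESSIVE":
        warnings.append(f"{label}: Aggressive mode sends the identity and PSK hash unprotected; prefer Main mode")
    return warnings


def check_profile(gw_p1: Phase, gw_p2: Phase, cl_p1: Phase, cl_p2: Phase) -> Dict[str, List[str]]:
    """Full report: proposal mismatches (tunnel will not come up) and legacy-algorithm warnings."""
    return {
        "mismatches": compare(gw_p1, cl_p1, "Phase 1") + compare(gw_p2, cl_p2, "Phase 2"),
        "warnings": legacy_settings(gw_p1, "Phase 1") + legacy_settings(gw_p2, "Phase 2"),
    }


# Sample values taken from this walkthrough: ZyWALL policy first, IPSecuritas profile second.
GATEWAY_P1 = Phase("3DES", "SHA1", "DH2", 86400, mode="Main")
GATEWAY_P2 = Phase("3DES", "SHA1", None, 86400)
CLIENT_P1 = Phase("3DES", "SHA-1", "1024 (2)", 86400, mode="Main")
CLIENT_P2 = Phase("3DES", "SHA-1", "None", 86400)

if __name__ == "__main__":
    report = check_profile(GATEWAY_P1, GATEWAY_P2, CLIENT_P1, CLIENT_P2)
    for line in report["mismatches"] or ["no mismatches: client proposals match the gateway"]:
        print(line)
    for line in report["warnings"]:
        print("warning:", line)
```

Run it as a script to print the report, or replace the GATEWAY_* and CLIENT_* values with your own. Any mismatch on a Phase 1 line means IKE never reaches Phase 2, which is the usual reason a client logs that no proposal was chosen; the warnings do not stop the tunnel but show where the example's 3DES/SHA1/DH2 choices could be raised to AES, SHA256 and DH5 on both sides.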
Click the "ID" tab and make the following changes to the setup:
- Local Identifier – Leave the option as is (Address by default).
- Remote Identifier – Leave the option as is (Address by default).
- Authentication Method – Set this option to use "Preshared Key".
- Preshared Key – Type in the same key used under the Zyxel router's Pre-Shared Key field.
Click the "DNS" tab and make the following changes to the setup:
- No changes need to be made here. DNS server entries should only be added if web traffic will flow through the VPN tunnel as well. If the VPN is only used to access network resources on the other end, DNS is not needed.
Click the "Options" tab and make the following changes to the setup:
- IPSec DOI – This option should be checked.
- SIT_IDENTITY_ONLY – This option should be checked.
- Verify Identifier – This option should be unchecked.
- Initial Contact – This option should be checked.
- Disable collision check – This option should be checked.
- Support Proxy – This option should be unchecked.
- Request Certificate – This option should be unchecked.
- Verify Certificate – This option should be unchecked; we are using Pre-Shared Keys instead of certificate authentication.
- Send Certificate – This option should be unchecked.
- Unique SAs – This option should be checked.
- IKE Fragmentation – This option should be unchecked.
- NAT-T – Leave this option disabled. NAT-T should only be used if the VPN router is behind a NAT with no VPN passthrough support.
- Enable Connection Check – This option allows the client to send an ICMP/PING packet to test the connection. If the option is enabled, a reliable host should be used for the ICMP/PING test; otherwise the connection may be unstable.
Now that the VPN policy has been created in the IPSecuritas software, you can dial the VPN connection by selecting the rule you wish to connect and pressing the "Start" button. This will begin the VPN connection process.
Once the tunnel is established open a terminal window and attempt to ping a device across the VPN tunnel to verify traffic is passing through.
Note: Make sure the device you are pinging is set to respond to ICMP/PING requests.