Connect USG40W to a VPN service?

JJP
JJP Posts: 3
edited April 2021 in Security
Dear reader,
About setting up a USG40W to connect to an external VPN service (like NordVPN, ExpressVPN, Avira, etc.).
Q1: Can this be done?
Q2: How can this be done? Any link to a tutorial, description would be nice.
Thanks for the effort.


All Replies

  • JJP
    JJP Posts: 3
    Thank you for the response. This leads to 1 additional question: NordVPN informs me that things might work, under the condition stated: "In order to setup VPN client connection on your router, it [USG40W] has to support at least one of these connection types: PPTP, L2TP or OpenVPN. Furthermore, it [USG40W] has to support it as a "Client" (as opposed to a "Server") to allow you to connect it to NordVPN servers."
    I know USG40W supports PPTP and L2TP; that leaves the question: can USG40W be set up as a client?
  • MAD
    MAD Posts: 8

    Hi, I have the same question. I have a USG 60W and am thinking of a NordVPN account.

    Is this possible? Anyone done this with success?

  • JJP
    JJP Posts: 3

    Been quite busy, not attempted to configure this yet. Still on the agenda to try.

    It is like this: “Life is what happens to you, while you're busy making other plans.” (John Lennon)

  • MAD
    MAD Posts: 8

    NordVPN does not run PPTP / L2TP anymore, as they tell me it's out of date and not secure. But they provide IPsec / IKEv2. But I need to have a root certificate on the router. I've tried to figure out how to get the certificate to the router, and tried to configure the client on my USG60, but with no success. The user name and password use the MSCHAPv2 algorithm. Is this one not supported on USG, and can I upload a certificate and add it to my cert list?

  • MAD
    MAD Posts: 8

    Well, a bit closer. Under IPsec VPN I can add a connection and enable Extended Authentication Protocol; there, under the client part, I think I have MSCHAPv2, but when I enter my user information (email address) it won't accept the @. And I still don't know where to put my cert; anyone who knows? I'm trying to learn this the hard way. I tried to import it to TRUSTED certs, but from there I can't access it from the dialog when setting up the VPN, and when I'm trying to import it to MY certs I get an error: errno: -17010 errmsg: PKI certificate request does not exist. What am I doing wrong?

  • warwickt
    warwickt Posts: 111 Ally Member

    Hi MAD, I'd like to know this myself.

    I'm having a ghastly time trying to get a certificate-based "machine authentication" or "L2TP certificate" based authentication working for USG appliances with Apple's macOS 10.12+/13/14/15 and iOS 13.

    The cause of the error is highly likely to be the implementation of the Certificate(s) used or generating from the CA.

    • tried using Certificates generated in the USG, and also
    • generating from OpenSSL, and lastly
    • even Let's Encrypt.

    Be it known that IKEv1 Phase 1/Phase 2 works 100% reliably using a PRE-SHARED key - something we don't want to use for mass use for a client.

    I'm especially interested in IKEv2; however, regardless of IKEv2 or IKEv1, I have these consistent errors:

    Peer IP address mismatch

    IKEv1 Error : No proposal chosen

    In this example, IKEv1 using macOS L2TP Machine Authentication (and user / password):

    Mar 13 21:00:57 myrouter src="218.XXX.XXX.60: 500" dst="XXX.XXX.108.99:500" msg="Send:[NOTIFY:NO_PROPOSAL_CHOSEN]" note="IKE_LOG" user="unknown" devID="1c740dfec31c" cat="IKE"
    Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="IKEv1 SA [Responder] negotiation failed:" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
    Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Local IKE peer 218.XXX.XXX.60:500 ID (null)" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
    Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Remote IKE peer XXX.XXX.108.99:500 ID (null)" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
    Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Message: No proposal chosen (14)" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
    Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Reason:" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
    Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="  Peer IP address mismatch" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
    Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" IKEv1 Error : No proposal chosen" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
    Mar 13 21:01:02 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="Starting DNS query" note="IKE_LOG" user="unknown" devID="1c74ffffff31c" cat="IKE"
    

    Like many, we've followed the Zyxel documentation to the letter, as well as others, but cannot progress any further than the above when trying to deploy certificates for machine or user authentication.

    The failure is clearly in the tunnel setup and not the user authentication.

    Any clues from Zyxel or others would be most helpful.

    Warwick

    Hong Kong
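The IKE_LOG excerpt above is the kind of output a practitioner ends up reading line by line during this sort of troubleshooting. The following script is an added example, not code from the thread or from Zyxel: it parses log lines of the shape shown above (the `key="value"` fields src, dst, msg, note, user, devID, cat), groups the indented continuation lines of a "negotiation failed" block into one record, and pulls out the peers, the NOTIFY that was sent, the message and the reason(s). The sample lines are constructed with RFC 5737 documentation addresses and a placeholder devID; the `before_user_auth` triage helper encodes the general point that a failure reported while the IKE SA itself is being negotiated happens before any XAuth/EAP user credentials are exchanged.

```python
"""Summarise failed IKE negotiations from Zyxel-style IKE_LOG syslog lines.

Added example for this thread (not Zyxel code). Field names and message
texts follow the excerpt posted above; the sample below is constructed
with RFC 5737 documentation addresses and a placeholder devID.
"""
import re

# Constructed sample: one failed IKEv1 responder negotiation, same shape as the excerpt.
SAMPLE_LOG = """\
Mar 13 21:00:57 myrouter src="198.51.100.60: 500" dst="203.0.113.99:500" msg="Send:[NOTIFY:NO_PROPOSAL_CHOSEN]" note="IKE_LOG" user="unknown" devID="PLACEHOLDER_DEVID" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="IKEv1 SA [Responder] negotiation failed:" note="IKE_LOG" user="unknown" devID="PLACEHOLDER_DEVID" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Local IKE peer 198.51.100.60:500 ID (null)" note="IKE_LOG" user="unknown" devID="PLACEHOLDER_DEVID" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Remote IKE peer 203.0.113.99:500 ID (null)" note="IKE_LOG" user="unknown" devID="PLACEHOLDER_DEVID" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Message: No proposal chosen (14)" note="IKE_LOG" user="unknown" devID="PLACEHOLDER_DEVID" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" Reason:" note="IKE_LOG" user="unknown" devID="PLACEHOLDER_DEVID" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="  Peer IP address mismatch" note="IKE_LOG" user="unknown" devID="PLACEHOLDER_DEVID" cat="IKE"
Mar 13 21:00:57 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg=" IKEv1 Error : No proposal chosen" note="IKE_LOG" user="unknown" devID="PLACEHOLDER_DEVID" cat="IKE"
Mar 13 21:01:02 myrouter src="0.0.0.0: 0" dst="0.0.0.0:0" msg="Starting DNS query" note="IKE_LOG" user="unknown" devID="PLACEHOLDER_DEVID" cat="IKE"
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')          # key="value", value may contain spaces
NOTIFY_RE = re.compile(r'Send:\[NOTIFY:(\w+)\]')
SA_RE = re.compile(r'(IKEv[12]) SA \[(\w+)\] negotiation failed')
PEER_RE = re.compile(r'(Local|Remote) IKE peer (\S+) ID (.*)')
MESSAGE_RE = re.compile(r'Message: (.*)')
ERROR_RE = re.compile(r'IKEv[12] Error : (.*)')


def parse_line(line):
    """Split one syslog line into timestamp, host and its key="value" fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {'ts': m.group('ts'), 'host': m.group('host'), **dict(FIELD_RE.findall(m.group('rest')))}


def parse_log(text):
    """Return the IKE_LOG records of a log text, in order, skipping unparsable lines."""
    recs = (parse_line(l) for l in text.splitlines())
    return [r for r in recs if r and r.get('note') == 'IKE_LOG']


def summarize_failures(records):
    """Fold each 'negotiation failed:' block (its msg continuation lines start with
    a space) into one dict: peers, the NOTIFY sent just before, message, reasons, error."""
    failures, current, last_notify, in_reason = [], None, None, False
    for rec in records:
        msg = rec.get('msg', '')
        text = msg.strip()
        n = NOTIFY_RE.search(text)
        if n:
            last_notify = n.group(1)          # remember the NOTIFY the box sent out
            continue
        sa = SA_RE.search(text)
        if sa:
            current = {'ts': rec['ts'], 'host': rec['host'], 'version': sa.group(1),
                       'role': sa.group(2), 'notify_sent': last_notify,
                       'message': None, 'reasons': [], 'error': None}
            in_reason = False
            continue
        if current is None:
            continue
        if not msg.startswith(' '):           # non-indented msg closes the block
            failures.append(current)
            current, last_notify = None, None
            continue
        p = PEER_RE.search(text)
        if p:
            side = p.group(1).lower()
            current[side + '_peer'], current[side + '_id'] = p.group(2), p.group(3)
            continue
        m = MESSAGE_RE.match(text)
        if m:
            current['message'] = m.group(1)
            continue
        e = ERROR_RE.match(text)
        if e:
            current['error'] = e.group(1)
            continue
        if text == 'Reason:':
            in_reason = True
            continue
        if in_reason:
            current['reasons'].append(text)
    if current:
        failures.append(current)
    return failures


def before_user_auth(failure):
    """True when the failure occurred while the IKE SA itself was being negotiated
    (NO_PROPOSAL_CHOSEN / 'No proposal chosen'), i.e. before XAuth/EAP credentials."""
    err = (failure.get('error') or '').lower()
    return failure.get('notify_sent') == 'NO_PROPOSAL_CHOSEN' or 'no proposal chosen' in err


if __name__ == '__main__':
    for f in summarize_failures(parse_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['host']}: {f['version']} {f['role']} failed, sent {f['notify_sent']}")
        print(f"  local {f.get('local_peer')} id {f.get('local_id')} / remote {f.get('remote_peer')} id {f.get('remote_id')}")
        print(f"  message: {f['message']}; reasons: {f['reasons']}; tunnel-setup stage: {before_user_auth(f)}")
```

Feed the script your own exported IKE_LOG lines instead of `SAMPLE_LOG` to get one record per failed negotiation rather than nine raw lines; the `local_id` / `remote_id` values of `(null)` and the reason list are the first things to compare against the gateway's configured peer address and ID settings.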
