Using IKEv1 with Zyxel USG Flex Firewalls
While IKEv1 VPN support is still available on older Zyxel firewall models, it's recommended that for new connections, users opt for the more modern IKEv2 protocol for better performance and security.
Your next steps:
- Check you have the latest firmware version installed for your Zyxel firewall
- Use our IKEv2 configuration guide for Zyxel to set up secure remote access to your device
Need to use IKEv1? Refer to our legacy guide below for further instructions.
About Zyxel USG Flex Firewalls
Zyxel USG Flex series are sophisticated firewall solutions, offering models for small business and home office users, all the way up to larger enterprises. With support for both IKEv1 and IKEv2 VPN, as well as SSL VPN, users can easily set up secure remote access to their home or company network.
On this page, we take you through all you need to know about setting up an IPsec IKEv1 VPN tunnel on your Zyxel USG Flex firewall and how to get connected on Mac, iPhone or iPad.
Step One: Add VPN users to your Zyxel USG Flex firewall
To get started, add new user profiles for the team members who will need access to the new IKEv1 VPN tunnel.
Go to Object > User/Group and switch to the User tab. Then, click the Add button:
- User Name: Enter a username for the new user.
- User Type: Choose user from the pop-up
- Password: Enter a secure password for this new user
Important: Make sure to make a note of the username and password, as you will need this later to connect to the VPN.
To add more users, simply repeat this step. If you are adding a large number of users, you might prefer to connect the device to an existing LDAP or RADIUS authentication server later (remember to select the appropriate user type for the external authentication server in the User Type pop-up). However, we recommend using a local user for initial setup and testing.
- Next switch to the Group tab and click Add
- Here, you can set up a User Group containing all the Users who need access to the VPN. Give your group a Name and select the available users from the list

Step Two: Create an Authentication Method
Now you need to set up an authentication method for your new VPN. This ensures that access stays restricted.
- Go to Object > Auth. Method and click the Add button
- Name: Enter a name for the new authentication method (e.g. VPN-Access)
- Click the Add button and choose local from the pop-up


- Give the address range a Name, then enter the Starting IP and End IP of the intended address range (usually this should be a separate IP range outside the LAN network, in order to avoid network conflicts)
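
Before entering the Starting IP and End IP, you can check the planned range against the networks already in use on the firewall. The script below is an added example, not part of the original guide or of Zyxel's tooling; the function name and all addresses in it are constructed for illustration.

```python
import ipaddress


def check_vpn_pool(start_ip, end_ip, local_networks):
    """Return a list of problems with a planned VPN address pool.

    start_ip / end_ip: the Starting IP and End IP of the address range.
    local_networks: CIDR strings for networks already in use behind the
    firewall (LAN, DMZ, ...). Interface-style values such as
    "192.168.1.1/24" are accepted. An empty result means no conflict.
    """
    start = ipaddress.ip_address(start_ip)
    end = ipaddress.ip_address(end_ip)
    if start.version != end.version:
        return ["Starting IP and End IP must be the same IP version"]
    if start > end:
        return ["Starting IP is higher than End IP"]

    # A start/end range is not a subnet, so break it into CIDR blocks
    # that can be compared against each local network.
    blocks = list(ipaddress.summarize_address_range(start, end))

    problems = []
    for cidr in local_networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if any(block.overlaps(net) for block in blocks):
            problems.append(f"pool overlaps local network {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample values: a LAN and two candidate pools.
    lan = ["192.168.1.1/24"]
    for first, last in [("192.168.1.200", "192.168.1.220"),
                        ("10.10.50.1", "10.10.50.50")]:
        issues = check_vpn_pool(first, last, lan)
        print(first, "-", last, ":", issues or "no conflict")
```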


- Choose Express as the wizard type

- Next, select IKEv1
- Then, enter a Rule Name and choose Remote Access (Server Role)

- Express settings: Select wan from the dropdown menu
- Under Configuration, enter a PSK (pre-shared key) and for Local Policy, choose the address object corresponding to the network(s) VPN clients are permitted to access. In most cases, this would be the Zyxel device's LAN network

- Click Next to receive a final overview of your VPN settings, then hit Save to set up the VPN

Step Five: Additional Config & User Access
The next steps are needed to ensure your VPN is set up correctly for the intended users - i.e. the users you added in Step One - when using the VPN client.
- To find your new connection, go to VPN > IPsec VPN and locate your connection in the list. Then click Edit

- Under Mode Config, check the box to Enable Mode Config. Then, select the IP Address Pool from Step Three in the dropdown. These are the addresses which will be assigned to VPN users

- Under Phase 2, click to show the Advanced Settings for your VPN. Here you can add encryption settings. For VPN Tracker, we use the following encryption settings as shown in the screenshot.
P.S. If you wish, it is possible to use different settings. Please note that any changes you make here must be matched in VPN Tracker (Advanced > Phase 1). We recommend using the settings shown here for initial setup and testing.

- Next, check the box to Enable Extended Authentication (XAUTH). Then, select the Authentication Method (AAA) and User Group you configured in steps one and two of this guide
- Finally, uncheck the box Enable Two-Factor Authentication and click OK to save your changes

Connect to Zyxel USG Flex IKEv1 VPN on Mac, iPhone and iPad
In order to connect to your new Zyxel IKEv1 VPN tunnel, you will need a VPN client. VPN Tracker is the leading VPN client for macOS and iOS, so you can get secure remote access on all your devices.
VPN Tracker enables you to get connected to your Zyxel VPN in seconds. Click to open the connection creator and enter the following information in the fields provided:
- Your Zyxel gateway's IP address
- Remote network range (IP address range you set up in step three)
- Pre-shared key
- VPN username and password
Ready? Save your connection in TeamCloud for direct access on Mac, iPhone and iPad in VPN Tracker!
