Setup IPsec

These settings have been tested and found to work with some clients, but other similar settings may function as well. Feel free to try other encryption algorithms, hashes, etc.

Mobile Clients Tab

  • Navigate to VPN > IPsec, Mobile Clients tab in the AZTCO-FW WebGUI
  • Check Enable IPsec Mobile Client Support
  • Set User Authentication to Local Database (Not used, but the option must have something selected)
  • Uncheck Provide a virtual IP address to clients
  • Uncheck Provide a list of accessible networks to clients
  • Click Save

Phase 1

  • Click the Create Phase1 button at the top if it appears, or edit the existing Mobile IPsec Phase 1
    • If there is no Phase 1, and the Create Phase1 button does not appear, navigate back to the Mobile Clients tab and click it there.
  • Set Key Exchange version to v1
  • Enter an appropriate Description
  • Set Authentication method to Mutual PSK
  • Set Negotiation Mode to Main
  • Set My Identifier to My IP address
  • Set Encryption algorithm to AES 256
  • Set Hash algorithm to SHA1
  • Set DH key group to 14 (2048 bit)

Note: iOS and other platforms may work with a DH key group of 2 instead.

  • Set Lifetime to 28800
  • Uncheck Disable Rekey
  • Set NAT Traversal to Auto
  • Check Enable DPD, set for 10 seconds and 5 retries
  • Click Save

Phase 2

  • Click Show Phase 2 Entries to show the Mobile IPsec Phase 2 list
  • Click +Add P2 to add a new Phase 2 entry if one does not exist, or click the edit icon next to an existing entry to edit it
  • Set Mode to Transport
  • Enter an appropriate Description
  • Set Protocol to ESP
  • Set Encryption algorithms to ONLY AES 128
  • Set Hash algorithms to ONLY SHA1
  • Set PFS Key Group to off
  • Set Lifetime to 3600
  • Click Save

Pre-Shared Key

The Pre-Shared Key for the connection, which is common for all clients, must be configured in a special way.

  • Navigate to VPN > IPsec, Pre-Shared Keys tab on AZTCO-FW
  • Click Add to add a new PSK
  • Set the Identifier to allusers

Note: The allusers name is a special keyword used by AZTCO-FW to configure a wildcard PSK, which is necessary for L2TP/IPsec to function. Do not use any other Identifier for this PSK!

  • Set Secret Type to PSK
  • Enter a Pre-Shared Key. A value such as aaabbbccc shows the format only; the key shared by every client should be much longer and randomly generated.
  • Click Save
  • Click Apply Changes
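
As an added example, not part of this guide or of AZTCO-FW, the Python below encodes the Phase 1, Phase 2 and Pre-Shared Key choices from the steps above as a profile and lists the points a reviewer would raise before rolling the configuration out: SHA1 in both phases, PFS off, the DH group 2 fallback from the iOS note, and a short PSK. The IpsecProfile field names, the rating thresholds, the HARDENED_SETTINGS variant and its sample PSK are assumptions of this example rather than WebGUI or vendor values; it runs offline.

```python
"""Audit the Phase 1 / Phase 2 / PSK choices from an L2TP/IPsec mobile setup.

Added example, not AZTCO-FW code. Field names mirror the WebGUI options in
the guide; PAGE_SETTINGS holds the values the guide recommends and the
rating thresholds are this example's own reading of common guidance.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, replace

# IANA MODP group number -> modulus size in bits
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
BROKEN_HASHES = {"md5"}
LEGACY_HASHES = {"sha1"}
WEAK_CIPHERS = {"des", "3des", "blowfish", "cast128"}


@dataclass(frozen=True)
class IpsecProfile:
    ike_version: int                # Key Exchange version: 1 or 2
    negotiation_mode: str           # "main" or "aggressive" (IKEv1 only)
    p1_encryption: str              # Phase 1 Encryption algorithm, e.g. "aes256"
    p1_hash: str                    # Phase 1 Hash algorithm, e.g. "sha1"
    dh_group: int                   # DH key group number
    p1_lifetime: int                # Phase 1 Lifetime in seconds
    p2_encryption: tuple[str, ...]  # Phase 2 Encryption algorithms
    p2_hash: tuple[str, ...]        # Phase 2 Hash algorithms
    pfs_group: int | None           # PFS Key Group, None when off
    p2_lifetime: int                # Phase 2 Lifetime in seconds
    dpd_interval: int | None        # DPD delay in seconds, None when disabled
    dpd_retries: int
    psk: str


def audit(p: IpsecProfile) -> list[str]:
    """Return one finding per weak or risky choice; an empty list is clean."""
    findings: list[str] = []
    if p.ike_version == 1 and p.negotiation_mode.lower() == "aggressive":
        findings.append("IKEv1 aggressive mode exposes a PSK-derived hash to offline guessing; use main mode")
    hashes = [("Phase 1", p.p1_hash)] + [("Phase 2", h) for h in p.p2_hash]
    for label, h in hashes:
        if h.lower() in BROKEN_HASHES:
            findings.append(f"{label}: {h} is broken for integrity; use SHA-256 or stronger")
        elif h.lower() in LEGACY_HASHES:
            findings.append(f"{label}: {h} is legacy; prefer SHA-256 where clients support it")
    ciphers = [("Phase 1", p.p1_encryption)] + [("Phase 2", c) for c in p.p2_encryption]
    for label, c in ciphers:
        if c.lower() in WEAK_CIPHERS:
            findings.append(f"{label}: {c} is a weak cipher; use AES")
    if DH_GROUP_BITS.get(p.dh_group, 0) < 2048:
        findings.append(f"DH group {p.dh_group} is below 2048 bits; use group 14 or higher")
    if p.pfs_group is None:
        findings.append("PFS off: Phase 2 keys derive from the Phase 1 secret alone")
    if p.p1_lifetime > 86400 or p.p2_lifetime > p.p1_lifetime:
        findings.append("Lifetimes: keep Phase 1 at one day or less and Phase 2 shorter than Phase 1")
    if p.dpd_interval is None or p.dpd_retries < 1:
        findings.append("DPD disabled: dead peers are not detected until the SA expires")
    if len(p.psk) < 20 or len(set(p.psk)) < len(p.psk) // 2:
        findings.append("PSK is short or repetitive; replace it with make_psk() output")
    return findings


def make_psk(nbytes: int = 32) -> str:
    """Random PSK: 32 bytes of entropy as 43 URL-safe base64 characters."""
    return secrets.token_urlsafe(nbytes)


# The settings this guide walks through, with its placeholder PSK.
PAGE_SETTINGS = IpsecProfile(
    ike_version=1, negotiation_mode="Main", p1_encryption="aes256",
    p1_hash="sha1", dh_group=14, p1_lifetime=28800,
    p2_encryption=("aes128",), p2_hash=("sha1",), pfs_group=None,
    p2_lifetime=3600, dpd_interval=10, dpd_retries=5, psk="aaabbbccc",
)
# The variant from the note under Phase 1 (DH group 2 for iOS and others).
IOS_SETTINGS = replace(PAGE_SETTINGS, dh_group=2)
# A hypothetical hardened variant (constructed sample PSK, not a real secret).
HARDENED_SETTINGS = replace(
    PAGE_SETTINGS, p1_hash="sha256", p2_hash=("sha256",), pfs_group=14,
    psk="Tq9!vLm2#Xz8$Wp4&Rn7^Kd3",
)

if __name__ == "__main__":
    for name, prof in [("guide", PAGE_SETTINGS), ("iOS", IOS_SETTINGS), ("hardened", HARDENED_SETTINGS)]:
        print(f"{name}: {len(audit(prof))} finding(s)")
        for f in audit(prof):
            print("  -", f)
    print("suggested PSK:", make_psk())
```

Whether any of the flagged items can actually be changed depends on the client population; the guide's own note on DH group 2 is the reason the audit treats the DH choice as a per-client decision rather than a fixed rule.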