IPSec and SSL VPN Client

SecuExtender VPN Client

SecuExtender Zero Trust IPSec/SSL VPN Client Subscription
Service Category Part Number Description
Connectivity SECUEXTENDER-ZZ1Y01F SecuExtender; Zero Trust IPSec/SSL VPN Client Subscription for Windows/macOS, 1-user; 1YR
Connectivity SECUEXTENDER-ZZ3Y01F SecuExtender; Zero Trust IPSec/SSL VPN Client Subscription for Windows/macOS, 1-user; 3YR
Connectivity SECUEXTENDER-ZZ5Y01F SecuExtender; Zero Trust IPSec/SSL VPN Client Subscription for Windows/macOS, 1-user; 5YR
Connectivity SECUEXTENDER-ZZ1Y05F SecuExtender; Zero Trust IPSec/SSL VPN Client Subscription for Windows/macOS, 5-user; 1YR
Connectivity SECUEXTENDER-ZZ3Y05F SecuExtender; Zero Trust IPSec/SSL VPN Client Subscription for Windows/macOS, 5-user; 3YR
Connectivity SECUEXTENDER-ZZ1Y10F SecuExtender; Zero Trust IPSec/SSL VPN Client Subscription for Windows/macOS, 10-user; 1YR
Connectivity SECUEXTENDER-ZZ3Y10F SecuExtender; Zero Trust IPSec/SSL VPN Client Subscription for Windows/macOS, 10-user; 3YR
Connectivity SECUEXTENDER-ZZ1Y50F SecuExtender; Zero Trust IPSec/SSL VPN Client Subscription for Windows/macOS, 50-user; 1YR
Connectivity SECUEXTENDER-ZZ3Y50F SecuExtender; Zero Trust IPSec/SSL VPN Client Subscription for Windows/macOS, 50-user; 3YR
  • Windows 10, Windows 11 (64-bit)
  • macOS 10.15 or above
  • 1 GHz x86-64 processor
  • RAM: 2 GB
  • 40 MB available disk space

Hash Algorithms

  • SHA2-HMAC 256-bit authentication
  • SHA2-HMAC 384-bit authentication
  • SHA2-HMAC 512-bit authentication

Encryption

  • AES 128, 192, 256-bit encryption
  • AES GCM 128, 192, 256-bit encryption
  • AES CTR 128, 192, 256-bit encryption

Diffie Hellman Group Support

  • Group 14: MODP 2048
  • Group 15: MODP 3072
  • Group 16: MODP 4096
  • Group 17: MODP 6144
  • Group 18: MODP 8192
  • Group 19: ECP 256 (IKEv2 only)
  • Group 20: ECP 384 (IKEv2 only)
  • Group 21: ECP 512 (IKEv2 only)

Diffie-Hellman Key Group Support

  • DH 28 (BrainpoolP256r1) [RFC 5639]

Authentication Mechanism

  • PSK (Pre-shared Key)
  • EAP (Login/Password)
  • PKCS #11 Certificate
  • Certificate authentication methods:
    • Method 1: RSA Digital Signature with SHA-2 [RFC 7296]
    • Method 9: ECDSA “secp256r1” with SHA-2 (256 bits) on the P 256 curve [RFC 4754]
    • Method 10: ECDSA “secp384r1” with SHA-2 (384 bits) on the P 384 curve [RFC 4754]
    • Method 11: ECDSA “secp521r1” with SHA-2 (512 bits) on the P 521 curve [RFC 4754]
    • Method 14: Digital Signature RSASSA-PSS and RSASSA PKCS1 v1_5 with SHA-2 (256/384/512 bits) [RFC 7427]

X.509 Certificate Management

  • DER/PEM
  • PFX/P12

IKEv1

  • End of support for the vulnerable IPSec/IKEv1protocol, which has been deprecated by the IETF in September 2019
  • End of support for vulnerable algorithms DES, 3DES, SHA-1, DH 1, DH 2, DH 5 in IPSec/IKEv2 (even in “auto” mode)

IKEv2 Support

  • Mode CP
  • IP fragmentation
  • NAT-Traversal
  • Childless IKE (RFC 6023)
  • Extended Sequence Number (ESC) (RFC 4304)

Endpoint Visibility

  • Collecting endpoint information for admission control
    • MAC address
    • Inner IPv4 address
    • Hostname
    • Unique ID
    • Zyxel client version
    • OS type
    • OS version
    • System manufacturer
    • System model

Networking

  • NAT traversal (Draft 1, 2 & 3)
  • Dead Peer Detection (DPD)
  • Redundant gateway

Connection Technologies

  • Dial-up modem
  • GPRS
  • Ethernet
  • WiFi

SSL VPN*1*2

  • TLS Requirements
    • TLS 1.2 Medium
    • TLS 1.2 High
    • TLS 1.3
  • Hash Algorithms
    • SHA2-HMAC 224-bit authentication
    • SHA2-HMAC 256-bit authentication
    • SHA2-HMAC 384-bit authentication
    • SHA2-HMAC 512-bit authentication
  • Encryption
    • AES CBC 128-bit encryption
    • AES CBC 192-bit encryption
    • AES CBC 256-bit encryption
  • Authentication Mechanism
    • PSK (Pre shared key)
    • EAP (Login/Password)
    • PKI (X.509) Certificate
    • Multiple Authentication
  • End of Support for Vulnerable Algorithms/Protocols
    • MD5
    • SHA-1
    • BF-CBC
    • TLS 1.1
    • LOW security suite for TLS V1.2
  • Compression Is No Longer Enabled by Default

* All specifications are subject to change without notice.

  1. *1: Select SSL VPN to connect to a USG FLEX H series firewall.
  2. *2: When connecting the SecuExtender IPSec/SSL VPN Client to a USG FLEX or ATP firewall, you can only use IPSec/IKEv2, because SSL VPN is not supported.