IPSec and SSL VPN Client
SecuExtender VPN Client
SecuExtender Zero Trust IPSec/SSL VPN Client Subscription
| Service Category | Part Number | Description | 
|---|---|---|
| Connectivity | SECUEXTENDER-ZZ3Y01F | SecuExtender; Zero Trust IPSec/SSL VPN Client Subscription for Windows/macOS, 1-user; 3YR | 
| Connectivity | SECUEXTENDER-ZZ5Y01F | SecuExtender; Zero Trust IPSec/SSL VPN Client Subscription for Windows/macOS, 1-user; 5YR | 
| Connectivity | SECUEXTENDER-ZZ3Y05F | SecuExtender; Zero Trust IPSec/SSL VPN Client Subscription for Windows/macOS, 5-user; 3YR | 
| Connectivity | SECUEXTENDER-ZZ3Y10F | SecuExtender; Zero Trust IPSec/SSL VPN Client Subscription for Windows/macOS, 10-user; 3YR | 
| Connectivity | SECUEXTENDER-ZZ3Y50F | SecuExtender; Zero Trust IPSec/SSL VPN Client Subscription for Windows/macOS, 50-user; 3YR | 
- Windows 10, Windows 11 (64-bit)
- macOS 10.15 or above
- 1 GHz x86-64 processor
- RAM: 2 GB
- 40 MB available disk space
Hash Algorithms
- SHA2-HMAC 256-bit authentication
- SHA2-HMAC 384-bit authentication
- SHA2-HMAC 512-bit authentication
Encryption
- AES 128, 192, 256-bit encryption
- AES GCM 128, 192, 256-bit encryption
- AES CTR 128, 192, 256-bit encryption
Diffie-Hellman Group Support
- Group 14: MODP 2048
- Group 15: MODP 3072
- Group 16: MODP 4096
- Group 17: MODP 6144
- Group 18: MODP 8192
- Group 19: ECP 256 (IKEv2 only)
- Group 20: ECP 384 (IKEv2 only)
- Group 21: ECP 512 (IKEv2 only)
Diffie-Hellman Key Group Support
- DH 28 (BrainpoolP256r1) [RFC 5639]
Authentication Mechanism
- PSK (Pre-shared Key)
- EAP (Login/Password)
- PKCS #11 Certificate
- Certificate authentication methods:
	- Method 1: RSA Digital Signature with SHA-2 [RFC 7296]
	- Method 9: ECDSA “secp256r1” with SHA-2 (256 bits) on the P-256 curve [RFC 4754]
	- Method 10: ECDSA “secp384r1” with SHA-2 (384 bits) on the P-384 curve [RFC 4754]
	- Method 11: ECDSA “secp521r1” with SHA-2 (512 bits) on the P-521 curve [RFC 4754]
	- Method 14: Digital Signature RSASSA-PSS and RSASSA PKCS1 v1_5 with SHA-2 (256/384/512 bits) [RFC 7427]
X.509 Certificate Management
- DER/PEM
- PFX/P12
IKEv1
- End of support for the vulnerable IPSec/IKEv1 protocol, which was deprecated by the IETF in September 2019
- End of support for the vulnerable algorithms DES, 3DES, SHA-1, DH 1, DH 2 and DH 5 in IPSec/IKEv2 (even in “auto” mode)
IKEv2 Support
- Mode CP
- IP fragmentation
- NAT-Traversal
- Childless IKE (RFC 6023)
- Extended Sequence Number (ESN) (RFC 4304)
Endpoint Visibility
- Collecting endpoint information for admission control
	- MAC address
	- Inner IPv4 address
	- Hostname
	- Unique ID
	- Zyxel client version
	- OS type
	- OS version
	- System manufacturer
	- System model
Networking
- NAT traversal (Draft 1, 2 & 3)
- Dead Peer Detection (DPD)
- Redundant gateway
Connection Technologies
- Dial-up modem
- GPRS
- Ethernet
- WiFi
SSL VPN*1*2
- TLS Requirements
	- TLS 1.2 Medium
	- TLS 1.2 High
	- TLS 1.3
- Hash Algorithms
	- SHA2-HMAC 224-bit authentication
	- SHA2-HMAC 256-bit authentication
	- SHA2-HMAC 384-bit authentication
	- SHA2-HMAC 512-bit authentication
- Encryption
	- AES CBC 128-bit encryption
	- AES CBC 192-bit encryption
	- AES CBC 256-bit encryption
- Authentication Mechanism
	- PSK (Pre-shared key)
	- EAP (Login/Password)
	- PKI (X.509) Certificate
	- Multiple Authentication
- End of Support for Vulnerable Algorithms/Protocols
	- MD5
	- SHA-1
	- BF-CBC
	- TLS 1.1
	- LOW security suite for TLS V1.2
- Compression Is No Longer Enabled by Default
* All specifications are subject to change without notice.
- *1: Select SSL VPN to connect to a USG FLEX H series firewall.
- *2: When connecting the SecuExtender IPSec/SSL VPN Client to a USG FLEX or ATP firewall, you can only use IPSec/IKEv2, because SSL VPN is not supported.
