Jump to:navigation, search
Wiki

IPSec with EAP-MSCHAPv2

From Securepoint Wiki




























In dieser Seite werden die Variablen für unterschiedliche Sprachen definiert.
Diese Seite wird auf folgenden Seiten eingebunden

















































Configuration of an IPSec connection with EAP-MSCHAPv2

Last adaptation to the version: 12.6.0

New:
  • Updated to Redesign of the webinterface
notempty
This article refers to a Beta version
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115 VPN IPSec  Area Connections button Add IPSec connection

Preparations

User rights and settings

Group with IPSec EAP authorization
Active Permissions Description Add group UTMuser@firewall.name.fqdnAuthenticationUser In this new group, IPSec EAP still needs to be enabled.
On IPSec EAP Enables Microsoft CHAPv2 for IPSec connections with IKEv2
  • Menu Authentication User  Area Group
  • Button
Edit group
or
Add group
  • Tab Permissions
  • Enable IPSEC EAP

Further configuration options in the wiki article on User Groups

User configuration
Caption Value Description Add user UTMuser@firewall.name.fqdnAuthenticationUser
EAP MSCHAPv2 password: **************** An appropriate password is entered.
  • For security reasons, the EAP password should be different from the user's general password.
    • Menu Authentication User  Area User
    • Button
    Edit user
    or
    Add user
    • Tab General
    The user must be a member of the newly configured group with the IPSEC EAP permission
    • Tab VPN/ section
      IPSec
    Enter MSCHAPv2 password

    Further configuration options in the wiki article on User management


    Configure IPSec

    Preparations

    Create CA and server certificate

    A corresponding CA and server certificate is required for an IPSec connection. If these do not yet exist, they must be newly created.

    Set up DHCP

    If desired, clients can receive IP addresses from a local network via DHCP.
    To do this, a few general settings must be made.




























    In dieser Seite werden die Variablen für unterschiedliche Sprachen definiert.
    Diese Seite wird auf folgenden Seiten eingebunden


















    Preparations
    An IP address range for the network of the selected interface must be available on the DHCP server.

    On the UTM, this is configured under Network Network Configuration  Area DHCP Pools.
    Further setup instructions in the Wiki article on DHCP.

    IPSec DHCP settings

    Menu VPN IPSec  Area DHCP

    Caption Value Description IPSec UTMuser@firewall.name.fqdnVPN IPSec Log Save and restart Dialog for the global DHCP settings of IPSec clients
    Mode notempty
    New as of v12.5.0
    		 ServerInterface Determines whether DHCP requests are send to a specific server or via an interface as broadcast
    DHCP-Server:
    Only for mode Server    		 192.168.222.1 Sets a DHCP server address to be used. It can also be a unicast address. For example, to be used with remote DHCP servers that can only be reached via routed networks.
    DHCP-Interface:
    Only for mode Interface    		 LAN2 (UTM-Pools: xyz) Specifies an interface through which DHCP requests from the client are forwarded as a broadcast. If applicable the names of the pools configured under Network Network Configuration  Area DHCP Pools and belonging to a network configured on the interface are displayed.
    Static DHCP identity: Off For On, a static DHCP client identity and MAC address is generated for each client from its IPSec identity (e.g., certificate DN, EAP identity) to allow static IP addresses to be assigned by the server.
    Save and restart Saves the settings and restarts the IPSec service

    notempty

    This will interrupt all existing IPSec connections



    Create IPSec Roadwarrior connection

    Add connection using the setup wizard at: VPN IPSec  Area Connections button Add IPSec connection

    Connection type
    Step 1 - Connection type
    Caption Value Description Add IPSec connection UTMuser@firewall.name.fqdnVPNIPSec Selecting the connection type
    Selecting the connection type Roadwarrior For the configuration of an E2S / End-to-Site connection with MSCHAPv2, Roadwarrior is selected.
    General
    Step 2 - General
    Name: IPsec Roadwarrior Name of the IPSec connection
    Step 2 - General
    Connection type: IKEv2 - Native IKEv2 is selected as the connection type
    Local
    Step 3 - Local
    Local Gateway ID:     The Local Gateway ID is entered. This is filled in automatically when the certificate is selected.
    Step 3 - Local
    Authentication method: Certificate Certificate is selected
    X.509 certificate: IPSec Cert A certificate should be selected that is exclusively responsible for this IPSec connection
    Share network: 192.168.222.1/24 The local network that is to be shared for the IPSec connection
    Remote terminal
    Step 4 - Remote terminal
    Remote Gateway ID: 203.0.113.113/24 The IP address or the gateway ID of the remote terminal
    Step 4 - Local
    Authentication method: EAP MSCHAPv2 EAP-MSCHAPv2 is selected as the authentication method for the remote terminal
    User group: IPSec user group The previously created user group is selected
    IP-Adresse/Pool: 192.168.22.35/32 The IP address (e.g.: 192.168.22.35/32), or pool in the form of a subnet (e.g.: 192.168.22.35/26 for the pool of 192.168.22.0 -192.168.22.63) which is used under IPSec.
    Done Saves the entries and closes the wizard
    If the clients should receive IP addresses from an internal network, this can now be done
    in the settings for Phase 2 in the General tab with DHCP: On.     		Edit phase 2 UTMuser@firewall.name.fqdnVPNIPSec The enabled DHCP
    Retrieved from "https://wiki.securepoint.de/index.php?title=UTM/VPN/IPSec-EAP&oldid=94887"