IPSec with EAP-MSCHAPv2

Configuration of an IPSec connection with EAP-MSCHAPv2

Last adaptation to the version: 12.6.0

New:

Updated to Redesign of the webinterface

notempty

This article refers to a Resellerpreview

12.2

Preparations

User rights and settings

Group with IPSec EAP authorization
Active	Permissions	Description	Add group UTMuser@firewall.name.fqdnAuthenticationUser In this new group, IPSec EAP still needs to be enabled.
On	IPSec EAP	Enables Microsoft CHAPv2 for IPSec connections with IKEv2
Menu Authentication User Area Group Button Edit group or Add group Tab Permissions Enable IPSEC EAP Further configuration options in the wiki article on User Groups

User configuration
Caption	Value	Description	Add user UTMuser@firewall.name.fqdnAuthenticationUser
EAP MSCHAPv2 password:	****************	An appropriate password is entered. For security reasons, the EAP password should be different from the user's general password.
Menu Authentication User Area User Button Edit user or Add user Tab General The user must be a member of the newly configured group with the IPSEC EAP permission Tab VPN/ section IPSec Enter MSCHAPv2 password Further configuration options in the wiki article on User management

Configure IPSec

Preparations

Create CA and server certificate

A corresponding CA and server certificate is required for an IPSec connection. If these do not yet exist, they must be newly created.

Set up DHCP

If desired, clients can receive IP addresses from a local network via DHCP.
To do this, a few general settings must be made.

Show IPSec DHCP preparations

Create IPSec Roadwarrior connection

Add connection using the setup wizard at: VPN IPSec Area Connections Button Add IPSec connection

Connection type Step 1 - Connection type
Caption	Value	Description	Add IPSec connection UTMuser@firewall.name.fqdnVPNIPSec Selecting the connection type
Selecting the connection type	Roadwarrior	For the configuration of an E2S / End-to-Site connection with MSCHAPv2, Roadwarrior is selected.

General Step 2 - General
Name:	IPsec Roadwarrior	Name of the IPSec connection	Step 2 - General
Connection type:	IKEv2 - Native	IKEv2 is selected as the connection type

Local Step 3 - Local
Local Gateway ID:		The Local Gateway ID is entered. This is filled in automatically when the certificate is selected.	Step 3 - Local
Authentication method:	Certificate	Certificate is selected
X.509 certificate:	IPSec Cert	A certificate should be selected that is exclusively responsible for this IPSec connection
Share network:	192.168.222.1/24	The local network that is to be shared for the IPSec connection

Remote terminal Step 4 - Remote terminal
Remote Gateway ID:	203.0.113.113/24	The IP address or the gateway ID of the remote terminal	Step 4 - Local
Authentication method:	EAP MSCHAPv2	EAP-MSCHAPv2 is selected as the authentication method for the remote terminal
User group:	IPSec user group	The previously created user group is selected
IP-Adresse/Pool:	192.168.22.35/32	The IP address (e.g.: 192.168.22.35/32), or pool in the form of a subnet (e.g.: 192.168.22.35/26 for the pool of 192.168.22.0 -192.168.22.63) which is used under IPSec.
Done		Saves the entries and closes the wizard

If the clients should receive IP addresses from an internal network, this can now be done in the settings for Phase 2 in the General tab with DHCP: On.			Edit phase 2 UTMuser@firewall.name.fqdnVPNIPSec The enabled DHCP

Caption	Value	Description	IPSec UTMuser@firewall.name.fqdnVPN IPSec Log Save and restart Dialog for the global DHCP settings of IPSec clients
Mode notempty New as of v12.5.0	ServerInterface	Determines whether DHCP requests are send to a specific server or via an interface as broadcast
DHCP-Server: Only for mode Server	192.168.222.1	Sets a DHCP server address to be used. It can also be a unicast address. For example, to be used with remote DHCP servers that can only be reached via routed networks.
DHCP-Interface: Only for mode Interface	LAN2 (UTM-Pools: xyz)	Specifies an interface through which DHCP requests from the client are forwarded as a broadcast. If applicable the names of the pools configured under Network Network Configuration Area DHCP Pools and belonging to a network configured on the interface are displayed.
Static DHCP identity:	Off	For On, a static DHCP client identity and MAC address is generated for each client from its IPSec identity (e.g., certificate DN, EAP identity) to allow static IP addresses to be assigned by the server.
Save and restart		Saves the settings and restarts the IPSec service notempty This will interrupt all existing IPSec connections

IPSec with EAP-MSCHAPv2

Contents

Preparations

User rights and settings

Group with IPSec EAP authorization

User configuration

Configure IPSec

Preparations

Create CA and server certificate

Set up DHCP

Preparations

IPSec DHCP settings

Create IPSec Roadwarrior connection

Connection type

General

Local

Remote terminal