IPSec with EAP-MSCHAPv2 to a Windows Client

Configuration of an IPSec connection with EAP-MSCHAPv2 to a Windows client

Last adaptation to the version: 12.6.0

New:

Parameter added that prevents all Internet traffic from being routed through the tunnel
Updated to Redesign of the webinterface

Last updated:

05.2024

notempty

This article refers to a Beta version

12.5

Introduction

This HowTo describes how to create an IPSec Roadwarrior connection using IKEv2 EAP-MSCHAPv2 to a Windows client.

Customization of the server certificate

Edit certificate UTMuser@firewall.name.fqdnAuthenticationCertificate Customization of the server certificate The server certificate on the UTM must be adjusted so that the Windows client trusts the IPSec connection.
For this purpose, a Subject Alternative Name is defined:

If the connection is established via a static IP address, this address is entered
If the connection is established via a domain name, this name is entered
Both entries can also be combined

In Authentication Certificates the Edit button opens the edit dialog of the server certificate.
If there is no server certificate yet, the Add certificate, Add ACME certificate or Import certificate buttons will create one.
Under Alias either the IP address is entered with IP, or the domain name with DNS and added with the button.
The Save button is used to save the entries.

IPSec with EAP-MSCHAPv2

An IPSec Roadwarrior connection with EAP-MSCHAPv2 to the Windows client is required. The corresponding Wiki article IPSec with EAP-MSCHAPv2 contains the instructions for this.

notempty

For the DHCP option to be used, no DHCP server must be entered in the global IPSec settings.

Adjustment of the IPSec connection

For the IPSec connection used, IKEv2 phases 1 and 2 must be adjusted, as Windows does not support the default values.
Under VPN IPSec Area Connections, the buttons for the corresponding IKEv2 phases are clicked for the IPSec roadwarrior connection.

IKEv2 Phase 1

The Phase 1 button switches the window to the IKE tab and makes the following recommended settings

Caption	Value	Description	Edit phase 1 UTMuser@firewall.name.fqdnVPNIPSec IKEv2 Phase 1
Encryption:	aes256	Select aes256 as encryption
Authentication:	sha2_384	Select sha2_384 for authentication
Diffie-Hellman Group:	modp2048s256	Select modp2048s256 as Diffie-Hellman Group.
Strict:	On	Activate, because the phases 1 and 2 are fixed defined on Windows
IKE Lifetime:	Off	If desired, this can be activated
IKE Rekeytime:	1 Hours	The rekey time can be set as desired
Rekeying:	Unlimited (recommended)	Set to unlimited (recommended)

IKEv2 Phase 2

The Phase 2 button switches the window to the General tab and makes the following recommended settings

Caption	Value	Description	Edit phase 2 UTMuser@firewall.name.fqdnVPNIPSec IKEv2 Phase 2
Encryption:	aes256	Select aes256 as encryption
Authentication	sha2_384	Select sha2_384 for authentication
Diffie-Hellman Group:	modp2048s256	Select modp2048s256 as Diffie-Hellman Group.
Key life:	8 Hours	Can be freely selected
Restart after abort:	No	If desired this can be activated
Group subnet combinations:	On	Should already be active by default
DHCP:	Off	Activate only if no DHCP server is entered in the global IPSec settings

Setting up the connection on the Windows client

Import CA from server certificate

The public key of the CA, which belongs to the server certificate revised above, is stored as a certificate on the Windows client. Only then does the client trust the UTM.

The CA must be exported as PEM and opened in an editor.
The section between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- is deleted.
The CA must be saved as a .crt file.

Fig.1

The CA is copied and installed as a .crt file (export as PEM) on the Windows client.

Fig.2

Select Local computer as storage location
Next

Fig.3

Select Store all certificates in the following memory

Select Certificate store: Trusted root certification authorities

Fig.4

With Complete the CA is imported

Connection setup

The IPSec connection can be added to the Windows client in different ways.
Here the method via Powershell is described.

Fig.1

First, the IPSec connection is added. The following command is entered for this purpose:

Add-VpnConnection -Name "IPSec RW Windows" -ServerAddress "utm.spdns.eu" -AuthenticationMethod MSChapv2 -PassThru -RememberCredential -SplitTunneling
The following adjustment must be done in the process:

Add-VpnConnection -Name "IPSec RW Windows": The name of the created IPSec connection
-ServerAddress "utm.spdns.eu": Hostname of the UTM

Fig.2

The next command adjusts the settings of IKEv2 phase 1 and 2 according to the upper inputs:

Set-VpnConnectionIPsecConfiguration -ConnectionName "IPSec RW Windows" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -PfsGroup PFS24 -DHGroup Group24 -PassThru -Force
The following adjustment must be done in the process:

-ConnectionName "IPSec RW Windows": The name of the created IPSec connection

With the option -RememberCredential (in the first command) the Windows client remembers the login data. Alternatively, the -UseWinlogonCredential option can be entered. Then the Windows login data of the current user is passed to the UTM.

notempty

New:

The -SplitTunneling option ensures that only packets for the destination networks of the remote terminal are routed through the tunnel

Initiate connection

After the IPSec connection has been set up on the Windows client, you can initiate the IPSec connection to the UTM via a VPN client, for example the Windows internal VPN client.