Jump to:navigation, search
Wiki

IPSec with EAP-MSCHAPv2

From Securepoint Wiki





notempty
Dieser Artikel bezieht sich auf eine nicht mehr aktuelle Version!

notempty
Der Artikel für die neueste Version steht hier

notempty
Zu diesem Artikel gibt es bereits eine neuere Version, die sich allerdings auf eine Beta-Version bezieht

















































































Configuration of an IPSec connection with EAP-MSCHAPv2

New article with version: 12.2.4

New:
  • EAP-MSCHAPv2
notempty
This article refers to a Beta version
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115 → VPN →IPSecTab Connections Button Add IPSec connection

Preparations

User rights and settings


Group with IPSec EAP authorization
Active Permissions Description
In this new group, IPSec EAP still needs to be enabled.
On IPSec EAP Enables Microsoft CHAPv2 for IPSec connections with IKEv2
  • Menu → Authentication →UserTab Group
  • Button
Edit group
or
Add group
  • Tab Permissions
  • Enable IPSEC EAP

Further configuration options in the wiki article on User Groups


User configuration
Caption Value Description
EAP MSCHAPv2 password: **************** An appropriate password is entered.
  • For security reasons, the EAP password should be different from the user's general password.
    • Menu → Authentication →UserTab User
    • Button
    Edit user
    or
    Add user
    • Tab General
    The user must be a member of the newly configured group with the IPSEC EAP permission
    • Tab VPN/ section
      IPSec
      New as of v12.2.4
    Enter MSCHAPv2 password

    Further configuration options in the wiki article on User management


    Configure IPSec

    Preparations

    Create CA and server certificate

    A corresponding CA and server certificate is required for an IPSec connection. If these do not yet exist, they must be newly created.

    Set up DHCP

    If desired, clients can receive IP addresses from a local network via DHCP.
    To do this, a few general settings must be made.





    notempty
    This article refers to a version that is no longer current!

    notempty
    The article for the latest version is here

    notempty
    There is already a newer version of this article, but it refers to a Beter version














































    Preparations
    An IP address range for the network of the selected interface must be available on the DHCP server.

    On the UTM, this is configured under → Network →Network ConfigurationTab DHCP Pools.
    Further setup instructions in the Wiki article on DHCP.

    IPSec DHCP settings

    Menu → VPN →IPSecTab Global

    Caption Value Description
    Dialog for the global DHCP settings of IPSec clients as of v12.5.0
    Mode notempty
    New as of v12.5.0
    		 ServerInterface Determines whether DHCP requests are send to a specific server or via an interface as broadcast
    DHCP-Server:
    Only for mode Server    		 192.168.222.1 Sets a DHCP server address to be used. It can also be a unicast address. For example, to be used with remote DHCP servers that can only be reached via routed networks.
    DHCP-Interface:
    Only for mode Interface    		 LAN2 (UTM-Pools: xyz) Specifies an interface through which DHCP requests from the client are forwarded as a broadcast. If applicable the names of the pools configured under → Network →Network ConfigurationTab DHCP Pools and belonging to a network configured on the interface are displayed.
    Static DHCP identity: Off For On, a static DHCP client identity and MAC address is generated for each client from its IPSec identity (e.g., certificate DN, EAP identity) to allow static IP addresses to be assigned by the server.
    Save and restart Saves the settings and restarts the IPSec service

    notempty

    This will interrupt all existing IPSec connections



    Create IPSec Roadwarrior connection

    Add connection using the setup wizard at: → VPN →IPSecTab Connections Button Add IPSec connection
    Connection type
    Step 1 - Connection type
    Caption Value Description
    Selecting the connection type
    Selecting the connection type Roadwarrior For the configuration of an E2S / End-to-Site connection with MSCHAPv2, Roadwarrior is selected.
    General
    Step 2 - General
    Name: IPsec Roadwarrior Name of the IPSec connection
    Step 2 - General
    Connection type: IKEv2 - Native IKEv2 is selected as the connection type
    Local
    Step 3 - Local
    Local Gateway ID:     The Local Gateway ID is entered. This is filled in automatically when the certificate is selected.
    Step 3 - Local
    Authentication method: Certificate Certificate is selected
    X.509 certificate: IPSec Cert A certificate should be selected that is exclusively responsible for this IPSec connection
    Share network: 192.168.222.1/24 The local network that is to be shared for the IPSec connection
    Remote terminal
    Step 4 - Remote terminal
    Remote Gateway ID: 192.0.2.192/24 The IP address or the gateway ID of the remote terminal
    Step 4 - Local
    Authentication method: EAP MSCHAPv2 EAP-MSCHAPv2 is selected as the authentication method for the remote terminal
    User group: IPSec user group The previously created user group is selected
    IP-Adresse/Pool: 192.168.22.35/32 The IP address (e.g.: 192.168.22.35/32), or pool in the form of a subnet (e.g.: 192.168.22.35/26 for the pool of 192.168.22.0 -192.168.22.63) which is used under IPSec.
    Done Saves the entries and closes the wizard

    If the clients should receive IP addresses from an internal network, this can now be done
    in the settings for Phase 2 in the General tab with DHCP On.
    The enabled DHCP
    Retrieved from "https://wiki.securepoint.de/index.php?title=UTM/VPN/IPSec-EAP_v12.2&oldid=91088"