Configuration of an IPSec connection with EAP-MSCHAPv2
New article with version: 12.2.4
New: EAP-MSCHAPv2
This article refers to a Resellerpreview
Access: UTM-IP:Port or UTM-URL:Port (port as configured under Network / Appliance Settings / Webserver, default port 11115), e.g. https://utm.ttt-point.de:11115; default: https://192.168.175.1:11115
Menu → VPN → IPSec, tab Connections, button Add IPSec connection
Preparations
User rights and settings
Group with IPSec EAP authorization
In this new group, IPSec EAP still needs to be enabled.
Active: On
Permission: IPSec EAP
    Enables Microsoft CHAPv2 for IPSec connections with IKEv2
Menu → Authentication → User, tab Group, button Edit group or Add group, tab Permissions: enable IPSEC EAP
Further configuration options in the wiki article on User Groups
User configuration
EAP MSCHAPv2 password: ****************
    An appropriate password is entered. For security reasons, the EAP password should be different from the user's general password: MS-CHAPv2 offers only weak protection for the password, so a compromised EAP password must not also open the user's regular account.
Menu → Authentication → User, tab User, button Edit user or Add user
Tab General: the user must be a member of the newly configured group with the IPSEC EAP permission.
Tab VPN, section IPSec (new as of v12.2.4): enter the MSCHAPv2 password.
Further configuration options in the wiki article on User management
Configure IPSec
Preparations
Create CA and server certificate
A corresponding CA and server certificate are required for an IPSec connection. If they do not yet exist, they must be created first.
Set up DHCP
If desired, clients can receive IP addresses from a local network via DHCP. To do this, a few general settings must be made.
Preparations
An IP address range for the network of the selected interface must be available on the DHCP server.
On the UTM, this is configured under → Network → Network Configuration, tab DHCP Pools.
Further setup instructions in the wiki article on DHCP.
IPSec DHCP settings
Menu → VPN → IPSec, tab Global
Dialog for the global DHCP settings of IPSec clients as of v12.5.0
Mode (new as of v12.5.0): Server / Interface
    Determines whether DHCP requests are sent to a specific server or as a broadcast via an interface
DHCP-Server (only for mode Server): 192.168.222.1
    Sets the DHCP server address to be used. It can also be a unicast address, for example for remote DHCP servers that can only be reached via routed networks.
DHCP-Interface (only for mode Interface): LAN2 (UTM-Pools: xyz)
    Specifies an interface through which DHCP requests from the client are forwarded as a broadcast. If applicable, the names of the pools configured under → Network → Network Configuration, tab DHCP Pools that belong to a network configured on the interface are displayed.
Static DHCP identity: Off
    With On, a static DHCP client identity and MAC address are generated for each client from its IPSec identity (e.g. certificate DN, EAP identity) so that the server can assign static IP addresses.
Save and restart
    Saves the settings and restarts the IPSec service. This will interrupt all existing IPSec connections.
Create IPSec Roadwarrior connection
Add the connection using the setup wizard at: → VPN → IPSec, tab Connections, button Add IPSec connection

Step 1 - Connection type
Selecting the connection type: Roadwarrior
    For the configuration of an E2S / End-to-Site connection with MSCHAPv2, Roadwarrior is selected.

Step 2 - General
Name: IPsec Roadwarrior
    Name of the IPSec connection
Connection type: IKEv2 - Native
    IKEv2 is selected as the connection type

Step 3 - Local
Local Gateway ID:
    The Local Gateway ID is entered. This is filled in automatically when the certificate is selected.
Authentication method: Certificate
    Certificate is selected
X.509 certificate: IPSec Cert
    A certificate should be selected that is used exclusively for this IPSec connection
Share network: 192.168.222.1/24
    The local network that is to be shared for the IPSec connection
Step 4 - Remote terminal
Remote Gateway ID: 192.0.2.192/24
    The IP address or the gateway ID of the remote terminal
Authentication method: EAP MSCHAPv2
    EAP-MSCHAPv2 is selected as the authentication method for the remote terminal
User group: IPSec user group
    The previously created user group is selected
IP address/Pool: 192.168.22.35/32
    The IP address (e.g. 192.168.22.35/32) or a pool in the form of a subnet (e.g. 192.168.22.35/26 for the pool 192.168.22.0 - 192.168.22.63) that is used for the IPSec clients.

Done
    Saves the entries and closes the wizard
If the clients are to receive IP addresses from an internal network, this can now be set in the Phase 2 settings on the General tab with DHCP: On.
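As an added example (not from this article or from Securepoint), this is the matching client side of the connection configured above, written for a strongSwan roadwarrior in swanctl.conf form. Assumed values: the UTM is reachable as vpn.example.com and that name is the Local Gateway ID in its server certificate, the user is alice, the UTM CA has been exported to /etc/swanctl/x509ca/utm-ca.pem, and the share network is the 192.168.222.0/24 from step 3.

```conf
# swanctl.conf on the roadwarrior client (constructed example, assumed values)
connections {
    utm-rw {
        version = 2                       # IKEv2 - Native, as selected in step 2
        remote_addrs = vpn.example.com    # assumed address of the UTM
        vips = 0.0.0.0                    # request an IPv4 address from the IPSec pool or DHCP
        proposals = aes256-sha256-ecp256  # IKE proposal; must also be allowed on the UTM
        local {
            auth = eap-mschapv2           # EAP-MSCHAPv2, the remote terminal method from step 4
            eap_id = alice                # assumed UTM user; member of the IPSec EAP group
        }
        remote {
            auth = pubkey                 # the UTM authenticates with its X.509 certificate (step 3)
            id = vpn.example.com          # must equal the Local Gateway ID of the UTM certificate
            cacerts = utm-ca.pem          # UTM CA from /etc/swanctl/x509ca; any other gateway
                                          # certificate is rejected before the EAP password is sent
        }
        children {
            lan {
                remote_ts = 192.168.222.0/24   # share network from step 3
                esp_proposals = aes256-sha256
            }
        }
    }
}
secrets {
    eap-alice {
        id = alice
        # the EAP MSCHAPv2 password from the user settings, not the general login password
        secret = "EAP-MSCHAPv2 password of the user"
    }
}
```

Load it with swanctl --load-all and bring the tunnel up with swanctl --initiate --child lan; the remote.id and cacerts entries are what keep the MS-CHAPv2 exchange from being handed to a gateway other than the UTM.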