This HowTo describes how to create an IPSec Roadwarrior connection using IKEv2 EAP-MSCHAPv2 to a Windows client.
Customization of the server certificate
Customization of the server certificate
The server certificate on the UTM must be adjusted so that the Windows client trusts the IPSec connection.
For this purpose, a Subject Alternative Name is defined:
If the connection is established via a static IP address, this address is entered
If the connection is established via a domain name, this name is entered
Both entries can also be combined
In → Authentication →Certificates the Edit button opens the edit dialog of the server certificate.
If there is no server certificate yet, the Add certificate, Add ACME certificate or Import certificate buttons will create one.
Under Alias either the IP address is entered with IP, or the domain name with DNS and added with the button.
The Save button is used to save the entries.
IPSec with EAP-MSCHAPv2
An IPSec Roadwarrior connection with EAP-MSCHAPv2 to the Windows client is required. The corresponding Wiki article IPSec with EAP-MSCHAPv2 contains the instructions for this.
notempty
For the DHCP option to be used, no DHCP server must be entered in the global IPSec settings.
Adjustment of the IPSec connection
For the IPSec connection used, IKEv2 phases 1 and 2 must be adjusted, as Windows does not support the default values.
Under → VPN →IPSecTab Connections, the buttons for the corresponding IKEv2 phases are clicked for the IPSec roadwarrior connection.
IKEv2 Phase 1
The Phase 1 button switches the window to the IKE tab and makes the following recommended settings
Caption
Value
Description
IKEv2 Phase 1
Encryption:
aes256
Select aes256 as encryption
Authentication:
sha2_384
Select sha2_384 for authentication
Diffie-Hellman Group:
modp2048s256
Select modp2048s256 as Diffie-Hellman Group. This requires Display weak algorithms to be active.
Show weak algorithms:
On
Only when activated, the Diffie-Hellman Groupmodp2048s256 becomes selectable
Strict:
On
Activate, because the phases 1 and 2 are fixed defined on Windows
IKE Lifetime:
Off
If desired, this can be activated
IKE Rekeytime:
1 Hours
The rekey time can be set as desired
Rekeying:
Unlimited (recommended)
Set to unlimited (recommended)
IKEv2 Phase 2
The Phase 2 button switches the window to the General tab and makes the following recommended settings
Caption
Value
Description
IKEv2 Phase 2
Encryption:
aes256
Select aes256 as encryption
Authentication:
sha2_384
Select sha2_384 for authentication
Diffie-Hellman Group:
modp2048s256
Select modp2048s256 as Diffie-Hellman Group. This requires Display weak algorithms to be active.
Show weak algorithms:
On
Only when activated, the Diffie-Hellman Groupmodp2048s256 becomes selectable
Key life:
8 Hours
Can be freely selected
Restart after abort:
No
If desired this can be activated
Group subnet combinations:
On
Should already be active by default
DHCP:
Off
Activate only if no DHCP server is entered in the global IPSec settings
Setting up the connection on the Windows client
Import CA from server certificate
The public key of the CA, which belongs to the server certificate revised above, is stored as a certificate on the Windows client. Only then does the client trust the UTM.
The IPSec connection can be added to the Windows client in different ways.
Here the method via Powershell is described.
Fig.1
First, the IPSec connection is added. The following command is entered for this purpose:
Add-VpnConnection -Name "IPSec RW Windows" -ServerAddress "utm.spdns.eu" -AuthenticationMethod MSChapv2 -PassThru -RememberCredential The following adjustment must be done in the process:
Add-VpnConnection -Name "IPSec RW Windows": The name of the created IPSec connection
-ServerAddress "utm.spdns.eu": Hostname of the UTM
Fig.2
The next command adjusts the settings of IKEv2 phase 1 and 2 according to the upper inputs:
Set-VpnConnectionIPsecConfiguration -ConnectionName "IPSec RW Windows" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -PfsGroup PFS24 -DHGroup Group24 -PassThru -Force The following adjustment must be done in the process:
-ConnectionName "IPSec RW Windows": The name of the created IPSec connection
With the option -RememberCredential (in the first command) the Windows client remembers the login data. Alternatively, the -UseWinlogonCredential option can be entered. Then the Windows login data of the current user is passed to the UTM.
Initiate connection
VPN-Client in Windows
After the IPSec connection has been set up on the Windows client, you can initiate the IPSec connection to the UTM via a VPN client, for example the Windows internal VPN client.