Configuration of an IPSec connection with EAP-MSCHAPv2 to a Windows client
New article with version: 12.5.1
Last updated: 11.2023
This article refers to a Resellerpreview

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
→ VPN →IPSec

Introduction

This HowTo describes how to create an IPSec roadwarrior connection with IKEv2 and EAP-MSCHAPv2 authentication for a Windows client, using the VPN client built into Windows.


Customization of the server certificate

The server certificate on the UTM must be adjusted so that the Windows client trusts the IPSec connection: the Windows IKEv2 client checks that the server address it dials matches a Subject Alternative Name (SAN) of the server certificate. For this purpose a Subject Alternative Name is defined:

  • If the connection is established via a static IP address, this address is entered (type IP)
  • If the connection is established via a domain name, this name is entered (type DNS)
  • Both entries can also be combined

The value entered here must be exactly the hostname or IP address that is later used as the server address on the Windows client.

In → Authentication →Certificates the Edit button opens the edit dialog of the server certificate.
If there is no server certificate yet, the Add certificate, Add ACME certificate or Import certificate buttons create one.
Under Alias either the IP address is entered with IP, or the domain name with DNS, and added with the button.
The Save button saves the entries.



IPSec with EAP-MSCHAPv2

An IPSec roadwarrior connection with EAP-MSCHAPv2 for the Windows client is required. The Wiki article IPSec with EAP-MSCHAPv2 contains the instructions for creating it.

Note: if the DHCP option of the connection is to be used, no DHCP server may be entered in the global IPSec settings.

Adjustment of the IPSec connection

IKEv2 phases 1 and 2 of the IPSec connection must be adjusted, because the Windows client does not support the UTM's default proposals.
Under → VPN →IPSec, tab Connections, the buttons for the corresponding IKEv2 phases of the IPSec roadwarrior connection are clicked.

IKEv2 Phase 1

The Phase 1 button switches the window to the IKE tab, where the following recommended settings are made:

UTM v12.5.1 VPN IPSec-Windows RW IKEv2 Phase1-en.png
IKEv2 Phase 1

Setting                 Value                     Description
Encryption              aes256                    Select aes256 as encryption
Authentication          sha2_384                  Select sha2_384 as integrity algorithm
Diffie-Hellman group    modp2048s256              Select modp2048s256 (RFC 5114 group 24, DHGroup Group24 on Windows). Only selectable while Show weak algorithms is active
Show weak algorithms    On                        Must be active, otherwise modp2048s256 is not offered in the list
Strict                  On                        Activate: the Windows client offers exactly one fixed proposal for phases 1 and 2, so the UTM must accept only this one
IKE lifetime            Off                       Can be activated if desired
IKE rekey time          1 hour                    Can be set as desired
Rekeying                Unlimited (recommended)   Set to unlimited
IKEv2 Phase 2

The Phase 2 button switches the window to the General tab, where the following recommended settings are made:

UTM v12.5.1 VPN IPSec-Windows RW IKEv2 Phase2-en.png
IKEv2 Phase 2

Setting                     Value           Description
Encryption                  aes256          Select aes256 as encryption
Authentication              sha2_384        Select sha2_384 as integrity algorithm
Diffie-Hellman group        modp2048s256    Select modp2048s256 (RFC 5114 group 24, PfsGroup PFS24 on Windows). Only selectable while Show weak algorithms is active
Show weak algorithms        On              Must be active, otherwise modp2048s256 is not offered in the list
Key life                    8 hours         Can be freely selected
Restart after abort         No              Can be activated if desired
Group subnet combinations   On              Should already be active by default
DHCP                        Off             Activate only if no DHCP server is entered in the global IPSec settings

Setting up the connection on the Windows client

Import CA from server certificate

The certificate of the CA that issued the server certificate revised above is installed on the Windows client as a trusted root certificate. Only then does the client trust the UTM.

  • The CA is exported as PEM and opened in an editor.
  • If the export contains a private key, the section between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- is deleted: the client needs only the certificate, and the CA's private key must never remain on a client. Delete the complete export as soon as the .crt file has been created.
  • The remaining certificate block is saved as a .crt file.
UTM Windows-Client Server-Zertifikat Import-Install-en.png
Fig.1
The .crt file (the PEM export without the private key) is copied to the Windows client and installed there.
UTM Windows-Client Server-Zertifikat Install Schritt1-en.png
Fig.2
  • Select Local Machine as the store location
  • Next
UTM Windows-Client Server-Zertifikat Install Schritt2-en.png
Fig.3
  • Select Place all certificates in the following store
  • Select certificate store: Trusted Root Certification Authorities
  • Next
UTM Windows-Client Server-Zertifikat Install Schritt3-en.png
Fig.4
  • Finish completes the import of the CA
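The same import can be done without the wizard. The following PowerShell script is an added example, not part of the original article: it takes the PEM export of the CA, keeps only the CERTIFICATE block (warning if the export still carries a private key), checks that the file really is a CA certificate and not the server certificate, and installs it into Trusted Root Certification Authorities of the local machine. The paths C:\Temp\utm-ca.pem and C:\Temp\utm-ca.crt are assumptions; writing to the LocalMachine store requires an elevated PowerShell session.

```powershell
# Added example (not from the original article): install the UTM's CA certificate
# from a PEM export into Cert:\LocalMachine\Root. Paths are hypothetical.
param(
    [string]$PemPath = 'C:\Temp\utm-ca.pem',
    [string]$CrtPath = 'C:\Temp\utm-ca.crt'
)

$pem = Get-Content -Path $PemPath -Raw

# A PEM export may contain the CA's private key. It has no business on a client:
# it is not written to the .crt, and the operator is told to remove the export.
if ($pem -match '-----BEGIN (RSA |EC )?PRIVATE KEY-----') {
    Write-Warning "$PemPath contains a private key. Only the certificate is needed on the client; delete this export after the import."
}

# Keep only CERTIFICATE block(s); keys, comments and anything else are dropped.
$blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----')
if ($blocks.Count -eq 0) { throw "No CERTIFICATE block found in $PemPath" }
($blocks | ForEach-Object { $_.Value }) -join "`n" | Set-Content -Path $CrtPath -Encoding ascii

# Inspect before trusting: the file must be a CA certificate (Basic Constraints CA=true),
# not the UTM's server certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CrtPath)
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "$($cert.Subject) is not a CA certificate; import the issuing CA, not the server certificate."
}
Write-Host "CA:         $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Valid to:   $($cert.NotAfter)"

# Import into Trusted Root Certification Authorities of the local machine, skipping duplicates.
$existing = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint
if ($existing) {
    Write-Host "Already present in Trusted Root Certification Authorities, nothing to do."
} else {
    Import-Certificate -FilePath $CrtPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Host "Imported into Trusted Root Certification Authorities."
}
```

The Basic Constraints check is there because importing the server certificate itself into the root store does not help (the chain still does not validate) and importing the wrong file silently is the usual cause of "the certificate is not trusted" errors later on.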












Connection setup

The IPSec connection can be added to the Windows client in different ways.
Here the method via PowerShell is described.

UTM Windows-Client-IPSec Powershell Befehl1.png
Fig.1
First, the IPSec connection is added. The following command is entered for this purpose:


Add-VpnConnection -Name "IPSec RW Windows" -ServerAddress "utm.spdns.eu" -AuthenticationMethod MSChapv2 -PassThru -RememberCredential
The following values are adjusted:

  • -Name "IPSec RW Windows": the name of the IPSec connection being created
  • -ServerAddress "utm.spdns.eu": hostname of the UTM. It must match a Subject Alternative Name of the UTM server certificate exactly, otherwise the client rejects the server certificate
UTM Windows-Client-IPSec Powershell Befehl2.png
Fig.2
The next command sets IKEv2 phases 1 and 2 on the client to the values configured on the UTM above:


Set-VpnConnectionIPsecConfiguration -ConnectionName "IPSec RW Windows" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -PfsGroup PFS24 -DHGroup Group24 -PassThru -Force
The following value is adjusted:

  • -ConnectionName "IPSec RW Windows": the name of the created IPSec connection

The parameters map to the UTM phases as follows: -EncryptionMethod, -IntegrityCheckMethod and -DHGroup describe the IKE SA (phase 1: aes256, sha2_384, modp2048s256 = group 24); -CipherTransformConstants, -AuthenticationTransformConstants and -PfsGroup describe the ESP child SA (phase 2). -AuthenticationTransformConstants SHA256128 is HMAC-SHA-256 with 128-bit truncation, the strongest HMAC the Windows client offers for ESP. If the UTM logs a rejected phase 2 proposal while Strict is active, this ESP integrity value is the one to compare with the phase 2 authentication setting on the UTM.













With the option -RememberCredential (in the first command) the Windows client stores the login data after the first successful connection. Alternatively the -UseWinlogonCredential option can be given; then the Windows login data of the current user is passed to the UTM.
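The two commands above can be combined into a repeatable script that also verifies what was actually stored. This is an added example, not part of the original article: it removes a stale definition of the same name, creates the connection, pins the IPsec proposal to the UTM's phase 1 and phase 2 values, and compares the stored configuration against the expected values before the connection is dialled. The connection name and the hostname utm.spdns.eu are the article's; -TunnelType Ikev2 is an addition that prevents the client from falling back to another tunnel type (the article's command leaves the tunnel type at Automatic).

```powershell
# Added example (not from the original article): repeatable setup and verification of
# the IKEv2/EAP-MSCHAPv2 connection to the UTM. Adjust $Name and $Server as needed.
$Name   = 'IPSec RW Windows'
$Server = 'utm.spdns.eu'   # must match a SAN entry of the UTM server certificate

# Remove an existing definition with the same name so the script can be re-run.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

# -TunnelType Ikev2 pins the tunnel type; the article's command leaves it at Automatic.
$conn = Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod MSChapv2 -RememberCredential -PassThru

# UTM settings -> Windows parameters:
#   Phase 1 aes256 / sha2_384 / modp2048s256 -> EncryptionMethod AES256 / IntegrityCheckMethod SHA384 / DHGroup Group24
#   Phase 2 aes256 / modp2048s256            -> CipherTransformConstants AES256 / PfsGroup PFS24
#   AuthenticationTransformConstants is the ESP integrity algorithm (SHA256128 = HMAC-SHA-256, 128-bit truncation)
$ipsec = Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 `
    -PfsGroup PFS24 -DHGroup Group24 -PassThru -Force

# Verify the stored proposal instead of trusting that the call did what was intended.
$expected = @{
    EncryptionMethod                 = 'AES256'
    IntegrityCheckMethod             = 'SHA384'
    DHGroup                          = 'Group24'
    CipherTransformConstants         = 'AES256'
    AuthenticationTransformConstants = 'SHA256128'
    PfsGroup                         = 'PFS24'
}
foreach ($k in $expected.Keys) {
    $actual = "$($ipsec.$k)"
    if ($actual -ne $expected[$k]) { throw "$k is '$actual', expected '$($expected[$k])'" }
}
Write-Host "Connection '$Name' -> $Server ($($conn.TunnelType), $($conn.AuthenticationMethod)) configured."

# Dial with the stored credentials; rasdial prompts for them if none are stored yet.
# rasdial $Name
```

The verification loop matters because Set-VpnConnectionIPsecConfiguration accepts any combination of enum values; a typo such as Group14 instead of Group24 produces a valid-looking connection that simply fails in phase 1 against a Strict UTM proposal.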

Initiate connection

VPN client in Windows

After the IPSec connection has been set up on the Windows client, the IPSec connection to the UTM can be initiated via a VPN client, for example the VPN client built into Windows (Settings / Network & Internet / VPN), or from the command line with rasdial "IPSec RW Windows".