
Remote Access VPN - Windows Client - ikev2

Scope: Access Remote Access VPN from Windows

Method: ikev2 (EAP)

When EAP authentication is used, an SSL certificate must be uploaded before EAP can be selected. The purpose of the certificate is to authenticate the server to the client. Either a certificate issued by a Certification Authority or a self-signed certificate can be used here.

OS: Windows 2019


Prerequisite: the VPC is already configured and Source NAT is present



  1. Add SSL Certificate.
      - Certificate 
      - Private Key
      - If a password is configured for the private key, supply it in the last field while adding the certificate


    To generate a self-signed certificate, the following steps can be used.

    1. Create a self-signed certificate with OpenSSL using the following command (the private key is encrypted with a passphrase)

      openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

      or, if no encryption of the private key is required

      openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

    2. Upload the certificate to the account as described above

    3. Package the certificate together with its key in PKCS#12 (.p12) format so it can be imported on the Windows client

      openssl pkcs12 -export -inkey key.pem  -in cert.pem  -out cert_key.p12


  2. Enable Remote Access VPN as follows.


  3. Create a VPN user if one is not already available.



Windows Client Configuration

On the Windows client, the following steps need to be performed

  1. Install the server certificate created earlier (cert_key.p12) on the Windows client


  2. Create a new VPN connection with VPN type 'IKEv2', using the Remote Access VPN gateway IP address as the server address


    Status of the VPN connection
    Right-click on the newly created connection and choose Properties.


  3. Select EAP as the authentication method and EAP-MSCHAP v2 as the EAP type


  4. Go to the registry path HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters and set DisableIKENameEkuCheck to 1
    (A registry file is attached to this document; download it to the Windows box and run the command: reg import FileName)


  5. Try connecting; you will be prompted for credentials. Provide the credentials of one of the VPN users


  6. Check the routing table and add a route to the VPC network.

    C:\Users\Administrator>route ADD MASK


  7. Check which VMs are available in this VPC.

  8. Ping one of them to verify the connection
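The Windows client steps above, as an added PowerShell example that is not part of the original page or of the product's own tooling. It assumes the self-signed cert_key.p12 is placed in the machine Trusted Root store so the client can validate the server, that the default EAP type of Add-VpnConnection (EAP-MSCHAP v2) is what step 3 asks for, and that the caller supplies the gateway IP, the VPC range and the p12 export password; it also only sets DisableIKENameEkuCheck when the certificate would actually fail the name/EKU check, since that value relaxes server-certificate validation for every IKEv2 connection on the box.

```powershell
# Added example, not the original page's code. Runs client steps 1-4 and 6 from an elevated PowerShell.
param(
    [Parameter(Mandatory)][string]$GatewayIp,   # Remote Access VPN gateway IP (assumed parameter)
    [Parameter(Mandatory)][string]$PfxPath,     # cert_key.p12 produced by the openssl pkcs12 step
    [string]$PfxPassword = '',                  # export password given to openssl pkcs12, if any
    [string]$VpcCidr = '',                      # VPC private range for step 6 (assumed parameter)
    [string]$ConnectionName = 'CloudStack-IKEv2' # assumed connection name
)

$secret = $null
if ($PfxPassword) { $secret = ConvertTo-SecureString $PfxPassword -AsPlainText -Force }

# Step 1: a self-signed server certificate must sit in Trusted Root for the client to build a chain.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\Root -Password $secret

# What the Windows IKEv2 client validates by default: the Server Authentication EKU and a
# subject/SAN that matches the address being dialled. Conservative check: an IP-only SAN
# is not covered by DnsNameList, so a cert using one is treated as not matching.
$hasServerAuthEku = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
$cnPattern = 'CN=' + [regex]::Escape($GatewayIp) + '(,|$)'
$nameMatches = ($cert.DnsNameList.Unicode -contains $GatewayIp) -or ($cert.Subject -match $cnPattern)

# Steps 2-3: IKEv2 tunnel with EAP. Without -EapConfigXmlStream the EAP type defaults to EAP-MSCHAP v2.
Add-VpnConnection -Name $ConnectionName -ServerAddress $GatewayIp -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EncryptionLevel Required -SplitTunneling -Force

# Step 4: relax the name/EKU check only when this certificate needs it, and say so loudly.
$rasman = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
if ($hasServerAuthEku -and $nameMatches) {
    Write-Host "Server certificate passes the name/EKU check; leaving DisableIKENameEkuCheck untouched."
} else {
    Write-Warning "Certificate lacks a Server Authentication EKU or a matching name; setting DisableIKENameEkuCheck=1 (weaker server validation for all IKEv2 connections)."
    New-ItemProperty -Path $rasman -Name DisableIKENameEkuCheck -PropertyType DWord -Value 1 -Force | Out-Null
}

# Step 6: route only the VPC range through the tunnel instead of a hand-typed 'route ADD'.
if ($VpcCidr) { Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $VpcCidr }

# Step 5 is interactive: run 'rasdial <name> <vpnuser> <password>' or connect from the UI.
```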


Router Side:

root@r-5475-VM:~# ipsec status
Security Associations (1 up, 0 connecting):
ikev2-vpn[3]: ESTABLISHED 6 minutes ago,[C=IN, ST=Karnataka, L=Bangalore, O=Persistent, OU=Cloud, CN=roviuscloud,]...[]


root@r-5475-VM:~# ip xfrm state
src dst
proto esp spi 0x2aad743e reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xcf3ecc1a7f6af6014664095876e6b59ea0d2d7ec 96
enc cbc(aes) 0x06584b8861051494fc130c99515be11f

src dst
proto esp spi 0xc3885004 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x6191c199fbe6e848f742e351c63e2b9a1160bd22 96
enc cbc(aes) 0x6315f722f77152abb56c11dc688141e9


Note: the virtual IP range is configured using the parameter The default value of the same is If it conflicts with the VPC private range, the value needs to be updated.

Registry Download: