
Remote Access VPN - Windows Client - ikev2

Scope: Access Remote Access VPN from Windows

Method: ikev2 (EAP)

For EAP authentication, an SSL certificate must be uploaded before EAP authentication is selected. The purpose of the certificate is to authenticate the server to the client. Both certificates issued by a Certification Authority and self-signed certificates can be used here.

OS: Windows 2019

Screenshot_2020-01-25_at_7.26.19_PM.png

Prerequisites: the VPC is already configured and Source NAT is present.

 

Steps:

  1. Add the SSL certificate.
      - Certificate
      - Private key
      - If the private key is password-protected, supply that password in the last field when adding the certificate.

    Screenshot_2020-01-28_at_3.17.39_PM.png

    To generate a self-signed certificate, use the following instructions.

    1. Create a self-signed certificate with OpenSSL using the following command (the private key is protected with a passphrase):

      openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

      or, if no key encryption is required:

      openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

    2. Upload the certificate to the account as described above.

    3. Package the certificate together with its key in PKCS#12 (.p12) format for use on the Windows client.

      openssl pkcs12 -export -inkey key.pem  -in cert.pem  -out cert_key.p12

     

  2. Enable Remote Access VPN as follows.

    Screenshot_2020-01-28_at_3.24.11_PM.png
    Screenshot_2020-01-28_at_3.25.39_PM.png

  3. Create a VPN user if one is not already available.

    Screenshot_2020-01-28_at_3.26.36_PM.png
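As an added example (not from the original page and not CloudStack's own tooling), the following shell script produces the self-signed server certificate from step 1 with the gateway address in the Subject Alternative Name and the Server Authentication EKU that the Windows IKEv2 client validates, then packages it as cert_key.p12; the gateway IP, output directory and export password are assumed values. A certificate built this way passes the name and EKU check that the DisableIKENameEkuCheck registry setting in the client steps below otherwise turns off.

```shell
#!/bin/sh
# Added example, not from the original page: generate a self-signed IKEv2
# server certificate whose SAN carries the gateway address and which asserts
# the Server Authentication EKU, then package it as PKCS#12 for the Windows
# client. The gateway IP and the export password are constructed values.
set -eu

# make_ikev2_server_cert GATEWAY_IP OUTDIR
# Writes key.pem, cert.pem and cert_key.p12 into OUTDIR.
make_ikev2_server_cert() {
    gateway_ip="$1"
    outdir="$2"
    # Attributes the Windows client checks: SAN = gateway address, EKU = serverAuth.
    cat > "$outdir/ikev2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ikev2
prompt = no
[dn]
CN = $gateway_ip
[v3_ikev2]
subjectAltName = IP:$gateway_ip
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$outdir/ikev2.cnf" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" 2>/dev/null
    # Bundle key + cert for import on Windows (password is a placeholder;
    # add -legacy on OpenSSL 3 if an older Windows refuses the import).
    openssl pkcs12 -export -inkey "$outdir/key.pem" -in "$outdir/cert.pem" \
        -out "$outdir/cert_key.p12" -passout pass:changeit
}

# check_ikev2_server_cert CERT GATEWAY_IP
# Returns 0 only when CERT lists GATEWAY_IP in its SAN and carries the
# serverAuth EKU, i.e. when the DisableIKENameEkuCheck workaround is not needed.
check_ikev2_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q "IP Address:$2" || return 1
    printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" || return 1
}
```

Import the resulting cert_key.p12 into the Windows client's Trusted Root store as in the client steps, and dial the same address that appears in the SAN.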

      

Windows Client Configuration

On the Windows client, the following steps need to be performed:

  1. Install the server certificate created earlier (cert_key.p12) on the Windows client.

    Screenshot_2020-01-28_at_3.31.19_PM.png
    Screenshot_2020-01-28_at_3.30.35_PM.png

  2. Create a new VPN connection with VPN type 'IKEv2', using the Remote Access VPN gateway IP address as the server address.

    Screenshot_2020-01-28_at_3.36.45_PM.png

    Status of the VPN connection:
    Screenshot_2020-01-28_at_3.37.11_PM.png
    Right-click the newly created connection and choose Properties.

    Screenshot_2020-01-28_at_3.37.52_PM.png



  3. Select EAP as the authentication method and EAP-MSCHAP v2 as the EAP type.

    Screenshot_2020-01-28_at_3.43.31_PM.png

  4. In the registry, go to HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters and set DisableIKENameEkuCheck (DWORD) to 1. This turns off the Windows check that the server certificate's name matches the gateway address and that it carries the Server Authentication EKU, which a certificate without those attributes does not pass.
    (The registry file is attached to this doc. Download it to the Windows box and run the command: reg import FileName)

    Screenshot_2020-01-28_at_3.44.38_PM.png


  5. Try connecting; Windows prompts for credentials. Provide the credentials of one of the VPN users.
    Screenshot_2020-01-28_at_3.54.37_PM.png

    Screenshot_2020-01-28_at_3.55.13_PM.png

  6. Check the routing table and add a route for the VPC network via the VPN virtual IP gateway (172.24.0.0/16 via 10.9.1.1 in this example).

    C:\Users\Administrator>route ADD 172.24.0.0 MASK 255.255.0.0 10.9.1.1

    OK!

  7. Check which VMs are available in this VPC.

    Screenshot_2020-01-25_at_6.28.43_PM.png
     
  8. Ping a VM to verify the connection.
     
    Screenshot_2020-01-28_at_3.59.55_PM.png

 

Router side:

root@r-5475-VM:~# ipsec status
Security Associations (1 up, 0 connecting):
ikev2-vpn[3]: ESTABLISHED 6 minutes ago, 10.207.252.118[C=IN, ST=Karnataka, L=Bangalore, O=Persistent, OU=Cloud, CN=roviuscloud, E=test.axar@gmail.com]...10.148.28.251[10.148.28.251]

 

root@r-5475-VM:~# ip xfrm state
src 10.207.252.118 dst 10.148.28.251
proto esp spi 0x2aad743e reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xcf3ecc1a7f6af6014664095876e6b59ea0d2d7ec 96
enc cbc(aes) 0x06584b8861051494fc130c99515be11f


src 10.148.28.251 dst 10.207.252.118
proto esp spi 0xc3885004 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x6191c199fbe6e848f742e351c63e2b9a1160bd22 96
enc cbc(aes) 0x6315f722f77152abb56c11dc688141e9
root@r-5475-VM:~#

 

Note: the virtual IP range is configured with the parameter remote.access.vpn.ikev2.vip.cidr; its default value is 10.9.1.0/24. If this range conflicts with the VPC's private range, it needs to be changed.

Registry download:

See the registry file attached to this doc.
