IKEv2 Roadwarrior VPN thuwall 2.0 with Firmware 2.2.6 & 2.3.4
Revision History

Revision | Date          | Author         | Description
1.0      | 05. July 2017 | Tom Huerlimann | Initial Release
1.1      | 06. July 2017 | Tom Huerlimann | Corrections
Index

1.0 Scope of document
2.0 Requirements
3.0 VPN Server
  3.1 Firewall
    3.1.1 Allow ISAKMP
    3.1.2 Allow IPsec NAT-T
    3.1.3 Allow traffic from IPsec
  3.2 Certificates
    3.2.1 Create the CA certificate
    3.2.2 Create the server certificate
    3.2.3 Create the user certificate
    3.2.4 Download the certificates
  3.3 Configure the VPN
    3.3.1 Mobile Clients
    3.3.2 Phase 1
    3.3.3 Phase 2
4.0 Windows Client
  4.1 Install certificates
    4.1.1 Import Certificate Authority
    4.1.2 Import User Certificate
  4.2 Setup VPN connection
  4.3 Configure VPN connection
  4.4 Enable AES256, DH2048 for Phase 1
  4.5 Enable AES256, ECP256 for Phase 2
  4.6 Connect to VPN server
5.0 Apple iOS
  5.1 Install certificates
    5.1.1 Import Certificate Authority
    5.1.2 Import User Certificate
  5.2 Setup VPN connection
  5.3 Connect to VPN server
1.0 Scope of document

This document describes the IPsec IKEv2 configuration of the thuwall 2.0 as VPN server and of Windows 10 / iOS 10 as VPN clients.

2.0 Requirements

- thuwall 2.0 with a static IP address is required.
- thuwall 2.0 with firmware 2.2.6 or 2.3.4-1 is supported.
- Microsoft Windows 7, 8, 8.1 and 10 are supported.
- Apple iOS 10.3.2 is supported.
- Administrative access to the thuwall 2.0 and to the client devices is required.
- Linux or Windows system with OpenSSL installed.
- Microsoft OneDrive account or Apple Mail configured.

3.0 VPN Server

Log in to your thuwall 2.0 by opening its IP address in your web browser: https://<ip-address>

3.1 Firewall

To be able to establish IPsec connections to the thuwall 2.0, a few ports have to be allowed. These settings should already be configured by default; make sure they are still present and add them if they are not.

3.1.1 Allow ISAKMP

Open Firewall > Rules and click Add.

- Action: Pass
- Disabled:
- Interface: WAN
- Address Family: IPv4
- Protocol: UDP
- Source: any
- Destination: any
- Destination Port Range: From ISAKMP (500) To ISAKMP (500)
- Log:
- Description: ISAKMP

3.1.2 Allow IPsec NAT-T

Open Firewall > Rules and click Add.

- Action: Pass
- Disabled:
- Interface: WAN
- Address Family: IPv4
- Protocol: UDP
- Source: any
- Destination: any
- Destination Port Range: From IPsec NAT-T (4500) To IPsec NAT-T (4500)
- Log:
- Description: IPsec NAT-T

3.1.3 Allow traffic from IPsec

If you cannot see the IPsec option, come back after you have completed the whole of chapter 3.0.

Open Firewall > Rules > IPsec and click Add.

- Action: Pass
- Disabled:
- Interface: IPsec
- Address Family: IPv4
- Protocol: any
- Source: any
- Destination: any
- Log:
- Description: Allow Everything

Save the settings.

3.2 Certificates

3.2.1 Create the CA certificate

Open System > Cert Manager > CAs and click the + to add a new CA.

- Descriptive Name: YourCompany VPN Certificate Authority
- Method: Create an internal Certificate Authority
- Key length: 2048
- Digest Algorithm: sha256
- Lifetime (days): 9200
- Country Code: CH
- State or Province: ZH
- City: Buelach
- Organization: YourCompany
- Organizational Unit: IT-Datacenter
- Email Address: your_address@your_domain.com
- Common Name: YourCompany VPN Certificate Authority

Save the certificate.

3.2.2 Create the server certificate

Open System > Cert Manager > Certificates and click the + to add a new certificate.

- Method: Create an internal certificate
- Descriptive Name: YourCompany VPN Server Certificate
- Certificate Authority: YourCompany VPN Certificate Authority
- Key length: 2048
- Digest Algorithm: sha256
- Certificate Type: Server Certificate
- Lifetime (days): 3650
- Country Code: CH
- State or Province: ZH
- City: Buelach
- Organization: YourCompany
- Organizational Unit: IT-Datacenter
- Email Address: your_address@your_domain.com
- Common Name: [External DNS name of the thuwall 2.0]
- Add an alternative Name: Type: DNS, Value: [External DNS name of the thuwall 2.0 (yes, the same as the CN above)]
- Add another alternative Name: Type: DNS, Value: [External IP address of the thuwall 2.0 (yes, the same as the CN above)]

Save the certificate.

3.2.3 Create the user certificate

Only one user certificate is created here, and the 'person' is called 'user', but you should create a certificate for every user of the VPN and replace 'user' with a reasonable username.

Open System > Cert Manager > Certificates and click the + to add a new certificate.

- Method: Create an internal certificate
- Descriptive Name: YourCompany VPN User Certificate
- Certificate Authority: YourCompany VPN Certificate Authority
- Key length: 2048
- Digest Algorithm: sha256
- Certificate Type: User Certificate
- Lifetime (days): 3650
- Country Code: CH
- State or Province: ZH
- City: Buelach
- Organization: YourCompany
- Organizational Unit: IT-Datacenter
- Email Address: your_address@your_domain.com
- Common Name: vpn (replace with a valid username if there are to be multiple users)
- Add an alternative Name: Type: DNS, Value: vpn (same value as the Common Name)

Save the certificate.

3.2.4 Download the certificates

- Switch to the CAs tab and click the arrow for "export CA cert".
- Switch to the Certificates tab. For the server cert, click the arrow for "export cert".
- For the user cert, click both the "export cert" arrow and the "export key" arrow.

Create a PKCS12 container for the user cert on the command line of a system with OpenSSL installed:

openssl pkcs12 -export -in usercert.crt -inkey usercert.key -out usercert.p12

(Take a note of the password for the private key; you need it to import the certificate, see chapters 4.1.2 and 5.1.2.)

3.3 Configure the VPN

This part should be familiar. Delete any Mobile Client tunnel if you have one. Open VPN > IPsec > Tunnels.

Only firmware 2.2.6:

3.3.1 Mobile Clients

Open VPN > IPsec > Mobile clients. Ensure "Enable IPsec" is ticked.

- IKE Extensions: Checked
- User Authentication: Local Database
- Group Authentication: system
- Virtual Address Pool: Checked; provide a suitable private IP scope, one that is not your LAN
- Virtual IPv6 Address (..):
- Network List:
- Save Xauth Password:
- DNS Default Domain: Checked; set the domain name of the VPN LAN
- Split DNS:
- DNS Servers: Checked; specify your LAN DNS server IP
- WINS Servers: (check if required in your environment)
- Phase2 PFS Group:
- Login Banner: Feel free to add one if you like

Save the settings. Apply the changes and click the "Create Phase 1" banner button.

3.3.2 Phase 1

- Disabled:
- Key Exchange version: IKEv2
- Internet Protocol: IPv4
- Interface: WAN
- Description: Mobile Clients
- Authentication Method: EAP-TLS
- My identifier: Distinguished Name.
  Set the value to the DNS name of the thuwall 2.0, the same one you used when creating the server certificate.
- Peer identifier: Any
- My Certificate: YourCompany VPN Server Certificate
- Peer Certificate Auth(..): YourCompany VPN Certificate Authority
- Encryption algorithm: AES256
- Hash algorithm: SHA256
- DH key group: 14
- Lifetime: 28800
- Disable rekey:
- Disable Reauth:
- Responder Only: Checked
- MOBIKE: Enabled
- Split Connections:
- Dead Peer Detection: Checked; Delay: 10; Max failures: 5

Save the phase 1. Apply the changes.

3.3.3 Phase 2

Expand the Mobile Client phase 1 and click the + to add the phase 2.

- Disabled:
- Mode: Tunnel IPv4
- Local Network: Type: Network, Address: 0.0.0.0 / 0
- NAT/BINAT: Type: None
- Description: Mobile Clients
- Protocol: ESP
- Encryption algorithms: AES256
- Hash algorithms: SHA256
- PFS key group: 19
- Lifetime: 86400 seconds

Save the phase 2. Apply the changes.

4.0 Windows Client

4.1 Install certificates

Make sure you have the certificates from chapters 3.2.1 and 3.2.3 available.

4.1.1 Import Certificate Authority

Before you start, make sure you are logged on to Windows as a user with administrative privileges.

Right click the YourCompany+VPN+Certificate+Authority.crt certificate and select Install Certificate.
Select Open if a Security Warning pops up.

Select Local Machine as Store Location and click Next.

Select Place all certificates in the following store and browse to Trusted Root Certificate Authorities. Confirm with OK and click Next to proceed.
Click Finish to close the certificate import wizard. Click OK if successful.

4.1.2 Import User Certificate

Before you start, make sure you are logged on to Windows as the user who wants to use the VPN connection afterwards.

Right click the YourCompany+VPN+User+Certificate.crt certificate and select Install PFX.
Select Current User as Store Location and click Next.

Make sure the correct file is selected and click Next.
Enter the password you've specified in chapter 3.2.4, mark the key as exportable and include all extended properties.

Hint: To increase the security of your VPN tunnel, do not mark the key as exportable; in this case make sure you have safely stored your user certificate file.

Select Place all certificates in the following store and browse to Personal. Confirm with OK and click Next to proceed.
Click Finish to close the certificate import wizard. Click OK if successful.

4.2 Setup VPN connection

Right click the network icon in the taskbar and select Open Network and Sharing Center. Click Set up a new connection or network.
Select Connect to a workplace and click Next to proceed. Select Use my Internet connection (VPN).

Enter the DNS name of the thuwall 2.0, in our setups normally vpn.yourdomain.com. Remember my credentials can be checked, and Allow other people to use this connection should be checked as well.

Hint: For every person who wants to use this connection you have to repeat chapter 4.1.2.

4.3 Configure VPN connection
Right click the network icon in the taskbar and select Open Network and Sharing Center. Click Change adapter settings on the left side of the window. Right click your VPN connection and select Properties.

General tab: Make sure the DNS name of the thuwall 2.0 is configured.

Options tab: Make sure Idle time before hanging up is set to never.
Security tab: Make sure IKEv2 is selected, Data encryption is set to Maximum strength encryption and Authentication has been set to Microsoft: Smart Card or other certificate. Certificate Properties: Configure the settings as visible on the screenshot; make sure you select the Certificate Authority you've imported in chapter 4.1.1.

Uncheck Internet Protocol Version 6 (TCP/IPv6) and keep the default settings on the Sharing tab. Click OK to save and exit.

4.4 Enable AES256, DH2048 for Phase 1

Windows only supports weak cipher algorithms by default. We need to enable AES256 and DH Group 14 for phase 1. Add the following setting to the registry of your client:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
"NegotiateDH2048_AES256"=dword:00000002

The value selects the proposals Windows offers (MM = main mode / IKE SA, QM = quick mode / child SA):

Value | IKEv2 Security                                   | L2TP/IPsec (i.e., IKEv1)
None  | MM: IKE-DH2-3DES-SHA1, QM: ESP-3DES-SHA1(HMAC)   | MM: IKE-DH2-3DES-SHA1, QM: ESP-3DES-SHA1(HMAC)
0     | MM: IKE-DH2-3DES-SHA1, QM: ESP-3DES-SHA1(HMAC)   | MM: IKE-DH2-3DES-SHA1, QM: ESP-3DES-SHA1(HMAC)
1     | MM: IKE-DH14-AES256-SHA1, QM: AES256-SHA1(HMAC)  | MM: DH14-SHA1-AES128, QM: AES128-SHA1
2     | MM: IKE-DH14-AES256-SHA256, QM: AES256-SHA1(HMAC) | MM: DH14-SHA1-AES128, QM: AES128-SHA1
4.5 Enable AES256, ECP256 for Phase 2

HINT: This chapter has to be repeated every time a setting has been changed on the VPN connection!

Windows only supports weak cipher algorithms by default. We need to enable AES256 and DH Group 19 for phase 1. Execute the following PowerShell command line as a user with administrative privileges: search for powershell, right click Windows PowerShell and select Run as administrator. After PowerShell has launched, enter the following command. Make sure you replace the value of -ConnectionName with the name of your connection (see Destination Name in chapter 4.2).

Set-VpnConnectionIPsecConfiguration -ConnectionName "YourCompany GmbH" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup ECP256 -PfsGroup ECP256 -PassThru -AllUserConnection

4.6 Connect to VPN server
Click the network icon on the taskbar and select your new VPN connection. If you are asked for the certificate you want to use, select the certificate you've installed in chapter 4.1.2; normally the user certificate is called vpn. Click OK to connect.

5.0 Apple iOS

5.1 Install certificates

Make sure you have the certificates from chapters 3.2.1 and 3.2.3 uploaded to OneDrive.

5.1.1 Import Certificate Authority

Start the Safari web browser on your iPhone and connect to OneDrive (do not use the OneDrive app for iPhone!). Open: http://onedrive.live.com

Touch the YourCompany+VPN+Certificate+Authority.crt file. It will be opened with the iPhone's certificate installer. Select the Certificate Authority certificate; the iPhone certificate installer will be launched. Select Install to install the CA. After the installation is complete, select Done. You will be redirected to OneDrive.

5.1.2 Import User Certificate
Start the Safari web browser on your iPhone and connect to OneDrive (do not use the OneDrive app for iPhone!). Open: http://onedrive.live.com

Select the user certificate; the iPhone certificate installer will be launched. Select Install to install the user certificate. Enter the password you've specified in chapter 3.2.4 and select Next. After the installation is complete, select Done. You will be redirected to OneDrive.

5.2 Setup VPN connection

Go to Settings > General > VPN.
Select Add VPN Configuration and enter the details:

- Type: IKEv2
- Server: DNS name of the thuwall 2.0
- Remote ID: DNS name of the thuwall 2.0
- Local ID: Common Name of the user certificate, normally vpn
- User Auth(..): Certificate
- Certificate: Common Name of the user certificate, normally vpn

Select Done to save.

5.3 Connect to VPN server

Go to Settings > VPN. Select the connection you want to connect to and use the tickbox next to Status to establish the connection.