IKEv2 Roadwarrior VPN thuwall 2.0 with Firmware 2.2.6 & 2.3.4

Revision History
Revision  Date           Author          Description
1.0       05. July 2017  Tom Huerlimann  Initial Release
1.1       06. July 2017  Tom Huerlimann  Corrections

Index
1.0 Scope of document
2.0 Requirements
3.0 VPN Server
3.1 Firewall
3.1.1 Allow ISAKMP
3.1.2 Allow IPsec NAT-T
3.1.3 Allow traffic from IPsec
3.2 Certificates
3.2.1 Create the CA certificate
3.2.2 Create the server certificate
3.2.3 Create the user certificate
3.2.4 Download the certificates
3.3 Configure the VPN
3.3.1 Mobile Clients
3.3.2 Phase 1
3.3.3 Phase 2
4.0 Windows Client
4.1 Install certificates
4.1.1 Import Certificate Authority
4.1.2 Import User Certificate
4.2 Setup VPN connection
4.3 Configure VPN connection
4.4 Enable AES256, DH2048 for Phase 1
4.5 Enable AES256, ECP256 for Phase 2
4.6 Connect to VPN server
5.0 Apple iOS
5.1 Install certificates
5.1.1 Import Certificate Authority
5.1.2 Import User Certificate
5.2 Setup VPN connection
5.3 Connect to VPN server

1.0 Scope of document
This document describes the IPsec IKEv2 configuration of the thuwall 2.0 as VPN server and of Windows 10 / iOS 10 as VPN clients.

2.0 Requirements
- thuwall 2.0 with a static public IP address.
- thuwall 2.0 firmware 2.2.6 and 2.3.4-1 are supported.
- Microsoft Windows 7, 8, 8.1 and 10 are supported.
- Apple iOS 10.3.2 is supported.
- Administrative access to the thuwall 2.0 and to the client devices.
- A Linux or Windows system with OpenSSL installed.
- A Microsoft OneDrive account or Apple Mail configured (used to transfer the certificates to the iOS device).

3.0 VPN Server
Log in to your thuwall 2.0 by opening its IP address in your web browser: https://<ip-address>

3.1 Firewall
To establish IPsec connections to the thuwall 2.0, two UDP ports must be allowed on the WAN interface and traffic arriving through the tunnel must be permitted. These rules are normally present by default; check that they still exist and add them if they do not.

3.1.1 Allow ISAKMP
Open Firewall > Rules and click Add:
Action: Pass
Disabled: unchecked
Interface: WAN
Address Family: IPv4
Protocol: UDP
Source: any
Destination: any (restricting this to "WAN address" is tighter and works the same way)
Destination Port Range: From ISAKMP (500) To ISAKMP (500)
Log: unchecked
Description: ISAKMP

3.1.2 Allow IPsec NAT-T
Open Firewall > Rules and click Add:
Action: Pass
Disabled: unchecked
Interface: WAN
Address Family: IPv4
Protocol: UDP
Source: any
Destination: any (restricting this to "WAN address" is tighter and works the same way)
Destination Port Range: From IPsec NAT-T (4500) To IPsec NAT-T (4500)
Log: unchecked
Description: IPsec NAT-T

3.1.3 Allow traffic from IPsec
If the IPsec tab is not visible yet, come back to this step after you have completed the whole of chapter 3.0; the tab only appears once IPsec is enabled.
Open Firewall > Rules > IPsec and click Add:
Action: Pass
Disabled: unchecked
Interface: IPsec
Address Family: IPv4

Protocol: Any
Source: any
Destination: any
Log: unchecked
Description: Allow Everything
Save the settings. Note that this rule lets every connected VPN client reach everything behind the firewall; once the tunnel works, narrow the destination to the networks the clients actually need.

3.2 Certificates
3.2.1 Create the CA certificate
Open System > Cert Manager > CAs and click + to add a new CA:
Descriptive Name: YourCompany VPN Certificate Authority
Method: Create an internal Certificate Authority
Key length: 2048
Digest Algorithm: sha256
Lifetime (days): 9200
Country Code: CH
State or Province: ZH
City: Buelach
Organization: YourCompany
Organizational Unit: IT-Datacenter
Email Address: your_address@your_domain.com
Common Name: YourCompany VPN Certificate Authority
Save the certificate.

3.2.2 Create the server certificate
Open System > Cert Manager > Certificates and click + to add a new certificate:
Method: Create an internal certificate
Descriptive Name: YourCompany VPN Server Certificate
Certificate Authority: YourCompany VPN Certificate Authority
Key length: 2048
Digest Algorithm: sha256
Certificate Type: Server Certificate
Lifetime (days): 3650
Country Code: CH
State or Province: ZH
City: Buelach
Organization: YourCompany
Organizational Unit: IT-Datacenter
Email Address: your_address@your_domain.com
Common Name: [External DNS name of the thuwall 2.0]
Add an alternative name: Type: DNS, Value: [External DNS name of the thuwall 2.0] (yes, the same as the CN above)
Add another alternative name: Type: IP address, Value: [External IP address of the thuwall 2.0]
The clients verify the server's identity against this certificate: the name they connect to (chapters 4.2 and 5.2) must appear as a subject alternative name, and the type "Server Certificate" gives it the Server Authentication extended key usage that the Windows IKEv2 client requires on the server certificate.
Save the certificate.

3.2.3 Create the user certificate
Only one user certificate is created here, and the "person" is simply called "vpn". In practice, create a certificate for every user of the VPN and replace "vpn" with a sensible username. Because phase 1 (chapter 3.3.2) accepts any certificate issued by this CA, revoke the certificate of a lost device or a departed user (System > Cert Manager > Certificate Revocation) rather than just deleting it.
Open System > Cert Manager > Certificates and click + to add a new certificate:
Method: Create an internal certificate
Descriptive Name: YourCompany VPN User Certificate
Certificate Authority: YourCompany VPN Certificate Authority
Key length: 2048
Digest Algorithm: sha256

Certificate Type: User Certificate
Lifetime (days): 3650
Country Code: CH
State or Province: ZH
City: Buelach
Organization: YourCompany
Organizational Unit: IT-Datacenter
Email Address: your_address@your_domain.com
Common Name: vpn (replace with a valid username if there are multiple users)
Add an alternative name: Type: DNS, Value: vpn (the same value as the Common Name)
Save the certificate.

3.2.4 Download the certificates
- Switch to the CAs tab and click the "export CA cert" arrow.
- Switch to the Certificates tab. For the server certificate, click the "export cert" arrow.
- For the user certificate, click both the "export cert" arrow and the "export key" arrow.
Create a PKCS#12 container for the user certificate on the command line of a system with OpenSSL installed:

    openssl pkcs12 -export -in usercert.crt -inkey usercert.key -out usercert.p12

You are prompted for an export password; note it down, it is needed to import the private key (see chapters 4.1.2 and 5.1.2). With OpenSSL 3.x the default PKCS#12 encryption (AES-256-CBC with PBKDF2) is rejected by some Windows and iOS importers; if the import fails, add "-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1" to the command. The .p12 file contains the user's private key, so transfer and store it as carefully as a password.

3.3 Configure the VPN
This part should be familiar. Delete any existing Mobile Clients tunnel under VPN > IPsec > Tunnels if you have one.
Only firmware 2.2.6: on VPN > IPsec > Tunnels, ensure "Enable IPsec" is ticked.

3.3.1 Mobile Clients
Open VPN > IPsec > Mobile Clients:
IKE Extensions: checked (Enable IPsec Mobile Client Support)
User Authentication: Local Database
Group Authentication: system
Virtual Address Pool: checked; provide a suitable private IP range that is not your LAN
Virtual IPv6 Address Pool: unchecked
Network List: unchecked
Save Xauth Password: unchecked
DNS Default Domain: checked; set the domain name of the VPN LAN
Split DNS: unchecked
DNS Servers: checked; specify your LAN DNS server IP
WINS Servers: check if required in your environment
Phase 2 PFS Group: unchecked
Login Banner: add one if you like
Save the settings, apply the changes and click the "Create Phase 1" banner button.

3.3.2 Phase 1
Disabled: unchecked
Key Exchange version: IKEv2
Internet Protocol: IPv4
Interface: WAN
Description: Mobile Clients
Authentication Method: EAP-TLS
My identifier: Distinguished Name; set the value to the DNS name of the thuwall 2.0, the same as you used when making the server certificate

Peer identifier: Any
My Certificate: YourCompany VPN Server Certificate
Peer Certificate Authority: YourCompany VPN Certificate Authority
Encryption algorithm: AES256
Hash algorithm: SHA256
DH key group: 14
Lifetime: 28800
Disable rekey: unchecked
Disable Reauth: unchecked
Responder Only: checked
MOBIKE: Enabled
Split Connections: unchecked
Dead Peer Detection: checked; Delay: 10; Max failures: 5
Save the phase 1 and apply the changes.

3.3.3 Phase 2
Expand the Mobile Clients phase 1 and click + to add the phase 2:
Disabled: unchecked
Mode: Tunnel IPv4
Local Network: Type: Network, Address: 0.0.0.0 / 0 (a full tunnel: all traffic of the client is sent through the VPN)
NAT/BINAT: Type: None
Description: Mobile Clients
Protocol: ESP
Encryption algorithms: AES256
Hash algorithms: SHA256
PFS key group: 19
Lifetime: 86400 seconds (the phase 2 lifetime is normally chosen shorter than the phase 1 lifetime, e.g. 3600, so that the child SA is rekeyed more often than the IKE SA)
Save the phase 2 and apply the changes.

4.0 Windows Client
4.1 Install certificates
Make sure you have the CA certificate from chapter 3.2.1 and the user certificate as the PKCS#12 file created in chapter 3.2.4 available.
4.1.1 Import Certificate Authority
Before you start, make sure you are logged on to Windows as a user with administrative privileges.
Right click the YourCompany+VPN+Certificate+Authority.crt file and select Install Certificate.

Select Open if a security warning pops up. Select Local Machine as the store location and click Next. Select "Place all certificates in the following store" and browse to Trusted Root Certification Authorities. Confirm with OK and click Next to proceed.

Click Finish to close the certificate import wizard and OK if the import was successful.

4.1.2 Import User Certificate
Before you start, make sure you are logged on to Windows as the user who will use the VPN connection afterwards.
Right click the PKCS#12 file created in chapter 3.2.4 (usercert.p12, containing the user certificate and its private key) and select Install PFX.

Select Current User as the store location and click Next. Make sure the correct file is selected and click Next.

Enter the password you specified in chapter 3.2.4, decide whether to mark the key as exportable (see the hint) and tick "Include all extended properties".
Hint: To increase the security of your VPN tunnel, do not mark the key as exportable; the private key then cannot be copied out of the Windows certificate store. In that case make sure you have stored the .p12 file safely, since it is the only way to install the certificate again.
Select "Place all certificates in the following store" and browse to Personal. Confirm with OK and click Next to proceed.

Click Finish to close the certificate import wizard and OK if the import was successful.

4.2 Setup VPN connection
Right click the network icon in the task bar and select Open Network and Sharing Center. Click "Set up a new connection or network".

Select "Connect to a workplace" and click Next to proceed. Select "Use my Internet connection (VPN)". Enter the DNS name of the thuwall 2.0 as the Internet address, in our setups normally vpn.yourdomain.com; it must match a subject alternative name of the server certificate from chapter 3.2.2. "Remember my credentials" can be checked and "Allow other people to use this connection" should be checked as well.
Hint: Every person who wants to use this connection has to repeat chapter 4.1.2 with their own user certificate.

4.3 Configure VPN connection

Right click the network icon in the task bar and select Open Network and Sharing Center. Click "Change adapter settings" on the left side of the window. Right click your VPN connection and select Properties.
General tab: make sure the DNS name of the thuwall 2.0 is configured.
Options tab: make sure "Idle time before hanging up" is set to never.

Security tab: make sure IKEv2 is selected as the type of VPN, Data encryption is set to "Maximum strength encryption" and Authentication is set to "Microsoft: Smart Card or other certificate". In the certificate Properties, make sure the server's identity is verified by validating its certificate and select the Certificate Authority you imported in chapter 4.1.1 as the trusted root. Untick "Internet Protocol Version 6 (TCP/IPv6)" and keep the default settings on the Sharing tab. Click OK to save and exit.

4.4 Enable AES256, DH2048 for Phase 1
By default the Windows IKEv2 client only proposes DH group 2 with 3DES and SHA1, which the phase 1 of chapter 3.3.2 (AES256, SHA256, DH group 14) does not accept. Add the following value to the registry of the client and restart the computer:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
    "NegotiateDH2048_AES256"=dword:00000002

Meaning of the possible values (MM = main mode / IKE SA, QM = quick mode / child SA):

Value   IKEv2                                               L2TP/IPsec (i.e. IKEv1)
(none)  MM: IKE-DH2-3DES-SHA1, QM: ESP-3DES-SHA1(HMAC)      MM: IKE-DH2-3DES-SHA1, QM: ESP-3DES-SHA1(HMAC)
0       MM: IKE-DH2-3DES-SHA1, QM: ESP-3DES-SHA1(HMAC)      MM: IKE-DH2-3DES-SHA1, QM: ESP-3DES-SHA1(HMAC)
1       MM: IKE-DH14-AES256-SHA1, QM: AES256-SHA1(HMAC)     MM: DH14-SHA1-AES128, QM: AES128-SHA1
2       MM: IKE-DH14-AES256-SHA256, QM: AES256-SHA1(HMAC)   MM: DH14-SHA1-AES128, QM: AES128-SHA1

Value 2 matches the phase 1 of chapter 3.3.2. The quick mode proposal still uses SHA1 and no PFS; chapter 4.5 fixes that.

4.5 Enable AES256, ECP256 for Phase 2
HINT: This chapter has to be repeated every time a setting of the VPN connection has been changed in the GUI, because that resets the custom IPsec configuration.
Even with the registry value of chapter 4.4, Windows still proposes AES256 with SHA1 and no PFS for phase 2. Set the proposal to AES256 / SHA256 with PFS group 19 (ECP256) to match chapter 3.3.3. Execute the following PowerShell command as a user with administrative privileges: search for "powershell", right click Windows PowerShell and select "Run as administrator". Replace the -ConnectionName value with the name of your connection (the Destination name from chapter 4.2):

    Set-VpnConnectionIPsecConfiguration -ConnectionName "YourCompany GmbH" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup ECP256 -PfsGroup ECP256 -PassThru -AllUserConnection

-EncryptionMethod, -IntegrityCheckMethod and -DHGroup describe the IKE SA (phase 1), -CipherTransformConstants, -AuthenticationTransformConstants and -PfsGroup the ESP child SA (phase 2). -AllUserConnection is required because the connection was created for all users in chapter 4.2.

4.6 Connect to VPN server

Click the network icon on the task bar and select your new VPN connection. If you are asked which certificate to use, select the certificate you installed in chapter 4.1.2; normally the user certificate is called vpn. Click OK to connect.

5.0 Apple iOS
5.1 Install certificates
Make sure the CA certificate from chapter 3.2.1 and the user certificate as the PKCS#12 file created in chapter 3.2.4 are uploaded to OneDrive.
5.1.1 Import Certificate Authority
Start Safari on your iPhone and open OneDrive (do not use the OneDrive app for iPhone): http://onedrive.live.com
Tap the YourCompany+VPN+Certificate+Authority.crt file. The iPhone certificate installer is launched; select Install to install the CA. After the installation is complete, select Done. You will be returned to OneDrive.
5.1.2 Import User Certificate

Start Safari on your iPhone and open OneDrive (do not use the OneDrive app for iPhone): http://onedrive.live.com
Tap the user certificate file (the .p12 from chapter 3.2.4). The iPhone certificate installer is launched; select Install to install the user certificate. Enter the password you specified in chapter 3.2.4 and select Next. After the installation is complete, select Done. You will be returned to OneDrive. Delete the .p12 file from OneDrive afterwards, as it contains the user's private key.

5.2 Setup VPN connection
Go to Settings > General > VPN.

Select Add VPN Configuration and enter the details:
Type: IKEv2
Server: DNS name of the thuwall 2.0
Remote ID: DNS name of the thuwall 2.0 (must match "My identifier" of chapter 3.3.2 and a subject alternative name of the server certificate)
Local ID: Common Name of the user certificate, normally vpn
User Authentication: Certificate
Certificate: the user certificate, normally vpn
Select Done to save.

5.3 Connect to VPN server
Go to Settings > VPN. Select the connection you want to use and use the toggle next to Status to establish the connection.
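The certificate work of chapters 3.2.1 to 3.2.4, done with OpenSSL on the admin workstation instead of the thuwall 2.0 Cert Manager, as an added example that is not part of the original guide. It shows what the GUI must produce for the clients to accept the server (CA-signed certificate with the connected-to DNS name and IP as subject alternative names and the Server Authentication extended key usage), builds the user's PKCS#12 file with algorithms that older Windows and iOS importers accept, and checks both results the way the clients of chapters 4.3 and 5.2 do. It assumes OpenSSL 1.1.1 or later; vpn.yourdomain.com and the user name "vpn" come from the guide, the IP address 203.0.113.10 and the password "change-me" are placeholders of this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: reproduces the CA, server and
# user certificates of chapters 3.2.1 to 3.2.3 with OpenSSL and the PKCS#12
# export of chapter 3.2.4. Requires OpenSSL 1.1.1 or later.
set -euo pipefail

# Subject fields used by the guide (chapter 3.2).
SUBJ_BASE="/C=CH/ST=ZH/L=Buelach/O=YourCompany/OU=IT-Datacenter"

# make_vpn_pki DIR FQDN IP USER P12PASS
# Creates ca.crt/ca.key, server.crt/server.key, USER.crt/USER.key and USER.p12 in DIR.
make_vpn_pki() {
  local dir=$1 fqdn=$2 ip=$3 user=$4 p12pass=$5
  mkdir -p "$dir"

  # 3.2.1 CA: 2048-bit RSA, SHA-256, CA:TRUE, key usage limited to signing.
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" \
    -subj "$SUBJ_BASE/CN=YourCompany VPN Certificate Authority" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$dir/ca.ext"
  openssl x509 -req -sha256 -days 9200 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

  # 3.2.2 server certificate: CN = external DNS name, SANs = DNS name and IP
  # address, EKU serverAuth (what the type "Server Certificate" sets in the GUI
  # and what the Windows IKEv2 client requires on the responder's certificate).
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "$SUBJ_BASE/CN=$fqdn" 2>/dev/null
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$fqdn" "$ip" > "$dir/server.ext"
  openssl x509 -req -sha256 -days 3650 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

  # 3.2.3 user certificate: CN = username, EKU clientAuth (type "User
  # Certificate"), SAN DNS:<username> as the guide does.
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -keyout "$dir/$user.key" -out "$dir/$user.csr" \
    -subj "$SUBJ_BASE/CN=$user" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' \
    "$user" > "$dir/$user.ext"
  openssl x509 -req -sha256 -days 3650 -in "$dir/$user.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$user.ext" -out "$dir/$user.crt" 2>/dev/null

  # 3.2.4 PKCS#12 for the client import. PBE and MAC are pinned to SHA1/3DES
  # because the AES-256/PBKDF2 default of OpenSSL 3 is rejected by older Windows
  # and iOS importers. The CA is imported separately (chapters 4.1.1 / 5.1.1).
  openssl pkcs12 -export -in "$dir/$user.crt" -inkey "$dir/$user.key" \
    -name "$user" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$p12pass" -out "$dir/$user.p12"
}

# check_server_cert DIR FQDN: succeeds when server.crt chains to ca.crt, carries
# FQDN as a DNS SAN and has the serverAuth EKU, i.e. what the clients verify.
check_server_cert() {
  local dir=$1 fqdn=$2 txt
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  txt=$(openssl x509 -in "$dir/server.crt" -noout -text)
  [[ $txt == *"DNS:$fqdn"* && $txt == *"TLS Web Server Authentication"* ]]
}

# check_user_bundle DIR USER P12PASS: succeeds when the PKCS#12 opens with the
# password and holds a CA-signed certificate for USER with the clientAuth EKU.
check_user_bundle() {
  local dir=$1 user=$2 p12pass=$3 txt
  openssl pkcs12 -in "$dir/$user.p12" -passin "pass:$p12pass" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -out "$dir/$user.fromp12.crt" 2>/dev/null || return 1
  openssl verify -CAfile "$dir/ca.crt" "$dir/$user.fromp12.crt" >/dev/null 2>&1 || return 1
  txt=$(openssl x509 -in "$dir/$user.fromp12.crt" -noout -text)
  [[ $txt == *"CN = $user"* || $txt == *"CN=$user"* ]] \
    && [[ $txt == *"TLS Web Client Authentication"* ]]
}

# Usage with the guide's placeholders; 203.0.113.10 is a documentation address.
make_vpn_pki ./vpn-pki vpn.yourdomain.com 203.0.113.10 vpn 'change-me'
check_server_cert ./vpn-pki vpn.yourdomain.com && echo "server certificate OK"
check_user_bundle ./vpn-pki vpn 'change-me' && echo "user PKCS#12 OK"
```

Run check_server_cert against the certificate exported from the thuwall 2.0 as well: if the DNS name the clients dial is missing from the subject alternative names or the serverAuth EKU is absent, the Windows client rejects the server before any EAP-TLS exchange takes place.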