This article looks at IKEv2 client-to-site VPN and how to set it up in various scenarios and operating systems [USG FLEX / ATP / VPN Series]
Certificate, Windows, iOS, macOS, Android, IPsec Client, Configuration Provisioning, 2FA, Active Directory.
Table of Contents
What is IKEv2? (General Information about IKEv2)
1) Setup of IKEv2 with Default Profile (FLEX)
1.1 Configure IKEv2 VPN Connection & Gateway
1.2 Add the VPN users
2) Configure IKEv2 on the VPN client
2.1 IKEv2 with Android and iOS
2.2 IKEv2 with macOS
2.3 IKEv2 with Legacy SecuExtender IPsec Client (3.8)
2.4 IKEv2 with New SecuExtender IPsec Client [Windows / macOS]
3) Configure Two-Factor [2FA] Authentication [Google]
4) If something goes wrong
What is IKEv2? (General Information about IKEv2)
The abbreviation IKEv2 stands for Internet Key Exchange Protocol Version 2.
The protocol negotiates and manages the keys for IPsec-based virtual private networks (VPNs) and removes weaknesses of the previous version, IKEv1.
IKEv2 is not compatible with IKEv1 and replaces the older version.
The key features of IKEv2
Briefly summarized, these are the critical features of IKEv2:
Reduced complexity
Simpler and less error-prone configuration
Faster connection establishment (fewer round trips)
Faster tunnel re-establishment after network failures
Built-in NAT traversal (NAT-T), which removes the typical NAT problems
Fewer problems with dynamic IP addresses
Standardized in a single RFC (RFC 7296)
Support for mobile clients in IPsec VPNs (MOBIKE, RFC 4555)
Not backwards compatible with IKEv1
Uses the same UDP ports as IKEv1: UDP 500, and UDP 4500 when NAT traversal is in use
https://www.security-insider.de/was-ist-ikev2-a-781374/
1) Setup of IKEv2 with Default Profile (FLEX)
To use IKEv2, we must first add a VPN Gateway and a VPN Connection on our firewall.
In this case, we are using a USG FLEX.
We recommend choosing the strongest proposal your clients support (for example AES-256 with SHA-256 and DH group 14 or higher). Leave out DES, 3DES, MD5 and DH groups 1 and 2, and make sure the client offers the same algorithms, otherwise Phase 1 or Phase 2 will not negotiate.
1.1 Configure IKEv2 VPN Connection & Gateway
Configuration > VPN > IPSec VPN > VPN Gateway > Add
Here we need to add a VPN Gateway first (Phase 1).
1) Enable the Gateway and give it a name.
2) Choose IKE Version 2.
3) Choose the Certificate "default" (the firewall's own self-signed certificate). Clients must trust this certificate, so either export it and import it on every client, or use a certificate issued by a CA the clients already trust; its Common Name should match the address the clients connect to.
Configuration > VPN > IPSec VPN > VPN Connection > Add
Now we need to add the Connection (Phase 2).
1) Enable the new Connection.
2) Give it a name.
3) Choose Remote Access (Server Role).
4) Choose the Gateway (Phase 1) that we created before.
5) Under Local Policy, choose the network(s) the VPN users should be able to reach.
1.2 Add the VPN users
Add the VPN user(s) under Configuration > Object > User/Group and put them in a VPN user group for easier VPN management.
2) Configure IKEv2 on the VPN client
2.1 IKEv2 with Android and iOS
Please look at this article:
VPN - Configure IKEv2 IPSec with Certificate on Android / iPhone iOS / Windows / MacOS
2.2 IKEv2 with macOS
Please look at this article:
VPN - Configure IKEv2 IPSec with Certificate on Android / iPhone iOS / Windows / MacOS
2.3 IKEv2 with Legacy SecuExtender IPsec Client (3.8)
Remember that the legacy SecuExtender IPsec client has been End of Life since 30 April 2023; for more information, see this article:
SecuExtender VPN - Perpetual License End of Life [EoL] / Phase Out [Announcement]
In the client profile, Local ID = Certificate Common Name (of the default certificate).
The Tunnel is now open and ready to use.
An easier way to configure the client is described here: IKEv2 - Configuration Provisioning on Windows, Mac
2.4 IKEv2 with New SecuExtender IPsec Client [Windows / macOS]
For more information, please look at this article:
VPN - Configure IKEv2 VPN with Certificate using SecuExtender IPSec VPN Client
First, we need to set up Configuration Provisioning on the firewall:
Configuration > VPN > IPSec VPN > Configuration Provisioning
Please note! If you change the provisioning port, make sure to allow traffic from WAN to Device on that port in the firewall rules!
Then we need to set up the Configuration Payload (the addresses and DNS servers the gateway pushes to the clients):
Configuration > VPN > IPSec VPN > VPN Connection > Edit
In the SecuExtender IPsec VPN Client, go to:
Configuration > Get from Server
Enter the firewall address and the VPN user's credentials, then click "Next".
The configuration has now been retrieved from the firewall.
We can now open the tunnel.
3) Configure Two-Factor [2FA] Authentication [Google]
Configuration > VPN > IPSec VPN > VPN Gateway
Configuration > Object > User/Group > Edit User > Two-Factor Authentication
If you use 2FA by mail/SMS, you need to set up a mail server on the device:
Configuration > System > Notification
Configuration > Object > Auth. Method
Please make sure to allow the "Authorization Port" in the firewall rules from WAN to Device.
4) If something goes wrong
Make sure that these two services are running on your Windows PC.
Press Windows key + R:
Type "services.msc" and click OK:
Make sure that "IKE and AuthIP IPsec Keying Modules" (IKEEXT) and "IPsec Policy Agent" (PolicyAgent) are started:
VPN tunnel is established but the computer has no internet:
- By default, the Windows IKEv2 VPN client sends all traffic through the tunnel, so internet traffic stops while the VPN connection is active. A policy route needs to be added on the USG so that the IKEv2 VPN traffic can reach the WAN connection for internet access.
- Also make sure DNS servers are pushed to the VPN users, otherwise name resolution fails even though the tunnel is up. To check this, go to Configuration > VPN > IPSec VPN > VPN Connection, edit the IKEv2 rule and check the "Configuration Payload" setup.
- Make sure you have the latest firmware version on your firewall.
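As an added example that is not part of the original article (and not Zyxel's code), the following PowerShell builds the built-in Windows IKEv2 client against the gateway from section 1, pins strong IPsec algorithms so that the client cannot fall back to weak defaults, checks the two services named above, and applies split tunnelling as the client-side alternative to the policy route. The connection name, gateway address and internal network prefix are assumptions; replace them with your own and make sure the gateway's Phase 1 and Phase 2 proposals offer the same algorithms.

```powershell
# Added example, not from the Zyxel article: configure and harden the built-in
# Windows IKEv2 client for a USG FLEX remote-access gateway. Run in an elevated
# PowerShell. Names and addresses below are placeholders (assumptions).

$ConnectionName = 'Company IKEv2'       # assumed name of the VPN entry
$GatewayAddress = 'vpn.example.com'     # assumed: WAN address / certificate CN of the USG
$InternalPrefix = '192.168.1.0/24'      # assumed: the Local Policy network from section 1.1

# 1) The two services the article tells you to check. Both must be Running,
#    otherwise the client fails before the first IKE_SA_INIT packet is sent.
foreach ($svc in 'IKEEXT', 'PolicyAgent') {   # "IKE and AuthIP IPsec Keying Modules", "IPsec Policy Agent"
    if ((Get-Service -Name $svc).Status -ne 'Running') {
        Set-Service -Name $svc -StartupType Automatic
        Start-Service -Name $svc
    }
    '{0,-12} {1}' -f $svc, (Get-Service -Name $svc).Status
}

# 2) Create the IKEv2 connection. With the gateway's "default" certificate and a
#    VPN user from section 1.2, the user authenticates with EAP (EAP-MSCHAPv2 by
#    default) and the gateway with its certificate, so the gateway's certificate
#    (or its issuing CA) must be in the machine's Trusted Root Certification
#    Authorities store and its CN/SAN must match $GatewayAddress.
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnectionName `
        -ServerAddress $GatewayAddress `
        -TunnelType Ikev2 `
        -AuthenticationMethod Eap `
        -EncryptionLevel Required `
        -RememberCredential $false `
        -Force
}

# 3) Pin the IPsec proposal to strong algorithms. Windows' default IKEv2
#    proposal set still includes DH group 2 and SHA-1; the gateway's Phase 1
#    and Phase 2 proposals must contain this combination or negotiation fails.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -Force

# 4) "Tunnel is up but no internet" (section 4): Windows routes everything into
#    the tunnel by default. Either add the policy route on the USG as the
#    article says, or enable split tunnelling so that only the internal prefix
#    goes through the VPN. Split tunnelling leaves the client exposed to its
#    local network while connected, so choose this deliberately.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true -Force
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $InternalPrefix -PassThru

# 5) Show the result; dial it interactively with:  rasdial "Company IKEv2" <vpn-user>
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
(Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy
```

If the dial fails with an IKE policy mismatch, compare the algorithms in step 3 with the gateway's Phase 1 and Phase 2 proposals on the USG before touching anything else; if it fails on the certificate, check that the gateway certificate is in the machine (not user) Trusted Root store and that its Common Name matches the address you dial.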