VPN - Configure IKEv2 with Certificate [On-Premise Firewall with 2FA]

This article looks at IKEv2 client-to-site VPN and how to set it up in various scenarios and operating systems [USG FLEX / ATP / VPN Series].
Certificate, Windows, iOS, macOS, Android, IPsec Client, Configuration Provisioning, 2FA, Active Directory.

Table of Contents

What is IKEv2? (General Information about IKEv2)

1) Setup of IKEv2 with Default Profile (FLEX)

1.1 Configure IKEv2 VPN Connection & Gateway

1.2 Add the VPN users

2) Configure IKEv2 on the VPN client

2.1 IKEv2 with Android and IOS

2.2 IKEv2 with macOS

2.3 IKEv2 with Legacy SecuExtender IPsec Client (3.8)

3) Configure Two-Factor [2FA] Authentication [Google]

4) If something goes wrong

What is IKEv2? (General Information about IKEv2)

The abbreviation IKEv2 stands for Internet Key Exchange Protocol Version 2.

The protocol is used for key management in IPsec-based virtual private networks (VPNs) and eliminates weaknesses of the previous version IKE.

IKEv2 is not compatible with IKE and replaces the older version.

The key features of IKEv2
Briefly summarized, these are the critical features of IKEv2:

Reduced complexity
More straightforward and less error-prone configuration
Faster connection establishment
Faster tunnel reconstruction after network failures
Elimination of typical NAT problems
Fewer problems with dynamic IP addresses
Standardized in a single RFC
Support for mobile applications in IPsec VPNs
Not backwards compatible with IKE
It uses the same UDP port as IKE

https://www.security-insider.de/was-ist-ikev2-a-781374/

1) Setup of IKEv2 with Default Profile (FLEX)

To use IKEv2, we must first add a Gateway and Connection to our Firewall.
In this case, we are using a USG FLEX.

We recommend choosing the strongest encryption that your client device supports.

1.1 Configure IKEv2 VPN Connection & Gateway

Configuration > VPN > IPSec VPN > VPN Gateway > Add

Here we need to add a VPN Gateway first (Phase 1).


1) Enable the Gateway and give it a name.

2) Choose IKE Version 2

3) Choose Certificate "default"


Configuration > VPN > IPSec VPN > VPN Connection > Add

Now we need to add the Connection (Phase 2)


1) Enable the New Connection

2) Give it a Name

3) Choose Remote access (Server Role)

4) Choose the Gateway (Phase 1) that we created before

5) As per local policy, we choose the network we want to access.


1.2 Add the VPN users


Add the VPN user(s) to a VPN user group for easier VPN management


2) Configure IKEv2 on the VPN client

2.1 IKEv2 with Android and IOS

Please look at this article:

VPN - Configure IKEv2 IPSec with Certificate on Android / iPhone iOS / Windows / MacOS

2.2 IKEv2 with macOS

Please look at this article:

VPN - Configure IKEv2 IPSec with Certificate on Android / iPhone iOS / Windows / MacOS

2.3 IKEv2 with Legacy SecuExtender IPsec Client (3.8)

Remember that the legacy SecuExtender IPsec client has been End of Life (EoL) since 30 April 2023. For more information, look at this article:

SecuExtender VPN - Perpetual License End of Life [EoL] / Phase Out [Announcement]

Local ID = Certificate Common Name (Default Certificate)

The Tunnel is now open and ready to use.
An easier way to configure the client is described here: IKEv2 - Configuration Provisioning on Windows, Mac

2.4 IKEv2 with New SecuExtender IPsec Client [Windows / MacOS]

For more information, please look at this article:

VPN - Configure IKEv2 VPN with Certificate using SecuExtender IPSec VPN Client

First, we need to set up the "Configuration Provisioning."

Configuration > VPN > IPSec VPN > Configuration Provisioning

Please note! If you change the Provisioning Port, make sure to allow the Traffic from WAN to Device in the Firewall!


Then we need to set up the "Configuration Payload".

Configuration > VPN > IPSec VPN > VPN Connection > Edit


In the IPSec VPN Client, go to:

Configuration > Get from Server


Now we enter the needed credentials and click "Next".

The configuration has been retrieved successfully.


We can now go on and open the tunnel.
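Section 4 of this article refers to the Windows built-in IKEv2 client rather than SecuExtender. As an added example (not part of this article, of the SecuExtender client, or of Zyxel's own tooling), the PowerShell script below creates that built-in profile against a gateway that authenticates with its certificate and authenticates users with EAP. The gateway name vpn.example.com, the connection name, the exported certificate file name and the proposal values are assumptions; replace them with your own values and with the proposals you configured on the firewall.

```powershell
# Added example (not from the Zyxel article): create a Windows built-in IKEv2 profile
# for a USG FLEX gateway that authenticates with its certificate; users log in via EAP.
# Assumptions (placeholders, not from the article):
#   vpn.example.com       - the gateway's WAN hostname; it should match the Common Name
#                           of the gateway certificate (the "Local ID" on the firewall side)
#   .\gateway-default.cer - the firewall's "default" certificate, exported from the device
# Run in an elevated PowerShell (importing into the LocalMachine store needs admin rights).

$Server   = 'vpn.example.com'
$VpnName  = 'USG FLEX IKEv2'
$CertFile = '.\gateway-default.cer'

# 1) The firewall's "default" certificate is self-signed, so Windows does not trust it
#    until it sits in the machine's Trusted Root store. Without this step the client
#    typically fails IKE_AUTH with error 13801 (authentication credentials unacceptable).
Import-Certificate -FilePath $CertFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2) Create the connection for all users of the machine. -SplitTunneling is deliberately
#    not set: as section 4 explains, all traffic then goes through the tunnel and the
#    USG needs a policy route so VPN users still reach the internet.
Add-VpnConnection -Name $VpnName `
                  -ServerAddress $Server `
                  -TunnelType Ikev2 `
                  -AuthenticationMethod Eap `
                  -EncryptionLevel Required `
                  -RememberCredential `
                  -AllUserConnection `
                  -Force

# 3) Pin the IPsec proposal instead of relying on the Windows default. These values are
#    an example and must match what is configured on the VPN Gateway (Phase 1) and
#    VPN Connection (Phase 2); a mismatch shows up client-side as a policy-match error.
Set-VpnConnectionIPsecConfiguration -ConnectionName $VpnName `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 `
    -AllUserConnection `
    -Force

# 4) Show the resulting profile. Connect afterwards with the VPN user's credentials, e.g.:
#    rasdial "USG FLEX IKEv2" <vpn-user> <password>
Get-VpnConnection -Name $VpnName -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
```

Step 3 is where the "highest possible encryption" advice from section 1 is enforced on the client side: whatever you pick here has to be one of the proposals the VPN Gateway and VPN Connection offer, otherwise the tunnel never gets past IKE_SA_INIT.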


3) Configure Two-Factor [2FA] Authentication [Google]

Configuration > VPN > IPSec VPN > VPN Gateway


Configuration > Object > User/Group > Edit User > Two-Factor Authentication


If you use 2FA by mail/SMS, you need to set up a mail server on the device.

Configuration > System > Notification


Configuration > Object > Auth. Method

Make sure to allow the "Authorisation Port" in the firewall (WAN to Device).


4) If something goes wrong

Make sure that these two services are running on your Windows PC:

Press the Windows key + R, type "services.msc" and click OK.

Make sure that the IKE and IPsec Policy services are started (in the Services list they appear as "IKE and AuthIP IPsec Keying Modules" and "IPsec Policy Agent").

VPN tunnel is established but the computer has no internet:

  • By default, the Windows IKEv2 VPN client sends all traffic through the tunnel, so internet traffic stops while the VPN connection is active. A policy route needs to be added on the USG to allow the IKEv2 VPN traffic to reach the WAN connection for internet traffic.

  • Also make sure DNS entries were added for the VPN users. To check this, go to Configuration > VPN > IPSec VPN > VPN Connection, edit the IKEv2 rule and check the "Configuration Payload" setup.

  • Make sure you have the latest firmware version on your firewall.
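The checks in this section, written as a PowerShell script. This is an added example and not part of the Zyxel article; it assumes the Windows connection is named "USG FLEX IKEv2" (a placeholder) and needs an elevated shell only if a stopped service has to be started. The error-code hints at the end are Windows RasClient codes and what they usually indicate for an IKEv2 client-to-site setup like the one described here.

```powershell
# Added example (not from the Zyxel article): section 4's troubleshooting steps as a script.
# Assumption: the Windows VPN connection is called 'USG FLEX IKEv2' (placeholder).
$VpnName = 'USG FLEX IKEv2'

# 1) The two Windows services the built-in IKEv2 client depends on. Both are
#    "Manual" start and must be Running while connecting.
$Required = @{
    'IKEEXT'      = 'IKE and AuthIP IPsec Keying Modules'
    'PolicyAgent' = 'IPsec Policy Agent'
}
foreach ($svc in $Required.GetEnumerator()) {
    $s = Get-Service -Name $svc.Key -ErrorAction Stop
    if ($s.Status -ne 'Running') {
        Write-Warning "$($svc.Value) is $($s.Status); starting it"
        Start-Service -Name $svc.Key          # needs an elevated shell
    } else {
        Write-Host "OK  $($svc.Value) is running"
    }
}

# 2) Is the tunnel up, and is all traffic sent through it (the "no internet" case)?
$conn = Get-VpnConnection -Name $VpnName -AllUserConnection -ErrorAction SilentlyContinue
if (-not $conn) { $conn = Get-VpnConnection -Name $VpnName -ErrorAction Stop }
"Status: $($conn.ConnectionStatus)   SplitTunneling: $($conn.SplitTunneling)"
if ($conn.ConnectionStatus -eq 'Connected' -and -not $conn.SplitTunneling) {
    "Full tunnel: internet traffic goes via the VPN, so the USG needs a policy route VPN -> WAN"
}

# 3) DNS servers handed out by the firewall's Configuration Payload.
#    An empty list means the payload on the VPN Connection rule is incomplete.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object InterfaceAlias -eq $VpnName |
    Select-Object InterfaceAlias, ServerAddresses

# 4) Last client-side failures with a hint per common IKEv2 reason code.
$Hints = @{
    809   = 'No reply from the gateway: UDP 500/4500 blocked (check the WAN to Device rule) or wrong server address'
    13801 = 'Gateway certificate not trusted by this PC, or its name does not match the server address'
    13806 = 'No valid client machine certificate (only relevant for machine-certificate authentication)'
    13868 = 'Proposal mismatch between Windows and the VPN Gateway / VPN Connection settings'
}
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient' } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'error code returned on failure is (\d+)') {
            $code = [int]$Matches[1]
            '{0:u}  code {1}  {2}' -f $_.TimeCreated, $code, $Hints[$code]
        }
    }
```

Step 2 reproduces the situation this section describes: a connected tunnel with SplitTunneling set to False means Windows routes everything, including internet traffic, to the USG, which is why the policy route on the firewall is needed rather than a change on the client.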