Configuring IPsec IKEv2 Remote Access VPN Clients on Windows
The ipsec-profile-wizard package on pfSense® Plus software generates a set of files which can automatically import VPN settings into Apple macOS and iOS (VPN > IPsec Export: Apple Profile) as well as Windows clients (VPN > IPsec Export: Windows).
This feature allows much greater flexibility in settings as it will configure clients to match what is set on the server specifically rather than making the server accommodate the default settings on various operating systems.
This package is exclusive to pfSense® Plus software and is not available on the community edition.
If the package is not already installed, add it using the Package Manager.
Windows 8 and newer support IKEv2 VPNs natively. Windows 7 supports them as well, though the steps are slightly different. The procedure in this section was performed on Windows 10 20H2, but earlier versions are similar.
The procedure to import certificates on Windows 7 can be found on the strongSwan Wiki.
Import the CA to the Client (All EAP types)
This step is necessary for all EAP types (EAP-MSCHAPv2, EAP-RADIUS, EAP-TLS).
Export the CA Certificate from the pfSense® software GUI and download or copy it to the client PC:
1. Navigate to System > Cert Manager, Certificate Authorities tab on the firewall
2. Click the icon next to the CA to download only the certificate
3. Locate the downloaded file on the client PC (e.g. VPNCA.crt) as seen in Figure Downloaded CA Certificate
4. Double click the CA file
5. Click Install Certificate… as shown in Figure Certificate Properties
6. Select Local Machine as shown in Figure Certificate Import Wizard - Store Location
7. Click Yes at the UAC prompt if it appears
8. Select Place all certificates in the following store as shown in Figure Certificate Import Wizard - Browse for the Store
9. Click Trusted Root Certification Authorities as shown in Figure Select Certificate Store
10. Review the details; they should match those in Figure Completing the Certificate Import Wizard
Import the CA and Client Certificate to the Client (EAP-TLS Only)
This process is only required for EAP-TLS which uses per-user client certificates. For EAP-MSCHAPv2 or EAP-RADIUS, skip to the next section.
1. Export the client certificate from the firewall and download it to the client PC:
   - Navigate to System > Cert Manager, Certificates tab
   - Click the edit icon next to the user certificate to edit it
   - Enter an Export Password known to the end user, which will encrypt the sensitive contents of the archive file
   - Click Export PKCS#12 to download a .p12 file containing the client certificate and key
2. Locate the downloaded .p12 file on the client PC
3. Double click the client certificate file
4. Select Current User
5. Click Yes at the UAC prompt if it appears
6. Confirm the proper file is selected
7. Enter the same Password used when exporting the PKCS#12 file
8. Click Yes to confirm adding the certificate data
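The same two imports can be scripted. The following is an added example, not part of the pfSense documentation or the ipsec-profile-wizard package: it places the CA in the machine-wide Trusted Root store and, for EAP-TLS, the PKCS#12 bundle in the current user's Personal store, then checks that the CA file really is a CA and that the client bundle came with its private key. The file paths are assumptions; VPNCA.crt is the page's own example name.

```powershell
# Added example (not from the pfSense documentation). Run from an elevated
# PowerShell session: writing to Cert:\LocalMachine\Root requires administrator rights.
$CaFile  = 'C:\Users\alice\Downloads\VPNCA.crt'   # assumed path; VPNCA.crt is the page's example file name
$P12File = 'C:\Users\alice\Downloads\alice.p12'   # assumed path for the exported client bundle (EAP-TLS only)

# 1. CA certificate -> Local Machine, Trusted Root Certification Authorities
$ca = Import-Certificate -FilePath $CaFile -CertStoreLocation 'Cert:\LocalMachine\Root'

# Sanity checks: a root CA is self-issued and carries the CA basic constraint.
if ($ca.Subject -ne $ca.Issuer) {
    throw "$CaFile is not self-signed, so it is not the root CA"
}
$bc = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "$CaFile does not carry the CA basic constraint"
}

# 2. EAP-TLS only: client certificate + key -> Current User, Personal store.
#    The password is the Export Password set on the firewall; prompt for it
#    rather than embedding it in the script.
$pw = Read-Host -Prompt 'PKCS#12 export password' -AsSecureString
$client = Import-PfxCertificate -FilePath $P12File -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pw

# 3. Verify the client certificate is usable and was issued by the CA just imported.
if (-not $client.HasPrivateKey) {
    throw 'Client certificate was imported without a private key; the .p12 is incomplete'
}
if ($client.Issuer -ne $ca.Subject) {
    Write-Warning "Client cert issuer ($($client.Issuer)) does not match the imported CA ($($ca.Subject))"
}

# Show what was installed so the thumbprint can be compared against the firewall.
Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object Thumbprint -eq $ca.Thumbprint |
    Format-List Subject, NotAfter, Thumbprint
```

Skip the second and third steps for EAP-MSCHAPv2 and EAP-RADIUS; only the CA import applies there.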
Set up the VPN Connection
Once the certificate has been properly imported it is time to create the client VPN connection. The exact steps will vary depending on the version of Windows being used by the client, but will be close to the following procedure which was perfo
Open Network & Internet Settings on the client PC
Click VPN on the left side
Click + Add a VPN connection
Set the fields as follows; example values are shown in Figure Windows IKEv2 VPN Connection Setup Screen:
- VPN Provider
- Connection Name: ExampleCo Mobile VPN
- Server Name or Address: This value must match the contents of the server certificate!
- VPN type
- Type of sign-in info: User name and password for EAP-MSCHAPv2 or EAP-RADIUS; Certificate for EAP-TLS
- Username, Password: Fill in values for this client when using EAP-MSCHAPv2 or EAP-RADIUS. Leave blank to be prompted by Windows.
The connection is now ready to use.
When making the first connection Windows may prompt to approve the server certificate. Check the certificate and then choose to proceed when prompted.
Disable EKU Check
When the CA and server certificates are generated properly this is not necessary. If an improperly generated server certificate must be used, then the Extended Key Usage check may need to be disabled on Windows.
Disabling this check also disables validation of the certificate common name and SAN fields, so it is potentially dangerous: any certificate issued by the same CA could then be presented as the server certificate. Proceed with caution.
To disable the extended key usage checks:
1. Open Registry Editor on the Windows client
2. Navigate to the following location in the client registry:
3. Add a new DWORD entry with the following attributes:
4. Reboot the client PC to ensure the new setting is activated
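Before reaching for the registry workaround, it is worth confirming what the server certificate actually contains, since the EKU check and the name check are the two things the workaround turns off. The function below is an added example, not from the pfSense documentation or the package. It assumes the server certificate has been exported from System > Cert Manager to a .crt file on the client, and that the hostname passed in is the value entered as Server Name or Address. It reports whether the certificate carries the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) and whether the hostname appears in the SAN or CN; if both are satisfied the certificate is properly generated and no EKU bypass is needed.

```powershell
# Added example (not from the pfSense documentation): inspect an exported
# server certificate for the properties Windows IKEv2 validation relies on.
function Test-VpnServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,    # .crt exported from System > Cert Manager (assumed location)
        [Parameter(Mandatory)][string]$VpnHost  # the Server Name or Address used in the VPN profile
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    # Extended Key Usage (OID 2.5.29.37): Windows expects id-kp-serverAuth on an IKEv2 server.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    }

    # Subject Alternative Name (OID 2.5.29.17): the name the client connects to must appear here.
    # On Windows, Format($true) renders one "DNS Name=host" line per entry.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($san) {
        $sanNames = @($san.Format($true) -split "`r?`n" |
            ForEach-Object { if ($_ -match 'DNS Name=(\S+)') { $matches[1] } })
    }

    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    [pscustomobject]@{
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        HasServerAuth  = $hasServerAuth
        SanDnsNames    = $sanNames
        HostInSan      = ($sanNames -contains $VpnHost)
        HostMatchesCn  = ($cn -eq $VpnHost)
        # True means the certificate is the "improperly generated" case the page describes.
        NeedsEkuBypass = -not $hasServerAuth
    }
}

# Example call with assumed values:
Test-VpnServerCertificate -Path 'C:\Users\alice\Downloads\vpn-server.crt' -VpnHost 'vpn.example.com'
```

If NeedsEkuBypass is true, the better fix is to reissue the server certificate on the firewall with the Server Certificate type so that the EKU and SAN are correct, rather than weakening validation on every client.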
Advanced Windows IPsec settings
With Windows 10 PowerShell cmdlets it is possible to change various advanced settings. The available commands are explained in the Microsoft PowerShell VpnClient module reference.
Enable split tunneling so that the client does not send all of its traffic across the VPN:
PS C:\> Set-VpnConnection -Name "ExampleCo Mobile VPN" -SplitTunneling $true
To add a VPN connection route that sends a specific subnet through the VPN, use:
PS C:\> Add-VpnConnectionRoute -ConnectionName "ExampleCo Mobile VPN" -DestinationPrefix 10.4.0.0/24
Replace ExampleCo Mobile VPN with the actual connection name, and replace 10.4.0.0/24 with the desired destination network. Repeat the add command for each network to route over the VPN.
For more information, see the PowerShell VpnClient module reference.
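The following is an added example, not from the pfSense documentation or the package, that creates the connection from PowerShell instead of the Settings UI and then applies the split-tunnel and route settings above in one rerunnable script. The server hostname and the second route prefix are assumptions; the connection name and 10.4.0.0/24 are the page's own values.

```powershell
# Added example (not from the pfSense documentation): scripted equivalent of
# the "Set up the VPN Connection" steps plus the advanced settings.
$Name   = 'ExampleCo Mobile VPN'                 # connection name from the page
$Server = 'vpn.example.com'                      # assumed; must match the server certificate's SAN/CN
$Routes = @('10.4.0.0/24', '10.5.0.0/24')        # 10.4.0.0/24 is the page's example; the second is assumed

# Create the IKEv2 connection once. -AuthenticationMethod Eap covers EAP-MSCHAPv2,
# EAP-RADIUS and EAP-TLS; the specific EAP method is chosen at first sign-in
# unless an EAP configuration XML is supplied with -EapConfigXmlStream.
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
        -AuthenticationMethod Eap -EncryptionLevel Required `
        -SplitTunneling -RememberCredential -PassThru
}

# Split tunneling: only traffic for the prefixes added below uses the tunnel.
Set-VpnConnection -Name $Name -SplitTunneling $true

# Add one route per internal network, skipping any that already exist so the
# script can be run again after adding a prefix to $Routes.
$existing = @((Get-VpnConnection -Name $Name).Routes | ForEach-Object { $_.DestinationPrefix })
foreach ($prefix in $Routes) {
    if ($existing -notcontains $prefix) {
        Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $prefix -PassThru
    }
}

# Review the resulting profile before handing it to a user.
Get-VpnConnection -Name $Name | Select-Object Name, ServerAddress, TunnelType,
    AuthenticationMethod, EncryptionLevel, SplitTunneling,
    @{ Name = 'Routes'; Expression = { $_.Routes.DestinationPrefix -join ', ' } }
```

Run it from an elevated PowerShell session. Because the profile is created with split tunneling enabled and only the listed prefixes routed, any network that must be reachable over the VPN has to be added to $Routes explicitly; everything else continues to leave the client directly.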