IPsec Remote Access VPN Example Using IKEv2 with EAP-TLS¶
Mobile IPsec using IKEv2 with EAP-TLS enables per-user certificate authentication. To authenticate against the VPN, a user must have a valid certificate signed by a specific certificate authority (CA).
The basic setup is similar to IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2, so this document focuses on the differences.
Per-user certificate authentication requires a certificate for the server and a set of certificates for the clients, one per user.
While these do not have to share the same CA, issuing both from one CA makes the process easier.
Create a Server Certificate¶
Create a server certificate as described in Create a Server Certificate.
Create Client Certificates¶
Navigate to System > Cert Manager, Certificates tab
Click to create a new certificate
Set the options as follows:
Create an internal Certificate
- Descriptive Name
A name associated with the client, for example
This is cosmetic only, so it does not affect values placed in the certificate data.
- Certificate Authority
Mobile IPsec CA
- Common Name
The username associated with this user, for example
The best practice is to use identifiers in username, hostname, or FQDN formats for this field.
- Certificate Type
Change the other fields if desired to make the information more specific to the user.
Repeat as needed for additional clients.
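The two certificate sections above, worked on the command line with OpenSSL as an added example. This is not code from the pfSense Cert Manager; it builds the same structure (one CA, a server certificate, per-user client certificates) so the pieces can be inspected, and it applies the check the VPN server makes: the client certificate must chain to the selected CA and be usable for client authentication. The names (Mobile IPsec CA, vpn.example.com, the users alice and mallory), the WORK directory and the PKCS#12 password are assumptions.

```shell
#!/bin/sh
# Added example (not from the pfSense docs): build the certificate structure
# for IKEv2 EAP-TLS with OpenSSL. Names, WORK directory and the PKCS#12
# password are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Sign a CSR ($1) into $2 with the Mobile IPsec CA, applying the OpenSSL
# extension file $3.
sign_with_ca() {
  openssl x509 -req -in "$1" -out "$2" -extfile "$3" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 825 -sha256 >/dev/null 2>&1
}

# The "Mobile IPsec CA": a self-signed certificate with CA:TRUE and keyCertSign.
make_ca() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.csr" -subj "/CN=Mobile IPsec CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -days 3650 -sha256 -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Server certificate: CN and SAN carry the name clients connect to, and the
# EKU is serverAuth so clients accept it as a VPN server.
make_server_cert() {
  host="$1"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=$host" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" \
    > "$WORK/server.ext"
  sign_with_ca "$WORK/server.csr" "$WORK/server.crt" "$WORK/server.ext"
}

# Client certificate: CN is the username, EKU is clientAuth only. The PKCS#12
# bundle (private key + certificate + CA) is what gets imported on the client.
make_client_cert() {
  user="$1"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$user.key" \
    -out "$WORK/$user.csr" -subj "/CN=$user" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$WORK/client.ext"
  sign_with_ca "$WORK/$user.csr" "$WORK/$user.crt" "$WORK/client.ext"
  openssl pkcs12 -export -in "$WORK/$user.crt" -inkey "$WORK/$user.key" \
    -certfile "$WORK/ca.crt" -name "$user" -passout pass:changeit \
    -out "$WORK/$user.p12" >/dev/null 2>&1
}

# A certificate that is fine for client auth but was NOT issued by the
# Mobile IPsec CA (self-signed here). The server must reject it.
make_rogue_client_cert() {
  user="$1"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$user.key" \
    -out "$WORK/$user.csr" -subj "/CN=$user" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$WORK/rogue.ext"
  openssl x509 -req -in "$WORK/$user.csr" -signkey "$WORK/$user.key" \
    -extfile "$WORK/rogue.ext" -days 825 -sha256 -out "$WORK/$user.crt" >/dev/null 2>&1
}

# The check the VPN server applies to a presented certificate: it must chain
# to the Mobile IPsec CA and be valid for client authentication.
# Exit status 0 means accepted.
verify_client() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/$1.crt" >/dev/null 2>&1
}

# The identity the server sees for a client: the subject, e.g. "CN=alice".
client_identity() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Usage:
#   make_ca; make_server_cert vpn.example.com; make_client_cert alice
#   verify_client alice && echo "alice accepted: $(client_identity alice)"
#   make_rogue_client_cert mallory; verify_client mallory || echo "mallory rejected"
```

Two rejections are worth trying: a certificate from a different CA (mallory above) fails the chain check, and the server certificate itself fails `-purpose sslclient` because its EKU is serverAuth, which is why the client and server certificates get different extended key usages. Only the `.p12` bundle and the CA certificate leave the CA host; the CA private key stays there.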
Set up Mobile IPsec for IKEv2+EAP-TLS¶
With the certificate structure prepared, the next task is to configure the necessary IPsec settings.
Most of this configuration is identical to IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2 and only the differences will be called out.
Configure as described in Phase 1 but with the following changes:
- Authentication method
- Peer Identifier
- Peer Certificate Authority
Select the CA created previously for this purpose.
Add Firewall Rules for IPsec¶
Add firewall rules to pass traffic from clients as described in Firewall Rules.
Configure the Client¶
The server setup is complete, but the CA certificate and each user's certificate with its private key must still be imported on that user's client.
Client configuration for a variety of operating systems is covered in Configuring IPsec IKEv2 Remote Access VPN Clients. (e.g. Configuring IPsec IKEv2 Remote Access VPN Clients on Windows).