IPsec Remote Access VPN Example Using IKEv2 with EAP-TLS
Mobile IPsec using IKEv2 with EAP-TLS enables per-user certificate authentication. To authenticate against the VPN, a user must have a valid certificate signed by a specific certificate authority (CA).
The basic setup is similar to IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2, so this document focuses on the differences.
Setup Certificates
Per-user certificate authentication requires a certificate for the server and a set of certificates for the clients.
Note
While these do not have to share the same CA, it makes the process easier.
Create a Certificate Authority
If one is not already available, then the first task is to create a new Certificate Authority as described in Create a Certificate Authority.
Create a Server Certificate
Create a server certificate as described in Create a Server Certificate.
Create Client Certificates
Navigate to System > Cert Manager, Certificates tab
Click Add to create a new certificate
Set the options as follows:
- Method: Create an internal Certificate
- Descriptive Name: A name associated with the client, for example client1. This is cosmetic only, so it does not affect values placed in the certificate data.
- Certificate Authority: Mobile IPsec CA
- Common Name: The username associated with this user, for example client1.
Note
The best practice is to use identifiers in username, hostname, or FQDN formats for this field.
- Certificate Type: User Certificate
Change the other fields if desired to make the information more specific to the user.
Click Save
Repeat as needed for additional clients.
Set up Mobile IPsec for IKEv2+EAP-TLS
With the certificate structure prepared, the next task is to configure the necessary IPsec settings.
Most of this configuration is identical to IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2 and only the differences will be called out.
Mobile Clients
Configure as described in Mobile Client Settings.
Add Firewall Rules for IPsec
Add firewall rules to pass traffic from clients as described in Firewall Rules.
Configure the Client
The server setup is complete, but the certificates must be imported to the client.
Client configuration for a variety of operating systems is covered in Configuring IPsec IKEv2 Remote Access VPN Clients (e.g. Configuring IPsec IKEv2 Remote Access VPN Clients on Windows).