IPsec Remote Access VPN Example Using IKEv2 with EAP-TLS

Mobile IPsec using IKEv2 with EAP-TLS enables per-user certificate authentication. To authenticate against the VPN, a user must have a valid certificate signed by a specific certificate authority (CA).

The basic setup is similar to IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2; this document focuses on the differences.

Setup Certificates

Per-user certificate authentication requires a certificate for the server and a set of certificates for the clients, one per user.

Note

While these do not have to share the same CA, it makes the process easier.

Create a Certificate Authority

If one is not already available, then the first task is to create a new Certificate Authority as described in Create a Certificate Authority.

Create a Server Certificate

Create a server certificate as described in Create a Server Certificate.

Create Client Certificates

  • Navigate to System > Cert Manager, Certificates tab

  • Click the Add (+) button to create a new certificate

  • Set the options as follows:

    Method

    Create an internal Certificate

    Descriptive Name

    A name associated with the client, for example client1.

    This is cosmetic only and does not affect the values placed in the certificate data.

    Certificate Authority

    Mobile IPsec CA

    Common Name

    The username associated with this user, for example client1. This is the identity the firewall sees when the client authenticates.

    Note

    The best practice is to use identifiers in username, hostname, or FQDN formats for this field.

    Certificate Type

    User Certificate

  • Change the other fields if desired to make the information more specific to the user.

  • Click Save

Repeat as needed for additional clients.

Set up Mobile IPsec for IKEv2+EAP-TLS

With the certificate structure prepared, the next task is to configure the necessary IPsec settings.

Most of this configuration is identical to IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2 and only the differences will be called out.

Mobile Clients

Configure as described in Mobile Client Settings.

Phase 1

Configure as described in Phase 1 but with the following changes:

Authentication method

EAP-TLS

Peer Identifier

Any

Peer Certificate Authority

Select the CA created previously for this purpose. With the Peer Identifier set to Any, this selection is the access control: any client presenting a valid certificate issued by this CA may authenticate, so use a CA dedicated to the VPN and revoke the certificates of departed users or lost devices.

Phase 2

Configure as described in Phase 2.

Add Firewall Rules for IPsec

Add firewall rules to pass traffic from clients as described in Firewall Rules.

Configure the Client

The server setup is complete, but the certificates must be imported on each client: the CA certificate, so the client can trust the server, and the user's own certificate together with its private key.

Client configuration for a variety of operating systems is covered in Configuring IPsec IKEv2 Remote Access VPN Clients (e.g. Configuring IPsec IKEv2 Remote Access VPN Clients on Windows).