Using IKEv2 roaming without installing a certificate on the client

Frequently Asked Questions
Post Reply
Peter
Posts: 684
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Using IKEv2 roaming without installing a certificate on the client

Post by Peter » 19 May 2020, 11:05

This FAQ applies to:
  • cOS Core version 13 and up.

Question:
I want to use the IKEv2 client in e.g. Windows, but i do not want to install a certificate on all my clients. Is there a way to bypass this requirement?

Answer:
Using PSK (pre-shared key) for the IKEv2 tunnel in Windows is not possible as it only supports the use of certificates. But if you use a certificate in the Firewall that is already trusted by e.g. Windows, there would be no need to install a separate certificate on the client.

An example would be to use a certificate that is signed by an certificate authority (CA) that is by default trusted by the client (e.g. VeriSign, GeoTrust, Go Daddy etc) similar as to the certificate used on any HTTPS webpage on the Internet. By installing/using such a certificate in the Firewall, it will be by default trusted by the client and there would be no need to install a separate certificate and only a username/password would be needed by the client.

Please note however that the certificate property used in the Firewall still needs to contain the DNS entry for the VPN server in order for the client to be able to connect. The DNS entry must also be able to be resolved to the IP of the Firewall (by the client).

Summary: Depending on the CA used, you may need up to 3 certificates in the Firewall for this to work (Root, Intermediate (if used) and Gateway certificate).

More information about IKEv2 tunnel setup can be found in the admin guide and/or the following How-To's:

viewtopic.php?f=8&t=23423
viewtopic.php?f=8&t=6037
viewtopic.php?f=8&t=5447

Note-1: We assume that no existing trusted certificate authority has been changed/removed on the client machine.
Note-2: Currently we have tested this with ZeroSSL and LetsEncrypt but it may be subject to change. As long as the client machine has the CA in it's trusted list (and that the certficiate can be used by IPSec) it should be fine to use (as long as you also have the DNS entry mentioned above)

Post Reply