Roaming Windows 10 IKEv2 with NetWall as CA server

Post by Siby » 25 Mar 2020, 19:15

This how-to applies to:
  • Clavister cOS core 12.x and up
Objectives with this article:
This how-to provides the steps to fully configure an IKEv2 roaming client by generating the gateway and root certificates on the Clavister firewall and using the Windows VPN client, without any third party.

Please note: this article is still a work in progress, but the process works. We will update it with more explanations soon.
Topics covered in this how-to:
1. How to generate CA certificate using NetWall WebUI.
2. How to generate CA signed Gateway certificate using NetWall WebUI.
3. How to set up roaming IKEv2 tunnel using Simplified Roaming IPsec profile.
3.1. How to Configure the DNS client.
4. How to set up Windows built-in VPN client.

1. How to generate CA certificate using NetWall WebUI
To generate the CA certificate, go to "Objects->Key Ring->Add->Certificate->Generate Certificate->Configure":

Figure 1.0.1 Configure the CA certificate

(1) Configure the CA certificate.

Figure 1.1.1 Generate the CA certificate

Warning: Generating certificates is very CPU intensive; generating the certificates below causes an E10 to stall for about 5 seconds.

(2) Input the certificate type as CA certificate.
(3) Replace the subject name with something suitable for the organization.
(CN=common name, OU=organizational unit, O=company name, L=province, C=country).
(4) Choose the public key type; in this example we will be using RSA with a key size of 2048 bits.
(5) Choose a suitable signature algorithm for the configuration; in this example we will be using SHA-512. This should result in a certificate like the one in Figure 1.2.1.
(6) Generate CA certificate.

Figure 1.2.1 Download the CA certificate

(7) Disable CRL checks (we cannot act as CRL).
(8) Download and save the certificate for later; it needs to be loaded into the Windows client's certificate store.
Important: Only the certificate, not the key.

2. How to generate CA signed Gateway certificate using NetWall WebUI
To generate the CA signed gateway certificate, go to "Objects->Key Ring->Add->Certificate->Generate Certificate->Configure":

Figure 2.0.1 Configure the gateway certificate

(1) Configure the gateway certificate.

Figure 2.1.1 Generate the gateway certificate

(2) Select the certificate type as End-Entity certificate.
(3) Replace the subject name with something suitable for the organization. Please note that the CN and Subject Alternative Name need to resolve to the public IP of the IKEv2 server (the firewall). This should result in a certificate like the one in Figure 2.2.1.
(4) Very important: enable the IKE Authentication option in the gateway certificate.
(5) Generate the gateway certificate.

Figure 2.2.1 The gateway certificate information

(6) Disable CRL checks (we cannot act as CRL).

3. How to set up roaming IKEv2 tunnel using Simplified Roaming IPsec profile
To set up the IKEv2 server interface, go to "Network->Interfaces and VPN->VPN AND TUNNELS->IPsec->Add->Roaming VPN (Simplified)":

Figure 3.0.1 Set up the IKEv2 server interface

(1) Enter the pre-defined IP Pool object, which is a dynamic object consisting of IP leases.
(2) The DNS address is the address of the DNS server we want the connected IKEv2 roaming client to use. We will use the external DNS server that we received from our ISP, but it could just as well be an internal DNS server; this is up to the administrator, depending on the scenario.
(3) Select the IKEv2 gateway certificate.
(4) Select the pre-defined CA certificate as root certificate.
(5) A local user database is stored directly in the cOS Core configuration file, so there is no need to contact an external server as with RADIUS or LDAP. By default there is one pre-defined local database called "AdminUsers". This is the database used when connecting to cOS Core using SSH or the WebUI. We can use this database if we so choose, but it is much better to create a new local database that is used specifically for our roaming clients (we also do not want our VPN users to be able to log in to the WebUI of the firewall).

3.1. How to Configure the DNS client
Go to "System->DEVICE SETTINGS->DNS":

Figure 3.1.1 Configure the DNS client settings.

To accomplish DNS resolution, cOS Core has a built-in DNS client that can be configured to use up to three IPv4 and/or IPv6 DNS servers. These are called the Primary Server, the Secondary Server and the Tertiary Server. For DNS to function, at least one server (the primary) must be configured. It is recommended to define at least two servers (a primary and a secondary) so that there is always a backup server available.

4. How to set up Windows built-in VPN client
We need to create the new VPN connection as shown by the following picture:

Figure 4.0.1 Set up the Windows built-in VPN client

(1) Select Windows (built-in) as the VPN provider.
(2) Important: Enter the VPN server name exactly as written in the Subject Alternative Name of the gateway certificate (Figure 2.1.1).
(3) Select IKEv2 as the VPN type.
(4) Select user name and password as the type of authentication, and use the pre-defined user from the local user database (IKEv2-users) you have created.

Important: Remember to add the CA certificate downloaded earlier (Figure 1.2.1) to the local client computer using the Microsoft Management Console, as described at https://support.securly.com/hc/en-us/ar ... on-Windows
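
The client-side steps of section 4 can also be scripted. The following is an added example, not part of the original post or Clavister documentation: it inspects the downloaded CA file before trusting it, imports it into the computer's Trusted Root store, and creates the IKEv2 connection. The file path, server name and connection name are placeholders, and mapping the GUI's "User name and password" choice to `-AuthenticationMethod Eap` is an assumption. Run it in an elevated PowerShell session.

```powershell
# Added example: the path, server name and connection name below are placeholders.
$CaFile     = 'C:\Temp\netwall-ca.cer'   # CA certificate saved in section 1, step (8) (assumed path)
$ServerName = 'vpn.example.com'          # must equal the SAN of the gateway certificate (placeholder)
$ConnName   = 'NetWall IKEv2'            # hypothetical connection name

# Load the file without touching any certificate store so it can be inspected first.
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaFile)

# "Only the certificate, not the key": the file handed to clients must not carry a private key.
if ($ca.HasPrivateKey) {
    throw "File contains a private key; export the certificate only."
}

# A root CA certificate is self-issued and is marked as a CA in Basic Constraints.
if ($ca.Subject -ne $ca.Issuer) {
    throw "Certificate is not self-signed: $($ca.Subject)"
}
$bc = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Basic Constraints does not mark this certificate as a CA."
}

# Record the thumbprint so the same CA can be confirmed on every client.
Write-Host "CA subject   : $($ca.Subject)"
Write-Host "CA thumbprint: $($ca.Thumbprint)"
Write-Host "Valid until  : $($ca.NotAfter)"

# The built-in IKEv2 client validates the gateway against the computer store,
# so the CA goes into LocalMachine\Root, not the current user's store.
Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Built-in provider, IKEv2 tunnel, user name and password via EAP, encryption required.
Add-VpnConnection -Name $ConnName -ServerAddress $ServerName `
    -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required

# Show the resulting profile for review.
Get-VpnConnection -Name $ConnName |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```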
