IKEv2 roaming tunnel with certificate using iOS


Post by mape » 17 May 2017, 14:51

This how-to applies to:
  • Clavister cOS core 11.x and up

This how-to assumes that you already have a working gateway certificate, a root certificate and a RADIUS server; we are using Windows NPS in this guide.

Topics covered in this how-to:
  • The Preparation for the IKEv2 Tunnels
  • The configuration of the NPS to accept the iOS request.
  • The configuration used in the Clavister Next Generation Firewall.
  • IP Policies for both the Simplified and the Regular IKEv2_Roaming Tunnel.
  • Configuring the iOS device.

The Preparation for the IKEv2 Tunnels

Four things need to be prepared before we start setting up the tunnel: the Address Book object, the Config Mode Pool, the algorithms and the RADIUS server.

First, we create the Address Book object (IPsec_range) that the pool will use:
[Image: IP Addresses Regular IKEv2_Roaming Tunnel.png]

Second, we prepare the Config Mode Pool:
[Image: Config Mode Pool Regular IKEv2_Roaming Tunnel.png]
  1. Select a fitting name for the pool; we named it ConfigModePool.
  2. Select "Static IP Pool".
  3. Choose the IPsec_range object that we created in the previous step.
  4. As our IP pool covers almost an entire /24 net, we go with 255.255.255.0 as our netmask.
  5. Select the DNS server the clients will use; here we select Google's DNS (8.8.8.8).

Third, we create the Algorithms object for the IPsec tunnel:
[Image: Algorithms Regular IKEv2_Roaming Tunnel.png]
  1. First set a name; we use AES-SHA1-512 to represent the algorithms that we are using.
  2. Select AES as the encryption algorithm.
  3. As integrity algorithms we select SHA1 through SHA512.
NOTE: We are using the same algorithms object for both the IKE and the IPsec phase.
NOTE2: It's possible to allow only SHA256 and higher for the IKE phase, but for the IPsec phase you will need SHA1, as SHA1 and MD5 are the only proposals sent by iOS.

NOTE: If you're using a Local User Database, the next steps can be skipped.

Fourth, we create the RADIUS Server object:
[Image: Radius Server IKEv2_Roaming Tunnel.png]
(We are using a Windows 2012 R2 server as our RADIUS server.)
  1. Name the RADIUS server as you like; we name it Win_12_Radius.
  2. Select the IP of the Windows/RADIUS server.
  3. Enter the shared secret.
  4. Confirm the shared secret.
NOTE: The other settings are left at their defaults.

NOTE: If you're using a Local User Database, the next steps can be skipped.

The configuration of the NPS/Windows RADIUS Server to accept the iOS request

Two things need to be done on the NPS for this to work.
[Image: Connection Request Policy.png]
1. On the Connection Request Policy, under Settings -> Authentication Methods:
Activate "Override network policy authentication settings" and add "Microsoft: Secure Password (EAP-MSCHAP v2)" as an EAP Type.
[Image: Network Policy.png]
2. On the Network Policy, under Constraints -> Authentication Methods:
Add "Microsoft: Secure Password (EAP-MSCHAP v2)" as an EAP Type here as well.


The configuration used in the Clavister Next Generation Firewall

We will set up both a Simplified IPsec roaming tunnel and a Regular IKEv2 IPsec roaming tunnel.

Let's start with the Simplified IPsec Roaming Tunnel:
A simplified tunnel requires minimal configuration to work; it hides the more advanced settings and is pre-configured to connect with iOS, macOS and Windows clients using IKEv2 and EAP-MSCHAPv2.

There are seven things to configure in order to get the Simplified tunnel working.
[Image: Simplified IKEv2_Roaming Tunnel.png]
  1. Specify the name for the IKEv2 IPsec tunnel; we are calling it IKEv2_Roaming_Tunnel.
  2. Specify the IP pool that we created earlier in this guide.
  3. The DNS server that the clients will use; we simply specify Google's DNS (8.8.8.8).
  4. The gateway certificate.
  5. The root certificate.
  6. Select the authentication source; in this how-to we are using RADIUS, although a Local User Database is also fine.
  7. Lastly, specify the RADIUS server that we created earlier, or the Local User Database if you're using that.


Let's continue with the "Regular" configured IKEv2 Roaming Tunnel:
The Regular IKEv2 roaming tunnel requires more configuration, and all the advanced options are visible.

General:
[Image: General Regular IKEv2_Roaming Tunnel.png]
  1. Choose a name for this IKEv2 tunnel; we are using "IKEv2_Regular_Roaming_Tunnel".
  2. Select IKEv2 as the IKE version.
  3. Select all-nets, as it's a roaming tunnel.
  4. Select all-nets, as it's a roaming tunnel.
  5. As this is a roaming tunnel, we select (none) as the remote gateway.

Authentication
[Image: Authentication Regular IKEv2_Roaming Tunnel.png]
  1. Choose Certificate.
  2. Select the correct gateway certificate.
  3. Select the correct root certificate.
  4. Neither Local ID nor Remote ID is required.
  5. Neither Remote ID nor Local ID is required.
  6. Under EAP, first select EAP Server, then activate Request EAP ID.

IKE (Phase 1)
[Image: IKE Phase Regular IKEv2_Roaming Tunnel.png]
  1. Select the Diffie-Hellman group; we are using group 14, as this is the highest group that iOS sends.
  2. Select the Algorithms object that we made before (AES-SHA1-512).
NOTE: The rest of the settings in this phase can be left at their defaults.

IPsec (Phase 2)
[Image: IPsec Phase Regular IKEv2_Roaming Tunnel.png]
  1. Leave Perfect Forward Secrecy (PFS) at its default setting.
  2. On Algorithms, select the earlier created AES-SHA1-512.
  3. Leave the Setup SA per Network setting as it is.
  4. On Config Mode, select Server.
  5. On Config Mode Pool, select the ConfigModePool that we created earlier in this guide.

Virtual Routing
We leave the settings at their defaults.

Advanced
[Image: Add Route Dynamically Regular IKEv2_Roaming Tunnel.png]
We remove the default "Add Route Statically" and add "Add Route Dynamically".

General Userauth
[Image: General Userauth Regular IKEv2_Roaming Tunnel.png]
  1. For simplicity, name the Userauth Rule so that it is easily distinguished from other Userauth Rules.
  2. Select EAP.
  3. As our authentication will be handled by a RADIUS server, select RADIUS as the Authentication Source.
  4. Select the IKEv2_Regular_Roaming_Tunnel.

Authentication Options
[Image: Radius Userauth IKEv2_Roaming Tunnel.png]
  1. Select the RADIUS Server object that we created earlier.
NOTE: All other settings are left at their defaults.

IP Policies for both the Simplified and the Regular IKEv2_Roaming Tunnel
[Image: IP Policies Regular IKEv2_Roaming Tunnels.png]
We are using the Regular IKEv2_Roaming tunnel as an example; if you created the Simplified tunnel, simply change the source interface of the policies to it.

NOTE: The certificate needs to be pre-installed on the iOS device!

Configuring the iOS device
[Image: iOS IKEv2 Tunnel Settings.png]
Now on to the last settings that need to be configured.
  1. Start by selecting IKEv2 as the tunnel type.
  2. We name it IKEv2.
  3. Specify one of the interface IPs of the NGFW as the server, for example the LAN or WAN IP of the firewall; in this guide we use our LAN IP.
  4. This setting is really important: the Remote ID must be the Common Name (CN) of the gateway certificate, in our case Ovik.
  5. Enter a user that has the right privileges and exists on the RADIUS server.
  6. Enter the password for that user.
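The same iOS settings can be delivered as an Apple configuration profile instead of being typed in by hand. The following is an added example, not part of the original post or of Clavister's documentation: it builds the profile with the IKEv2 payload keys from Apple's Configuration Profile Reference, chooses proposal values that fit the AES-SHA1-512 object and DH group 14 used on the NGFW (my assumption about matching values), and includes the check the guide calls really important, that the Remote ID equals the gateway certificate CN. The server address, user name, password and payload identifiers are constructed placeholders; "Ovik" is the CN from the guide.

```python
import plistlib
import uuid

GATEWAY_ADDRESS = "192.0.2.1"   # placeholder for the NGFW LAN or WAN interface IP
GATEWAY_CERT_CN = "Ovik"        # CN of the gateway certificate, as in the guide


def build_ikev2_profile(server, remote_id, user, password, name="IKEv2"):
    """Return the profile as a dict; comments map each key to the guide's iOS step."""
    ikev2 = {
        "RemoteAddress": server,                 # step 3: NGFW interface IP
        "RemoteIdentifier": remote_id,           # step 4: must equal the gateway cert CN
        "AuthenticationMethod": "None",          # no client certificate ...
        "ExtendedAuthEnabled": True,             # ... the user authenticates with EAP-MSCHAPv2
        "AuthName": user,                        # step 5
        "AuthPassword": password,                # step 6
        # Proposals chosen (assumption) to fit the AES-SHA1-512 object and DH group 14
        "IKESecurityAssociationParameters": {
            "EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-512",
            "DiffieHellmanGroup": 14},
        "ChildSecurityAssociationParameters": {   # iOS offers SHA1 for the IPsec phase
            "EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA1-96",
            "DiffieHellmanGroup": 14},
    }
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.ikev2.payload",   # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": name, "UserDefinedName": name,  # step 2: tunnel name
        "VPNType": "IKEv2",                                   # step 1: tunnel type
        "IKEv2": ikev2,
    }
    return {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.ikev2",             # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"{name} roaming tunnel",
        "PayloadContent": [vpn_payload],
    }


def remote_id_matches_cert(profile, cert_cn):
    """The guide's critical check: Remote ID must equal the gateway certificate CN."""
    return profile["PayloadContent"][0]["IKEv2"]["RemoteIdentifier"] == cert_cn


def to_mobileconfig(profile):
    """Serialise to the XML plist that iOS installs as a .mobileconfig file."""
    return plistlib.dumps(profile)


def from_mobileconfig(data):
    """Parse a .mobileconfig back into a dict (used to verify the round trip)."""
    return plistlib.loads(data)
```

Before distributing such a profile, sign it and keep the AuthPassword key out of it unless the device is managed; the user can also be prompted for the password on the device.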
