Configuring Roaming IKEv2 tunnel using XCA CA and FreeRadius

Security Gateway Articles and How to's
Post Reply
Posts: 636
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Configuring Roaming IKEv2 tunnel using XCA CA and FreeRadius

Post by Peter » 17 Feb 2016, 19:42

This How-to applies to:
  • Clavister CorePlus 11.01.00 and up.

This guide will provide a reference guide on how to get IKEv2 working using the program called XCA to generate the needed Certificates and to use FreeRadius as the user authentication database with EAP (Enhanced Authentication Protocol) support.

Note: It is possible to use the Local User Database in cOS Core as well which has support for EAP in newer versions (11.xx).

This is primary intended for internal lab environments when testing IKEv2 as we will not use CRL (Certificate Revocation Lists). It will however provide details on how to configure the Clavister and how to import the Certificates into the correct Certificate store when importing the Certificates in Windows.

This same setup can of course be configured using e.g. Windows 2012 CA and Radius server as well.


XCA is a Certificate and key management software made by Christian Hohnstädt ( and can be found on the following webpage:

1. Creating Root Certificate using XCA

When XCA is installed, start the program and create a new Database.
Picture_1.png (35.23 KiB) Viewed 7557 times
Select "New Certificate".
Picture_2_NewCert.png (16.75 KiB) Viewed 7557 times
Select "CA" template and press "Apply All".
Picture_3_Template.png (15.4 KiB) Viewed 7557 times
Enter Distinguished name information and create a 4096 bit RSA key.
Picture_4_CertProperties.png (101.21 KiB) Viewed 7557 times
Select Certificate Authority as Type, uncheck Critical and Subject Key Identifier. Change the time range validity of the certificate depending on your requirements then input the x509v3 Subject Alternative Name.
Picture_5_CertExtensions.png (93 KiB) Viewed 7557 times
Make sure that “Certificate Sign” and “CRL Sign” is selected.
Picture_6_KeyUsage.png (34.22 KiB) Viewed 7556 times
Export the Certificate as a PEM (.crt) file.
Picture_7_ExportRoot.png (73.2 KiB) Viewed 7556 times
2. Creating the Gateway Certificate.
When creating the Gateway Certificate (the certificate that the Clavister uses to authorize itself towards the connecting client) we will use our previous created Root certificate to sign it. Basically all certificate must be signed by the same CA root server certificate in order to have a valid and intact Certificate chain. We also must select "HTTPS_Server" as the template as we act as a server in this scenario, make sure that you press "apply All" to copy all the template properties to our certificate.
Picture_8_Gateway_Cert.png (69.64 KiB) Viewed 7556 times
Enter Distinguished name information and create a 4096 bit RSA key.
Picture_9_Gateway_Cert_Subject.png (107.4 KiB) Viewed 7556 times
Enter a x509v3 Subject Alternative Name using a DNS URL.

IMPORTANT NOTE: This URL must resolve to the IP address that your Clavister Firewall IKEv2 server is configured on. When the client connects, this is the exact DNS name that must be used when configuring which IP/DNS the client should connect to when trying to establish the tunnel. If you for instance type in the IP address directly in the client, it will not work!
Picture_10_Gateway_Cert_Extensions.png (101.08 KiB) Viewed 7556 times
Make sure that all these Key usage options are selected. Basically these determine what the intended use is for this Certificate.
Picture_11_Gateway_Cert_KeyUsage.png (130.8 KiB) Viewed 7556 times
Export the certificate as a PEM (.crt) file.
Picture_12_Gateway_Cert_Export.png (83.43 KiB) Viewed 7556 times
Export this Certificates private key as a “PEM private” (.pem) file as well.
Picture_13_Gateway_Cert_Export_Key.png (44.84 KiB) Viewed 7556 times
3. Creating the Remote User (client) Certificate.

Note-1: For Windows & MAC clients this step is not needed, only the root certificate needs to be imported to the Windows client machines.
Note-2: If the MAC client is configured manually, the Local/Remote ID setting on the client must be configured.

The client Certificate is the certificate that is installed on e.g. a Windows machine that attempts to connect to the Security Gateway. The process is very similar to the Gateway Certificate.

Select the “HTTPS_client” template and press “Apply all”. Make sure to sign it using the “TestCA” certificate.
Picture_14_Client_Cert.png (69.77 KiB) Viewed 7555 times
Enter Distinguished name information and create a 4096 bit RSA key.
Picture_15_Client_Subject.png (103.52 KiB) Viewed 7555 times
Change Type to be End Entity (as it is not part of a Certificate chain), input an X509v3 Subject Alternative Name.
Picture_16_Client_Extensions.png (73.44 KiB) Viewed 7555 times
Export the certificate as a PKCS #12 chain (.p12). Both the Client Certificate and it's private key will be exported in this step, so there is no need to export the private separately as with the gateway Certificate/key.
Picture_17_Client_Export.png (118.47 KiB) Viewed 7555 times
4. Configuring IKEv2 in Clavister cOS Core
The first step we need to perform before we add the IKEv2 tunnel interface itself is to import the CA servers (XCA) Root Certificate along with the Gateway Certificate + it's private key. All Screenshots are based on the WebUI from cOS Core version 11.01.00.

Go to Objects->Key Ring and Add->Certificate. Select the TestCA.crf file we exported from XCA earlier. Also make sure that CRL (Certificate Revocation List) is disabled as we do not have any connection towards the XCA program for CRL checks. If you are using e.g. a Microsoft CA server this will most likely be something you want to enable as it can be very handy to be able to revoke a Certificate from the CA server itself.
Picture_18_ImportRootCert.png (54.53 KiB) Viewed 7555 times
Repeat the process for the Gateway Certificate along with it's private key.
Picture_19_ImportGatewayCert.png (39.83 KiB) Viewed 7555 times
Private and Public key's : More information about the public and private keys can be found on the following webpage: ... cates2.php

Next we need to configure an IKE Config Mode IP pool. This object will contain the IP addresses the Security Gateway will hand out to the connecting clients. Config Mode pool objects are added under Objects->VPN Objects->IKE Config Mode Pool. You can use a pre-defined or static IP pool, we will use Static IP pool in this example.
Picture_20_CreatingCfgModePool.png (45.78 KiB) Viewed 7555 times
Note about the subnets option: Even though there is an option to specify a subnet on the Cfg Mode pool, this sub network option can only be pushed out to clients that support this Cfg Mode option. Windows does unfortunately not support this option so it is not possible to use split-tunneling when using Windows as a client. You can however still achieve "Partial split tunnelling" similar as what is documented in the following forum post, Partial Split tunneling.
Once the Cfg Mode Pool object has been created we now need to create new proposal lists for IKE and IPsec. This is done under Objects->VPN Objects and "IKE Algorithms and IPSec Algorithms. Select AES as Encryption and SHA1 as Integrity algorithm.
Picture_21_CreatingIKEIPsecPropList.png (49.89 KiB) Viewed 7554 times
Repeat the procedure for an IPsec algorithm as well using AES and SHA1.

Creating and configuring the IKEv2 interface
Now we come to configuring the IKEv2 interface itself in cOS Core. This is done under Network->Interfaces and VPN->VPN and tunnels->IPsec. Add a new IPsec interface. Since we are going to use IKEv2 the first thing we need to change is the IKE version, go to the IKE Settings tab and change IKE version from default IKEv1 to IKEv2.
Picture_22_ChangingIKEVersion.png (21.55 KiB) Viewed 7554 times
Back to the general tab we change local and remote network to be all-nets, the remote network can most likely be restricted based on what kind of client that is used. Windows however by default sends "all-nets" as both local and remote network.

The Remote endpoint is all-nets as we do not know where the client(s) are connecting from, we select the IKE Config Mode pool object we created earlier and the same with the IKE and IPSec proposal lists.
Picture_23_GeneralSettings.png (63.16 KiB) Viewed 7554 times
On the IKE Settings tab regarding settings for IKE DH group and PFS DH group we leave all settings to their defaults (except IKE version which we changed earlier).

We now come to the "Authentication" tab, here we select the Gateway Certificate and also add the TestCA Certificate as Root Certificates using the Certificates we imported earlier.

Tip: Make sure that when importing the Certificates that they get tagged as the correct type. A Certificate that has a private key becomes tagged as "local" and a Certificate without a private key (such as the CA root certificate) becomes "Remote". Only a Local type certificate can be chosen as the gateway certificate.

IKEv2 tunnels also requires the use of EAP, simply enable the two checkbox for EAP as shown in the below screenshot.
Picture_24_TunnelAuthenticationTab.png (55.61 KiB) Viewed 7554 times
Lastly we need to go to the Advanced tab and uncheck the checkbox for "Add route Statically" and enable the "Add route Dynamically" option. This is very important! If the static route option is enabled it could cause a routing conflict with the external internet access route causing internet access disruptions when deploying the configuration!
Picture_25_TunnelRoutes.png (3.85 KiB) Viewed 7551 times
Adding the Radius server object in Clavister cOS Core

As we will be authenticating our users towards a Radius server we need to create a Radius server object which we later can use in our User authentication rules. To create the Radius server object we go to Policies->User Authentication->User Directories->Radius and add a new Radius server object.
Picture_26_EAP_Radius.png (37.04 KiB) Viewed 7551 times
We now come to the User Authentication rule, this is configured under Policies->User Authentication->Rules->Authentication Rules. Create a new rule with the properties shown in the screenshot. The interface is the IPsec interface we created earlier.
Picture_27_UserAuthRule.png (43.98 KiB) Viewed 7551 times
And finally, select the Radius server we defined earlier.
Picture_28_UserAuthRule_Options.png (40.47 KiB) Viewed 7551 times
The only thing left to do in cOS Core is to create one or more IP rules/policies to determine what the IKEv2 users should be allowed to access. Since this is very individual we will not go into details about those rules.

5. Installing FreeRadius on Ubuntu

This is a short guide on how to install FreeRadius on Ubuntu, the exact steps may vary depending on version and potential changes that may occur in the future. The bracket # means that its is a CLI command.

1.- Install freeradius:

Code: Select all

# apt-get install freeradius
2.- Edit EAP method:

Code: Select all

# nano /etc/freeradius/eap.conf:
default_eap_type = peap
3.- Adding new users :

Code: Select all

# vi /etc/freeradius/users
tuxuser Cleartext-Password := "P@sswd4Tux"
tuxadmin Cleartext-Password := "P@sswrd4Admin"
4.- Enabling and configuring mschap-v2 protocol:

Code: Select all

# vi /etc/freeradius/modules/mschap
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
5.- Reloading new libraries:

Code: Select all

# ldconfig
6.- Add new radius clients (Access point):

Code: Select all

# vi /etc/freeradius/clients.conf
client {
secret = abc123!
shortname = Clavister-IKEv2-Demo
7.- Restarting service and testing radius authentication:

Code: Select all

# service freeradius restart
# radtest tuxuser P@sswd4Tux 1812 0peN2d0!
6. Importing the Certificates & Configuring the IKEv2 tunnel in Windows 10.

Import a CA certificate for the Computer account by Microsoft Management Console(MMC).

1. Move the cursor to the right corner of your screen and click Search the Web and Windows.
2. Open Microsoft Management Console(MMC) by entering "mmc" into the search box.
3. On the File menu, point to Add/Remove Snap-in, and open the Add or Remove Snap-ins dialog.
4. Click the certificates under Available snap-ins and push Add.
5. Select the Computer account and push Next.
6. Select the Local computer and push Finish.
7. Push OK on Add or Remove Snap-ins dialog and close it.
8. Click the folder Certificates(Local Computer) / Personal / Certificates folder, click the Actionmenu, point to All Tasks, and then click Import.
9. Click Next and follow the instructions.
- An imported PKCS#12 file: remotehost1.p12
10. If a CA's certificate (TestCA) is extracted into Certificates(Local Computer) / Personal / Certificates folder, move it to Certificates(Local Computer) / Trusted Root Certification Authorities / Certificates folder by dragging and dropping the certificate's icon.

Setting up the VPN connection:

Set up a VPN connection.

1. Move the cursor to the right corner of your screen and click Search the Web and Windows.
2. Open Network and sharing center by entering Network and sharing center into the search box and then click Set up a new connection or network.
3. Click Connect to a workplace and push Next.
4. If you are asked "Do you want to use a connection that you already have?", select "No, create a new connection" and then push Next.
5. Click Use my Internet connection (VPN).
6. Click I'll set up an Internet connection later..
7. Enter (Clavister IKEv2 Server hostname) into Internet Address and Example VPN into Destination name and push Create.
8. Open Network and sharing center again and click Change adapter settings.
9. Open the properties dialog of Example VPN adapter and show Security tab.
10. Enter the following:
- Type of VPN: IKEv2
- Data encryption: Require encryption (disconnect if server declines)
- Authentication: Use Extensible Authentication Protocol(EAP) and EAP-MSCHAPv2
11. Push OK.

- Edit the hosts file if DNS service is not available for

1. Open "C:Windows/System32/drivers/etc/hosts" by notepad as an administrator. If you can't find these folders, please see Show hidden files.
2. Add the following line into this hosts file.

Code: Select all   # (Example VPN) 
3. Save and close the file.

Troubleshooting tips:

If you experience problems here are a few troubleshooting tips:

1. Make sure that the DNS or IP address you are attempting to connect to using the client is what is defined in the gateway certificate. If you for instance type in IP instead of what is defined in the certificate (in our example the connection attempt will fail.
2. Here is a Microsoft article that gives some IKEv2 troubleshooting tips: Troubleshooting IKEv2

Post Reply