Roaming Windows 10 IKEv2 with NetWall as CA server

Siby
Posts: 6
Joined: 03 Sep 2010, 08:16
Location: Clavister HQ - Örnsköldsvik

Post by Siby » 25 Mar 2020, 19:15

This how-to applies to:
  • Clavister cOS core 12.x and up
Please note that this article is still a work in progress, but the process works. We will update it with more explanations soon.

WARNING: Generating certificates is very CPU intensive; generating the certificates below causes an E10 to stall for about 5 s.

Topics covered in this how-to:
How to generate CA certificate using NetWall WebUI
How to generate CA signed Gateway certificate using NetWall WebUI
How to set up roaming IKEv2 tunnel using Simplified Roaming IPsec profile
How to load the CA certificate into the correct certificate store in Windows 10 using a .bat file



How to generate CA certificate using NetWall WebUI
To generate the CA certificate, go to "Objects->Key Ring->Add->Certificate->Generate Certificate->Configure":
[Image: GEN_CA_1.png]
Enter the data as shown and replace the subject name with something suitable for your organization:
[Image: GEN_CA_2.png]
This should result in a certificate like the one below; disable CRL checks. Download and save the certificate for later, because it needs to be loaded into the certificate store of the Windows clients.
[Image: GEN_CA_3.png]


How to generate CA signed Gateway certificate using NetWall WebUI

To generate the CA signed gateway certificate, go to "Objects->Key Ring->Add->Certificate->Generate Certificate->Configure":
[Image: GEN_CA_1.png]
Enter the data as shown and replace the subject name with something suitable for your organization. Please note that the CN and the Subject Alternative Name need to resolve to the public IP of your IKEv2 server (in other words, your NetWall):
[Image: Gateway_Certificate_2.png]
This should result in a certificate like the one below; disable CRL checks:
[Image: Gateway_Certificate_3.png]


How to set up roaming IKEv2 tunnel using Simplified Roaming IPsec profile
To set up the IKEv2 server interface, go to "Network->Interfaces and VPN->VPN AND TUNNELS->IPsec->Add->Roaming VPN (Simplified)":
[Image: IPsec_Tunnel.png]
Replace the IP pool, DNS and authentication method with what is suitable for your organization.

How to load the CA certificate into the correct certificate store in Windows 10 using a .bat file

Download certmgr.exe (attachment: certmgr.7z).
Copy the CA-CERT.crt file to the client Windows 10 workstation. In the same folder, create a .bat file with this content:

@echo off
rem Run from the folder that holds certmgr.exe and CA-CERT.crt
cd "%~dp0"
rem /c = certificate, /s = system store, /r localMachine = machine-wide store,
rem root = Trusted Root Certification Authorities
certmgr.exe /c /add CA-CERT.crt /s /r localMachine root
echo "certificate installed, continue by creating an IKEv2 Tunnel"
pause

Run the .bat file as Administrator and then create the IKEv2 tunnel. Only the CA certificate is needed on the client PC.
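The same client-side steps in PowerShell, as an added example that is not part of the original post or of Clavister's tooling: it imports the CA certificate into the machine Trusted Root store, checks that it actually landed there, and then creates the IKEv2 connection. It assumes CA-CERT.crt sits next to the script, that the gateway's public name is vpn.example.com (a placeholder that must equal the CN/SAN of the gateway certificate), that the NetWall profile uses EAP user authentication, and that the algorithm values in step 4 match the NetWall IKE/IPsec lists.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumptions: CA-CERT.crt is next
# to this script, vpn.example.com is a placeholder for the gateway name that
# appears in the gateway certificate's CN/SAN, and the tunnel uses EAP.
param(
    [string]$CaCertPath     = (Join-Path $PSScriptRoot 'CA-CERT.crt'),
    [string]$ServerName     = 'vpn.example.com',
    [string]$ConnectionName = 'NetWall IKEv2'
)

# 1. Import the CA certificate into the machine-wide Trusted Root store
#    (the store the .bat file targets with "/s /r localMachine root").
$ca = Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# 2. Verify it is really in LocalMachine\Root. IKEv2 only consults the machine
#    store, so a certificate imported into CurrentUser fails later without a clear hint.
$installed = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object Thumbprint -eq $ca.Thumbprint
if (-not $installed) { throw "CA certificate $($ca.Thumbprint) not found in LocalMachine\Root" }
Write-Host "Trusted CA installed: $($ca.Subject) ($($ca.Thumbprint))"

# 3. Create the IKEv2 connection for all users. -ServerAddress must match the
#    CN/SAN of the gateway certificate, otherwise Windows rejects the server identity.
if (Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -AllUserConnection -Force
}
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerName -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EncryptionLevel Required -AllUserConnection

# 4. Pin the IKE/IPsec proposal instead of relying on Windows defaults. These
#    values are assumptions and must match the NetWall IKE and IPsec algorithm lists.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName -AllUserConnection `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256 `
    -PfsGroup PFS2048 -Force

# Show the resulting connection so the settings can be checked before first use.
Get-VpnConnection -Name $ConnectionName -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```

Run it from an elevated PowerShell; the connection then appears in the Windows VPN settings like one created by hand.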
