IKEv2 conf: Win 7/10 native client, EAP-TLS/Mutual-RSA + multiple mobile entries



  • I have spent considerable time on trying to get to work multiple mobile phase 1 entries with IKEv2 on pfSense and perhaps my findings can help other people who are struggling with this:

    Goals and approach

    • VPN access without the need to install software on the client:

      • tested and working on Win7 and Win10, OS X not tested yet
    • manage VPN mobile access for different domains and user groups through one pfSense firewall, using multiple mobile phase 1 entries:

      • each domain and user group combination has its own mobile client phase 1

      • access to the local network is managed through phase 2 entries

    • minimal configuration

      • tried to leave out unnecessary configuration steps
    • selective routing: do not route internet traffic / client local traffic through VPN

    Result

    • it works; however, pfSense has to be tricked into accepting multiple mobile client configurations and there may be a good reason for the lack of multiple mobile phase 1 entries support

    • mutual PSK authentication only; EAP-MSChapv2 and EAP-TLS do not work with multiple mobile phase 1 entries because client specific data is not sent during IKEv2 phase

    • although I'm using this approach in a production environment, OpenVPN (my previous solution) is probably the safer way to go - use the following configuration at your own risk …

    pfSense 2.3.2-RELEASE-p1 configuration
    (I'm including the EAP-MSChapv2 and EAP-TLS configurations as well because they worked except for the multiple mobile phase 1 requirement)

    | |                                         | **EAP-MSChapv2       ** | **EAP-TLS                   ** | **Mutual-RSA               ** | |
    | | Server Certificate CN | vpn.domain.ch | vpn.domain.ch | vpn.domain.ch | *no extended key usage field needed |
    | | User Certificate store | Current User | Current User | Local Computer | *on Windows |
    | | User Certificate CN | group.domain.ch | group.domain.ch | group.domain.ch | *created different certificates for each user group / phase 1
    *created unique certificate passwords for each user (using openSSL) to make certificates "unique" |
    | | User Certificate FQDN | | group.domain.ch | | *only needed for EAP-TLS authentication |
    | | My Identifier | My IP Address | My IP Address | My IP Address | |
    | | Peer Identifier | any | any | ASN.1 dist. name | *match user cert, e.g. "C=CH, ST=Zurich, L=Zurich, O=org, E=group@domain.ch, CN=group.domain.ch" |
    | | Phase 1 selection | first mobile phase 1 | first mobile phase 1 | matching peer identifier | *multiple phase 1 entries are only supported with mutual PSK |
    | | Phase 1 Hash | SHA256 | SHA256 | SHA256 | *other configurations not tested |

    *** add additional mobile phase 1 entries:  https://pfsense.domain.ch/vpn_ipsec_phase1.php?mobile=true

    | | **Phase 2 Encryption             ** | AES256 | *other configurations not tested |
    | | Phase 2 Subnets | minimum: include address of DNS server on LAN | *pfSense checks overlapping subnets, can be tricked to some extent by mixing named interfaces and ip networks |
    | | Phase 2 Hash | SHA1 | *SHA256 not supported |
    | |
    | | **Virtual address pool ** | 10.0.0.1/24              | *should be subset of existing interface; avoid overlap with DHCP and client LAN |
    | | Provide list of networks | | *ignored by Windows client |
    | | DNS Server | 10.0.0.1 | *see phase 2 subnets |
    | | Configure Unique IDs | NO | *enable concurrent users |

    *** Use DNS resolver instead of DNS forwarder: was not able to get it to work with DNS forwarder

    Windows 7 configuration

    • the "Use default gateway on remote network" option in the Advanced TCP/IP settings of the VPN connection has to be disabled

    • For each phase 2 entry admin console: "route add -p xxx.xxx.xxx.xxx mask 255.255.255.0 0.0.0.0 if XXX"

    • Correct if XXX can be found with "route print"

    Windows 10 (after anniversary update) configuration

    • For each phase 2 entry use Power Shell: "Add-VpnConnectionRoute -ConnectionName "group.domain.ch" -DestinationPrefix 10.0.0.0/24 -PassThru"

    OS X configuration tbd



  • FYI the powershell for windows 10 adds it to the pkb (phone book) file for the vpn not to the computer itself so once you add it you can deploy the pbk out with group policy if you wish.