Netgate Discussion Forum

    Virtual Smart Card authentication for IPsec VPN

    IPsec
    1 Posts 1 Posters 680 Views
    aldomoro

      Hello

      I am considering using a virtual smart card (VSC) as a passwordless authentication method on our Windows machines. It works well, but of course I would also like to get rid of passwords in the VPN (IPsec running on pfSense, authenticated by AD passwords via RADIUS). The certificate with the private key is stored on the VSC (protected by the TPM chip). All certificates and keys are provided by Active Directory Certificate Services. If I try to connect to my VPN through the VSC, I am asked for the PIN and then I get the error "IKE authentication credentials are unacceptable". Any idea what can be wrong?

      We use pfSense 2.4.3.

      I took the Windows CA root certificate and imported it into pfSense as a new Certificate Authority.
      I took the client certificate with its private key and uploaded it to pfSense as a certificate.

      These are the settings of my IPsec:
      P1
      IKEv2
      IPv4
      WAN
      Auth. method: EAP-TLS
      My identifier: Distinguished name = my.router.net
      Peer identifier: Any
      My Certificate: Windows certificate together with the private key previously imported to the cert. manager
      Peer Certificate Authority: Windows root certificate previously imported to the cert. manager
      Enc. algorithm: AES, 256 bits, SHA256, 14 (2048 bit)
      Lifetime: 28800
      Responder only: yes
      MOBIKE: Enable
      Dead Peer detection: enabled
      Delay: 10
      Max failures: 5

      P2
      Mode: Tunnel IPv4
      Local Network: Network = 100.100.22.0/24
      NAT/BINAT translation: none
      Protocol: ESP
      Enc. algorithm: AES
      Hash algorithm: SHA256
      Lifetime: 3600

      Mobile Clients
      Enable IPsec mobile client support: yes
      User authentication: Local Database
      Virtual Address Pool: 10.5.55.0/24
      Network list: yes
      DNS default domain: yes
      company.local
      DNS Servers: 100.100.22.10

      VPN Client configuration in Win10
      Name: company
      Server name or address: my.router.net
      VPN type: IKEv2
      Type of sign-in info: Smart card

      I also run a PowerShell script to set up the VPN client this way:
      Set-VpnConnectionIPsecConfiguration -ConnectionName "company" -AuthenticationTransformConstants SHA256 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup PFS2048 -PassThru -Force

      Set-VpnConnection -Name "company" -SplitTunneling $True

      Add-VpnConnectionRoute -ConnectionName "company" -DestinationPrefix 100.100.22.0/24 -PassThru

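As an added diagnostic example (not part of the original post or of pfSense), the following PowerShell lists the certificates in the user's personal store that Windows could present for EAP-TLS from the smart card, checks each for a private key, the Client Authentication EKU, expiry and a chain that ends at the expected root, and then shows the VPN connection as Windows has it configured. The connection name "company" comes from the post; the root CA subject is a placeholder assumption to be replaced with the AD CS root actually imported into pfSense.

```powershell
# Added diagnostic example (not from the original post): enumerate the user's
# certificates that Windows could present for EAP-TLS over the smart card,
# validate each chain, then show the VPN connection as configured.
# ASSUMPTIONS: connection name "company" (from the post); the root CA subject
# below is a placeholder and must be replaced with your AD CS root's subject.
$ConnectionName      = 'company'
$ExpectedRootSubject = 'CN=EXAMPLE-ROOT-CA'   # placeholder, replace
$ClientAuthOid       = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth, required on an EAP-TLS client certificate

function Test-EapTlsClientCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is skipped so the check works offline; the VPN server still performs its own check.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuthEku = ($Cert.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
        NotExpired    = ($Cert.NotAfter -gt (Get-Date))
        ChainBuilds   = $chainOk
        RootMatches   = ($root.Subject -eq $ExpectedRootSubject)
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

# Personal store of the logged-on user; smart-card certificates are propagated here when the card is present.
Get-ChildItem -Path Cert:\CurrentUser\My |
    ForEach-Object { Test-EapTlsClientCert -Cert $_ } |
    Format-Table -AutoSize

# The client side of the tunnel as Windows sees it (VpnClient module, present on Windows 10).
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
```

A certificate that shows ClientAuthEku or RootMatches as False, or a ChainStatus other than NoError, will not be accepted by the responder's "Peer Certificate Authority" check regardless of the PIN being correct.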
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.