Virtual Smart Card authentication for IPsec VPN
-
Hello
I am considering using a virtual smart card (VSC) as a passwordless authentication method on our Windows machines. It works well, but of course I would also like to get rid of passwords in the VPN (IPsec running on pfSense, authenticated by AD passwords via RADIUS). The certificate with its private key is stored on the VSC (protected by the TPM chip). All certificates and keys are provided by Active Directory Certificate Services. If I try to connect to my VPN through the VSC, I am asked for the PIN and then I get the error "IKE authentication credentials are unacceptable". Any idea what could be wrong?
We use pfSense 2.4.3.
I took the Windows CA root certificate and imported it into pfSense as a new Certificate Authority.
I took the client certificate with its private key and uploaded it to pfSense as a certificate. These are the settings of my IPsec:
P1
IKEv2
IPv4
WAN
Auth. method: EAP-TLS
My identifier: Distinguished name = my.router.net
Peer identifier: Any
My Certificate: Windows certificate together with private key, previously imported into the cert. manager
Peer Certificate Authority: Windows root certificate, previously imported into the cert. manager
Enc. algorithm: AES, 256 bits, SHA256, 14 (2048 bit)
Lifetime: 28800
Responder only: yes
MOBIKE: Enable
Dead Peer Detection: enabled
Delay: 10
Max failures: 5

P2
Mode: Tunnel IPv4
Local Network: Network = 100.100.22.0/24
NAT/BINAT translation: none
Protocol: ESP
Enc. algorithm: AES
Hash algorithm: SHA256
Lifetime: 3600

Mobile Clients
Enable IPsec mobile client support: yes
User authentication: Local Database
Virtual Address Pool: 10.5.55.0/24
Network list: yes
DNS default domain: yes
company.local
DNS Servers: 100.100.22.10

VPN client configuration in Win10
Name: company
Server name or address: my.router.net
VPN type: IKEv2
Type of sign-in info: Smart card

I also run a PowerShell script to set up the VPN client this way:
Set-VpnConnectionIPsecConfiguration -ConnectionName "company" -AuthenticationTransformConstants SHA256 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup PFS2048 -PassThru -Force
Set-VpnConnection -Name "company" -SplitTunneling $True
Add-VpnConnectionRoute -ConnectionName "company" -DestinationPrefix 100.100.22.0/24 -PassThru
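As an added example (not part of the post above, and not pfSense's or Microsoft's own tooling), the following PowerShell checks the Windows-side prerequisites that an IKEv2 EAP-TLS connection with a smart card depends on: that the connection really uses EAP, that a certificate with a private key and the Client Authentication EKU is visible in the user store, and that the gateway certificate, if it is present locally, carries the Server Authentication EKU and a SAN matching the dialled name. The connection name "company" and gateway name my.router.net are taken from the post; everything else is an assumption.

```powershell
# Added example, not from the original post. Checks the client-side pieces that
# an IKEv2 EAP-TLS smart-card connection needs. Assumes the connection is
# named "company" and the gateway is dialled as my.router.net (as in the post).
$ConnectionName = "company"
$GatewayName    = "my.router.net"
$ClientAuthOid  = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
$ServerAuthOid  = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth

# 1. EAP-TLS is carried inside EAP; a MachineCertificate or password method
#    will never prompt for the smart card PIN.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
"Connection '$ConnectionName': TunnelType=$($vpn.TunnelType) " +
"AuthenticationMethod=$($vpn.AuthenticationMethod)"

# 2. Once the virtual smart card is inserted, its certificates are propagated
#    into Cert:\CurrentUser\My. The one offered for EAP-TLS must have a
#    private key, the Client Authentication EKU, a valid chain and be unexpired.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    [pscustomobject]@{
        Subject       = $_.Subject
        HasPrivateKey = $_.HasPrivateKey
        ClientAuthEku = ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
        ChainValid    = $_.Verify()
        Expired       = ($_.NotAfter -lt (Get-Date))
    }
} | Format-Table -AutoSize

# 3. Windows validates the certificate the gateway presents in IKE_AUTH: it
#    needs the Server Authentication EKU and a SAN equal to the dialled name.
#    If that certificate was enrolled on this machine it can be inspected here;
#    otherwise export it from pfSense and check it the same way.
$serverCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $GatewayName }
if (-not $serverCerts) {
    "No certificate with SAN '$GatewayName' found in Cert:\LocalMachine\My"
}
foreach ($c in $serverCerts) {
    "Gateway cert $($c.Thumbprint): ServerAuthEku=" +
    "$($c.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid) " +
    "SANs=$($c.DnsNameList.Unicode -join ',')"
}
```

A row with HasPrivateKey true but ClientAuthEku false, or a gateway certificate whose SANs do not include the dialled name, points at the certificate template rather than at the pfSense phase 1 or phase 2 proposals.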