IKEv2 roaming VPN in cOS Core without client certificate installation

Last modified on 14 Mar, 2023. Revision 9
This short Q&A explains how to set up an IKEv2 roaming tunnel in cOS Core without having to install a certificate on the clients.
Up to date for: cOS Core 14.00.09
Supported since: cOS Core 13.00.xx
Status: OK
Author: Peter Nilsson

Question

We want to use an IKEv2 client, for example the one built into MS Windows, to connect to a NetWall firewall, but we do not want to install a certificate on all our clients. Is there a way to do this?

Answer

The answer is yes. Using a PSK (pre-shared key) for the IKEv2 tunnel is not possible in Windows, as the built-in client only supports certificate authentication of the server. However, if the firewall presents a certificate that the client already trusts, there is no need to install a new certificate on the client.

An example would be to use a certificate signed by a certificate authority (CA) that the client already trusts (e.g. VeriSign, GeoTrust, Go Daddy, Let's Encrypt etc.), the same kind of certificate used by many HTTPS web servers on the Internet. With such a certificate in the firewall, the client trusts it by default, no certificate needs to be installed on the client, and only a username/password is needed by the client in order to connect to the firewall.

Please note, however, that the certificate used in the firewall must still contain the correct DNS name of the VPN server (the name the client connects to) in order for the client to be able to connect. The client must also be able to resolve that DNS name to the IP address of the firewall.

Note: Depending on the CA used, up to 3 certificates may be needed in the firewall for this to work: the Root certificate, the Intermediate certificate (if used) and the Gateway certificate.

More information about IKEv2 tunnel setup can be found in the admin guide and in the following KB articles:

https://kb.clavister.com/324736225/roaming-ikev2-tunnel-setup-in-cos-core-with-xca-ca-and-freeradius
https://kb.clavister.com/324736172/roaming-windows-ikev2-setup-with-netwall-as-ca-server

The following should also be noted:

  • We assume that no existing trusted certificate authority has been changed or removed on the client machine.
  • At the time of writing (March 2023), Clavister has tested this with ZeroSSL and Let's Encrypt. However, as long as the client machine has the CA in its trusted list (and the certificate can be used by IPsec), it should function as expected. Note that the correct DNS name, as described above, is also required.
  • A future version of cOS Core (the exact version cannot yet be stated at the time of writing, March 2023) will add support for automatically renewing certificates using ACME (for example with Let's Encrypt). This eliminates the need for the administrator to manually renew a public certificate on the firewall (the internal Clavister reference for this feature is COP-20924).
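As an added illustration (not from this article or from Clavister), the requirements above can be turned into an offline pre-deployment check: the gateway certificate must carry the DNS name clients connect to, the chain must link Gateway to Intermediate to a root the client already trusts, nothing may be expired, and the name must resolve to the firewall. All names, addresses and dates below are constructed, and the resolver is a stand-in for a real DNS lookup.

```python
# Pre-deployment sanity check for a public-CA gateway certificate on a cOS Core
# IKEv2 roaming tunnel (constructed example, not Clavister code). The chain is
# modelled as dicts so it runs offline; real use would parse the PEM files.
# Constructed chain in firewall upload order: Gateway, Intermediate, Root.
# Dates are ISO strings, which compare correctly as plain strings.
CHAIN = [
    {"subject": "CN=vpn.example.com", "issuer": "CN=Example Public CA R3",
     "san_dns": ["vpn.example.com", "*.vpn.example.com"], "not_after": "2023-06-01"},
    {"subject": "CN=Example Public CA R3", "issuer": "CN=Example Root X1",
     "san_dns": [], "not_after": "2025-09-15"},
    {"subject": "CN=Example Root X1", "issuer": "CN=Example Root X1",
     "san_dns": [], "not_after": "2035-06-04"},
]
CLIENT_TRUSTED_ROOTS = {"CN=Example Root X1"}  # roots the Windows client already trusts
FIREWALL_IP = "203.0.113.10"                   # constructed public address of the firewall

def dns_name_matches(hostname, san_name):
    """RFC 6125-style match: case-insensitive; '*' only as the whole leftmost label,
    matching exactly one label (so *.example.com does not cover a.b.example.com)."""
    host, san = hostname.lower().rstrip("."), san_name.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    h_labels, s_labels = host.split("."), san.split(".")
    return len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]

def check_chain(chain, vpn_hostname, trusted_roots, resolve, firewall_ip, today):
    """Return the list of problems; an empty list means the client should accept the gateway."""
    problems = []
    if not any(dns_name_matches(vpn_hostname, n) for n in chain[0]["san_dns"]):
        problems.append(f"gateway certificate has no DNS name matching {vpn_hostname}")
    for i, cert in enumerate(chain):
        if cert["not_after"] < today:
            problems.append(f"{cert['subject']} expired on {cert['not_after']}")
        if i + 1 < len(chain) and cert["issuer"] != chain[i + 1]["subject"]:
            problems.append(f"{cert['subject']} was not issued by {chain[i + 1]['subject']}")
    root = chain[-1]
    if root["issuer"] != root["subject"] or root["subject"] not in trusted_roots:
        problems.append(f"chain does not end in a root the client trusts: {root['subject']}")
    resolved = resolve(vpn_hostname)
    if firewall_ip not in resolved:
        problems.append(f"{vpn_hostname} resolves to {resolved}, not the firewall {firewall_ip}")
    return problems

def fake_resolver(name):
    """Constructed DNS answer standing in for socket.gethostbyname_ex(name)[2]."""
    return {"vpn.example.com": ["203.0.113.10"]}.get(name, [])

if __name__ == "__main__":
    print(check_chain(CHAIN, "vpn.example.com", CLIENT_TRUSTED_ROOTS,
                      fake_resolver, FIREWALL_IP, "2023-03-14"))
```

Running it with a date after the gateway certificate's expiry reports the expired certificate, which is the situation the ACME renewal feature mentioned above is meant to prevent.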
