Question
We want to use an IKEv2 client, for example the one built into MS Windows, to connect to a NetWall firewall, but we do not want to install a certificate on all our clients. Is there a way to do this?
Answer
The answer is yes. Using a PSK (pre-shared key) for the IKEv2 tunnel in Windows is not possible, as the built-in client only supports certificates. However, if the firewall uses a certificate that is already trusted by the client, there is no need to install a new certificate on the client.
An example would be to use a certificate signed by a certificate authority (CA) that the client already trusts (e.g. VeriSign, GeoTrust, Go Daddy, Let's Encrypt, etc.). This is the same kind of certificate used by many HTTPS web servers on the Internet. With such a certificate in the firewall, the client trusts it by default, so no client certificate needs to be installed and only a username/password is needed for the client to connect to the firewall.
Please note, however, that the certificate used in the firewall must still contain the correct DNS name of the VPN server for the client to be able to connect. The client must also be able to resolve that DNS name to the IP address of the firewall.
Note: Depending on the CA used, up to three certificates may be needed in the firewall for this to work (the root, the intermediate (if used) and the gateway certificate).
More information about IKEv2 tunnel setup can be found in the admin guide and/or the following KB articles:
https://kb.clavister.com/324736225/roaming-ikev2-tunnel-setup-in-cos-core-with-xca-ca-and-freeradius
https://kb.clavister.com/324736172/roaming-windows-ikev2-setup-with-netwall-as-ca-server
The following should also be noted:
- We assume that no existing trusted certificate authority has been changed/removed on the client machine.
- At the time of writing (March 2023), Clavister has tested this with ZeroSSL and Let's Encrypt. However, as long as the client machine has the CA in its trusted list (and the certificate can be used by IPsec), it should function as expected. Note that you must also have the correct DNS entry as described above.
- In a future version of cOS Core (the exact version cannot yet be stated at the time of writing, March 2023) support will be added to cOS Core for automatically renewing certificates using ACME (for example, using Let's Encrypt). This eliminates the need for the administrator to manually renew a public certificate on the firewall (the internal Clavister reference for this feature is COP-20924).
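As an added example (not part of the Clavister article), the following PowerShell pre-flight check, run on the Windows client, verifies the conditions the answer depends on: the gateway certificate names the VPN server, it carries the Server Authentication EKU the Windows client requires, it chains to a CA already in the client's trust store, and the name resolves to the firewall. The certificate path, VPN host name and firewall IP address are hypothetical placeholders.

```powershell
# Added example, not from the Clavister article. Run on the Windows client before
# configuring the IKEv2 connection. Placeholders (hypothetical): the gateway certificate
# exported from the firewall, the VPN server's DNS name and the firewall's public IP.
param(
    [string]$CertPath   = 'C:\temp\gateway.cer',
    [string]$VpnFqdn    = 'vpn.example.com',
    [string]$FirewallIp = '203.0.113.10'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. The certificate must name the VPN server the client connects to (SAN dNSName).
$names  = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$nameOk = $names -contains $VpnFqdn
"DNS name in certificate  : $nameOk ($($names -join ', '))"

# 2. The Windows client requires the Server Authentication EKU on the gateway certificate.
$eku   = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOk = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
"Server Authentication EKU: $ekuOk"

# 3. The chain must build to a CA already in this client's trust store (nothing to install).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($cert)
"Chain trusted by client  : $chainOk"
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { "  - $($_.Status): $($_.StatusInformation.Trim())" }
}
# Public certificates are short-lived; an expired gateway certificate is a common cause of a
# tunnel that worked yesterday and fails today (the article points to ACME renewal as the fix).
"Days until expiry        : $(($cert.NotAfter - (Get-Date)).Days)"

# 4. The name must resolve, on this client, to the firewall.
$resolved = @(Resolve-DnsName -Name $VpnFqdn -Type A -ErrorAction SilentlyContinue |
              Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress)
$dnsOk = $resolved -contains $FirewallIp
"DNS resolves to firewall : $dnsOk ($($resolved -join ', '))"

if ($nameOk -and $ekuOk -and $chainOk -and $dnsOk) {
    "OK: the client should connect with username/password only."
} else {
    "FAIL: fix the items marked False before testing the tunnel."
}
```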