IKEv2 roaming VPN in cOS Core without client certificate installation
Last modified on 14 Mar, 2023. Revision 9
Up to date for | cOS Core 14.00.09 |
Supported since | cOS Core 13.00.xx |
Status | OK |
Author | Peter Nilsson |
Question
We want to use an IKEv2 client, for example the one built into MS Windows, to connect to a NetWall firewall, but we do not want to install a certificate on all our clients. Is there a way to do this?
Answer
The answer is yes. Using a PSK (pre-shared key) for the IKEv2 tunnel in Windows is not possible, as the built-in client only supports certificates. However, if the firewall uses a certificate that the client already trusts, there is no need to install a new certificate on the client.
An example would be to use a certificate signed by a certificate authority (CA) that the client already trusts (e.g. VeriSign, GeoTrust, Go Daddy, LetsEncrypt etc.). This is the same kind of certificate used by many HTTPS web servers on the Internet. With such a certificate in the firewall, the client trusts it by default, so no client certificate needs to be installed and only a username/password is needed for the client to connect to the firewall.
Please note, however, that the certificate used in the firewall must still contain the correct DNS name of the VPN server, i.e. the name the client connects to, or the client will not be able to connect. The client must also be able to resolve that DNS name to the IP address of the firewall.
Note: Depending on the CA used, up to 3 certificates may be needed in the firewall for this to work (Root, Intermediate (if used) and Gateway certificate).
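To illustrate the two requirements above (a complete Root/Intermediate/Gateway chain and a gateway certificate carrying the DNS name the client dials), the following Go program is an added example and not Clavister's or Microsoft's code: it builds a constructed three-certificate chain and replays the client's trust decision with Go's X.509 verifier standing in for the Windows client, so the outcomes mirror, but are not identical to, what Windows does. The names vpn.example.com and fw.example.net are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newTemplate returns a short-lived certificate skeleton; isCA marks the Root and Intermediate.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}
// issue signs tmpl with parentKey for a freshly generated Ed25519 key pair; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err) // templates are constructed here, so a failure is a programming error
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert, key
}
// BuildChain constructs (test data, not a real CA) the three certificates the article lists: Root -> Intermediate -> Gateway.
func BuildChain(vpnName string) (root, inter, gw *x509.Certificate) {
	root, rootKey := issue(newTemplate("Constructed Root CA", 1, true), nil, nil)
	inter, interKey := issue(newTemplate("Constructed Intermediate CA", 2, true), root, rootKey)
	gwT := newTemplate(vpnName, 3, false)
	gwT.DNSNames = []string{vpnName} // the DNS name the client dials must be a SAN on the gateway certificate
	gwT.KeyUsage, gwT.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	gw, _ = issue(gwT, inter, interKey) // the gateway's private key stays on the firewall
	return root, inter, gw
}
// CheckGateway models the client: only root is trusted beforehand, inter (if any) is what the
// firewall sent alongside the gateway certificate, and dialedName must match the gateway SAN.
func CheckGateway(gw, inter, root *x509.Certificate, dialedName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if inter != nil {
		inters.AddCert(inter)
	}
	_, err := gw.Verify(x509.VerifyOptions{DNSName: dialedName, Roots: roots, Intermediates: inters})
	return err
}
```

With the full chain and the correct name CheckGateway returns nil; omitting the intermediate yields an unknown-authority error and dialing a name that is not in the SAN yields a hostname error, which are the two misconfigurations the article warns about.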
More information about IKEv2 tunnel setup can be found in the admin guide and/or the following KB articles:
https://kb.clavister.com/324736225/roaming-ikev2-tunnel-setup-in-cos-core-with-xca-ca-and-freeradius
https://kb.clavister.com/324736172/roaming-windows-ikev2-setup-with-netwall-as-ca-server
The following should also be noted:
- We assume that no existing trusted certificate authority has been changed/removed on the client machine.
- At the time of writing (March 2023), Clavister has tested this with ZeroSSL and LetsEncrypt. However, as long as the client machine has the CA in its trusted list (and the certificate can be used by IPsec) it should function as expected. Note that you must also have the correct DNS entry as described above.
- A future version of cOS Core (the exact version could not be stated at the time of writing, March 2023) will add support for automatically renewing certificates using ACME (for example, with Let's Encrypt). This eliminates the need for the administrator to manually renew a public certificate on the firewall (the internal Clavister reference for this feature is COP-20924).