-------------------------------------------------------------------------------------------------------------------
RV260/RV34X C2S IKEv2 VPN Server for Greenbow_MaciOS_Clients using Certificates
-------------------------------------------------------------------------------------------------------------------

- Configure the C2S server on RV34X/RV260 as below:

Note: For this IKEv2 VPN server you will NOT need a Radius server in the LAN network of the router.

Step-1: In IPsec Profiles, configure the IPsec algorithm profile below, used by the specified clients:
  Name: Ikve2_GBMacOSiOSClients_Profile
  Version: IKEv2
  Phase-1: AES128-SHA1-GROUP2; Lifetime: 28800 sec
  Phase-2: ESP; AES256-SHA256; PFS = no; Lifetime: 3600 sec
  - apply and do a permanent save too

Step-2: In the Basic Settings tab, add and configure a C2S VPN server as below:
  Enable: Yes/Checked
  Tunnel Name: Ikev2_GBMaciOSClients_wEAP
  Interface: WAN1
  IKE Authentication Method: Certificate
    Local Certificate: select the server device certificate
    Remote CA Certificate: select the ROOT-CA certificate "xxx_CA" from the list, i.e. the same CA certificate that has signed the server certificate
  Local Identifier: select FQDN and enter the value from the subjectAltName field of the server certificate, for example: rv34x.dyndns.org
  Remote Identifier: select User-FQDN and enter a value such as *@example.com (the asterisk "*" is used as a wildcard character that matches any value in that position sent by the client)
  Extended Authentication: ENABLED - select the user groups that are also configured on the Radius server for user authentication using EAP
  Pool Range for client LAN:
    Start IP: 10.31.1.100
    End IP: 10.31.1.150

Step-3: In the Advanced Settings tab:
  IPsec Profile: Ikve2_GBMacOSiOSClients_Profile
  Remote Endpoint: Dynamic IP (it must be Dynamic IP only, as multiple clients will be connecting to this server)
  Local Group Setup - Local IP Type: ANY
  Mode Configuration (DNS/WINS/default domain/etc.): configure as per the user requirements

Step-4: Click on Apply and do a permanent save too.

##################################################################

On Greenbow and macOS/iOS clients, among other configurations, the settings below have to be configured:

1. Mandatorily, import into the Greenbow/other clients, and install, only the ROOT-CA certificate that has signed the server certificate.
2. Also install the client certificates, and note down the subjectAltName field value from the client certificate.
3. Set the values for the items below in the Greenbow/macOS IKEv2 client config:
   Local Identifier: clientX@example.com - this "clientX" will be "client1" for the first client, "client2" for the second client, "client3" for the third, and so on
   Remote Identifier: rv34xgw.dyndns.org OR rv34x.example.com - this is the same value that you have configured as Local-ID on the VPN server
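To sanity-check the identity and certificate pairing described in Step-2 and in the client settings above before the first client connects, here is an added Python example (not Cisco's, Greenbow's or Apple's code). The certificate summaries are constructed from the values on this page (`xxx_CA`, `rv34x.dyndns.org`, `client1@example.com`) rather than parsed from real certificates, and the wildcard rule (a single `*` matching one non-empty value that cannot span the `@`) is an assumption about how the RV34X evaluates the Remote Identifier.

```python
# Constructed summaries of the certificates involved (issuer + subjectAltName), standing in
# for what a certificate parser would return; hypothetical values taken from the guide above.
SERVER_CONFIG = {
    "local_id_fqdn": "rv34x.dyndns.org",      # Local Identifier (FQDN) on the RV34X
    "remote_id_pattern": "*@example.com",     # Remote Identifier (User-FQDN) with wildcard
    "remote_ca": "xxx_CA",                    # Remote CA Certificate selected on the server
}
SERVER_CERT = {"issuer": "xxx_CA", "san_dns": ["rv34x.dyndns.org"], "san_email": []}
CLIENT_CERT = {"issuer": "xxx_CA", "san_dns": [], "san_email": ["client1@example.com"]}


def user_fqdn_matches(pattern, identity):
    """'*' matches any non-empty value in that position; everything else must match exactly.
    Assumption: a single '*' is used and the matched value may not span the '@' separator."""
    if "*" not in pattern:
        return pattern == identity
    prefix, suffix = pattern.split("*", 1)
    if len(identity) < len(prefix) + len(suffix):
        return False
    if not (identity.startswith(prefix) and identity.endswith(suffix)):
        return False
    middle = identity[len(prefix):len(identity) - len(suffix)]
    return middle != "" and "@" not in middle


def check_c2s_setup(server, server_cert, client_cert, client_local_id, client_remote_id):
    """Return the list of mismatches between the server config, the two certificates and the
    identities the client will send; an empty list means the IKEv2 AUTH exchange can line up."""
    problems = []
    if server_cert["issuer"] != server["remote_ca"]:
        problems.append("server certificate is not signed by the selected Remote CA")
    if client_cert["issuer"] != server["remote_ca"]:
        problems.append("client certificate is not signed by the selected Remote CA")
    if server["local_id_fqdn"] not in server_cert["san_dns"]:
        problems.append("server Local Identifier is not in the server cert subjectAltName")
    if client_local_id not in client_cert["san_email"]:
        problems.append("client Local Identifier is not in the client cert subjectAltName")
    if not user_fqdn_matches(server["remote_id_pattern"], client_local_id):
        problems.append("client Local Identifier is rejected by the server Remote Identifier")
    if client_remote_id != server["local_id_fqdn"]:
        problems.append("client Remote Identifier must equal the server Local Identifier")
    return problems


if __name__ == "__main__":
    for name, local_id, remote_id in [("client1", "client1@example.com", "rv34x.dyndns.org"),
                                      ("bad", "client1@other.com", "rv34x.example.com")]:
        print(name, check_c2s_setup(SERVER_CONFIG, SERVER_CERT, CLIENT_CERT, local_id, remote_id) or "OK")
```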