RV260 support any IPSec VPN that works with Windows embedded client?

So I have several RV260s that work perfectly with OpenVPN, but I'd like to get client-to-site IPsec set up as an alternative. However, nothing I've done seems to work with the Windows built-in client. IKEv1 profiles result in logs stating that no IKE has been chosen, and IKEv2 results in a credential failure. Furthermore, I've noticed that in User Groups I can enable/disable OpenVPN and PPTP, but I cannot select any C2S VPN option; the + sign is always disabled.

2 Replies

nagrajk1969

Hi

If you are really interested in configuring for IPsec clients on RV260 (and RV160, RV340/345, etc.), then I suggest you do the following:

Note: As I have also mentioned later,

1. Windows DOES NOT HAVE A NATIVE PURE IPSEC-CLIENT FOR IKEV1...it DOES HAVE A NATIVE BUILT-IN PURE IPSEC CLIENT USING IKEV2 ONLY

- The other built-in clients are L2TP-with-IPsec (which uses IKEv1 only) and PPTP.

2. For using the Windows-IKEv2-IPsec client, you will need to have certificates (with certain caveats as demanded by the Windows client) for the VPN-server, and a Radius-server on the LAN side of the RV-routers to authenticate for EAP-auth, which is what is used in IKEv2.

3. Xauth authentication is supported ONLY in IKEv1

4. In MacOS & iOS (and iPad-iOS), the IKEv1 client is a Cisco-EzVPN-client (and therefore will work with only RV340/345), and

- there is an L2TP-with-IPsec-IKEv1 client I think, I am not sure about this.

- and there is, just like in Windows, support for IKEv2-IPsec clients, which either use Certificate or EAP-auth because it's IKEv2

- Here too MacOS/iOS have many caveats, and among them the vpn-server requires a certificate to authenticate itself, and the certificates have to be with certain settings

5. And just FYI, the RV260 has support for creating a CA and signing certificates (for IPsec clients, etc.) and these certificates support all the requirements of both Windows and MacOS/iOS clients...so you will need only the Radius-server (say FreeRadius, etc.) for deploying IKEv2-IPsec clients...but it's quite a one-time effort for someone who does not have prior experience in this area

So, first please start with deploying for IKEv1-based IPsec clients (Shrewsoft, Greenbow, Android-phones). Please refer to the steps below for configuring the IKEv1-IPsec vpn server (for all IKEv1 clients) on the RV-routers (it's the same config for all RV160/260/340/345, etc.)

Please refer to the attached screenshots for sample config settings...change as per your deployment and choice

Step-1: Go to User-Groups under System Management, and create a local group, say for example testgroup1

Step-2: Next in User-Accounts under System Management, create the user accounts for each of the clients you will connect and add them into testgroup1

Step-3: Next go to IPsec-Profiles and create the IPsec-algorithm proposal you will configure for the server and clients to use; ensure that for Android-clients you do not enable Perfect-Forward-Secrecy (PFS) in Phase-2 settings....let's say you have named this profile Aes128Sha1Grp2_Aes128Sha1

Step-4: In the VPN, go to the Clients-to-Site section and add a server profile for ALL IKEv1-clients (Android, Greenbow, Shrewsoft)

- follow the configs as shown in the attached screenshots in sequence

Step-5: For this case with Android clients, refer to the screenshot for the IPsec-IKEv1 tunnel config on the Android-phone using PSK-Xauth

- Here the IP address is the WAN IP address of the RV-router. This IP address will also be used by the server for its identifier (local-identifier in the server config)

- the next identifier value is the Android-client's, so enter client.local.net, which was also mentioned in the server config in the remote-id field.

- although not shown in the screenshot of the Android-phone, next below will be the place for giving the user-name and password that this client will use to authenticate (xauth-authentication) to the vpn-server on the RV-router

Note: The same server config will serve for Shrewsoft/Greenbow clients...in which they have to configure local-id-fqdn/client.local.net and remote-id-ipaddress/1.2.3.4....other settings are client-specific, but the values for algorithm, psk, username/password (xauth) will remain the same

Note: Windows has built-in clients for PPTP-client (with MPPE-128), L2TP-with-IPsec & IKEv2-IPsec-Client...there is NO support for an IKEv1-IPsec-Client

- Configuring for IKEv2-IPsec-Client using Windows-IKEv2-clients will be a little complex exercise because Windows-IKEv2 supports EAP-auth and this requires the mandatory use of a Radius-Server behind the RV-routers for offloading the EAP-auth...so it's not that simple...AND even for only EAP-Mschapv2 with username/passwords, Windows-IKEv2-clients will still require the IKEv2-VPN-server to have Certificate-based authentication...and some conditions imposed by Windows/MacOS IKEv2-clients.

- so for now just use the IKEv1 clients.
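As an added illustration (not code from this thread or from Cisco), here is the Windows built-in client that the reply describes, set up from PowerShell: an IKEv2/EAP connection pinned to the Aes128Sha1Grp2_Aes128Sha1 proposal named in the steps above, plus the L2TP/IPsec (IKEv1) fallback. The server FQDN vpn.example.net, the CA file path, the WAN IP 203.0.113.10 and the PSK placeholder are assumptions.

```powershell
# Added example, not from the thread. Assumed values: vpn.example.net (router WAN
# FQDN, must match the CN/SAN of the router's IKEv2 server certificate),
# .\rv260-ca.cer (CA certificate exported from the RV260), 203.0.113.10 (WAN IP).
# Run in an elevated PowerShell session (the Root store import needs admin).

# 1) Trust the CA that signed the router's IKEv2 server certificate. An untrusted
#    chain or a name mismatch against -ServerAddress is a common cause of the
#    generic "credential" failure the Windows IKEv2 client reports.
Import-Certificate -FilePath '.\rv260-ca.cer' `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2) IKEv2 connection using EAP (the default EAP method is EAP-MSCHAPv2), which the
#    router must offload to a RADIUS server on its LAN side, as the reply states.
Add-VpnConnection -Name 'RV260-IKEv2' -ServerAddress 'vpn.example.net' `
    -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required `
    -RememberCredential -Force

# 3) Pin the IKEv2 proposal to the RV260 profile from the reply:
#    Phase 1 AES-128 / SHA1 / DH group 2, Phase 2 AES-128 / SHA1, no PFS.
#    Without this, Windows offers its own defaults and the router may report that
#    no matching proposal was found.
Set-VpnConnectionIPsecConfiguration -ConnectionName 'RV260-IKEv2' `
    -EncryptionMethod AES128 -IntegrityCheckMethod SHA1 -DHGroup Group2 `
    -CipherTransformConstants AES128 -AuthenticationTransformConstants SHA196 `
    -PfsGroup None -Force

# 4) L2TP/IPsec alternative: the only built-in option that negotiates with IKEv1,
#    authenticated with a pre-shared key (placeholder below).
Add-VpnConnection -Name 'RV260-L2TP' -ServerAddress '203.0.113.10' `
    -TunnelType L2tp -L2tpPsk 'REPLACE-WITH-PSK' -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required -Force

# -TunnelType accepts only Pptp, L2tp, Sstp, Ikev2 and Automatic; there is no
# pure-IPsec IKEv1 tunnel type, which matches the reply's point about Windows.
Get-VpnConnection | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod
```

Connect with `rasdial 'RV260-IKEv2' <user> <password>` and, on failure, check the Application log for RasClient event 20227 to see the IKE error code rather than the generic client dialog.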
Thank you for the detailed response!