How to set up RV30 for IKEv2 VPN with EAP auth only

NLO56933
Level 1

Good morning. Hopefully somebody can help me out. I am setting up an RV340 client-to-site IKEv2 VPN with EAP auth only. I cannot connect with EAP; I always get this error:

 

11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

 

I did the following:

1. Created an IPsec profile for IKEv2.

2. Created a Microsoft NPS RADIUS server with EAP-MSCHAPv2 and pointed it to the router.

3. In the router, went to User Accounts -> Remote Auth -> RADIUS and entered the RADIUS server name.

4. Created a user group that allows access to groups in RADIUS.

With this I can log in to the web UI using users in RADIUS.

 

However, when I use the GreenBow VPN client with EAP, I get the following error in the router log:

 

11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
11[CFG] no alternative config found
11[IKE] peer requested EAP, config inacceptable

 

Any ideas or documentation on how to configure this correctly? Thanks

 

 

 

Accepted Solution

nagrajk1969
Spotlight

Hi

 

1. Can you post screenshots (2 pages: basic and advanced) of the IKEv2 VPN-server client-to-site profile you created?

2. What IKEv2 authentication do you want to use for this IKEv2 client-to-site VPN server, and do you also want username/password-based authentication for the remote IKEv2 VPN clients?

3. What algorithm combination have you configured for the IKEv2 profile used in the C2S VPN server? (I am asking this for completeness, although you can set the same algorithm settings used on the server on the GreenBow client too.)

   

Please note:

1. When you intend to use username/password authentication, as with EAP-MSCHAPv2, on the IKEv2 VPN server, it becomes a MUST that the VPN server has an X.509 RSA device certificate configured. The IKEv2 VPN client (in this case the GreenBow client) need not use/have any client certificate. The VPN client will authenticate the server using the server-provided certificate, and on the server side the VPN client will be authenticated via the RADIUS server using the EAP-MSCHAPv2 method and username/password.

- This is what is required for both the Windows native IKEv2 client (using EAP-MSCHAPv2) and the MacOS/iOS IKEv2 clients.

- So that means GreenBow will also have to use the same settings on the client.

 

2. In the C2S server for IKEv2 clients, if you select PSK for IKEv2 authentication, then you cannot enable/use Extended Authentication (for usernames/passwords). In fact, on RV160/260, if you select PSK in C2S for IKEv2 clients, the Extended Auth selection is grayed out in the GUI.

- The reasoning is that when you select PSK for IKEv2 auth in the built-in IKEv2 IPsec client on MacOS/iOS/iPad, there is NO CONFIG/SETTING FOR USERNAME-PASSWORD (using EAP methods), and therefore on RV34X (and on RV160/260) Extended Auth is disabled (on the RV340 GUI, due to a GUI bug I guess, for some reason the Extended Auth button is still selectable, but it does not have any effect when selected).

- PSK is not supported by the Windows native IKEv2 client.

 

3. And in the IKEv2 C2S server, if you want to use certificates only (and not EAP), then here too Extended Auth (username/password using an EAP method) is to be disabled and cannot be configured.

- This is supported on both the Windows native IKEv2 client and the MacOS/iOS/iPad IKEv2 client, so the GreenBow client will need to be configured accordingly.

 

 



nagrajk,

That is very helpful info. I am able to make the PSK work, so to summarize, if I understand correctly:

IKEv2 can work via PSK, or

IKEv2 can work with EAP, if we have multi-auth with EAP (RADIUS) and an X.509 RSA certificate, or

IKEv2 with certificate only.

Thanks for all the help.

nagrajk1969
Spotlight

Hi

 

As a start, you can configure using the procedure mentioned below, using PSK. You will not require RADIUS/EAP and username/password for establishing the IKEv2 C2S tunnels from GreenBow and/or MacOS/iOS IKEv2 clients.

 


----------------------------------------------------------------------------
RV260/RV34X C2S IKEv2 VPN Server for MacOS-iOS & Greenbow IKEv2 Clients using PSK-auth only
----------------------------------------------------------------------------

- Configure the C2S server on RV34X/RV260 as below:


Step-1: In IPsec Profiles, configure the IPsec algorithm profile below; it is used by the Mac/iOS clients and the GreenBow clients too

Name: Ikve2_MaciOS_GB_ClientsProfile
Version: IKEv2
Phase-1: AES128-SHA1-GROUP2; Lifetime: 28800sec
Phase-2: ESP; AES256-SHA256; pfs=no; lifetime:3600sec

- apply and do a permanent save too

 

Step-2: In Basic Settings tab

- add and configure a C2S vpn server as below:

Enable: Yes/Checked
Tunnel Name: Ikev2_MaciOS_GBClients_wPSKonly
Ipsec Profile: Ikve2_MaciOS_GB_ClientsProfile
Interface: WAN1

IKE Authentication Method
Pre-shared Key: Test$123456789

Local Identifier:
- select FQDN
- enter this server fqdn/dns-name: rv34x.servergw.local

Remote Identifier:
- select FQDN
- enter * (star/asterisk) as the wildcard value here.

- Note: This wildcard (*/asterisk) is required to support multiple Mac/iOS/GB clients connecting to this VPN server using PSK auth


Extended Authentication: DISABLE/UNCHECKED

- Note: DO NOT ENABLE/SELECT EXTENDED AUTHENTICATION

Pool Range for client LAN:

Start ip: 10.30.1.100
End ip: 10.30.1.150


Step-3: In the Advanced settings tab

Remote Endpoint : Dynamic IP

- It should be Dynamic IP only, as multiple clients will be connecting to this server

Local Group Setup
Local IP Type: ANY


Mode Configuration

DNS/WINS/default domain/etc.: to be configured as per the user's requirements


Step-4: Click on Apply and do a permanent save too


##################################################################

----------------------------
On MacOS/iOS/IPad Clients
-----------------------

For IKEv2 tunnel with PSK only:

1. On the desktop of the Mac client, click on the Wi-Fi icon and go to "Open Network Preferences"

 

2. Click on + to create a new service:

- select the VPN interface
- IKEv2 as VPN type, and
- give a name “ClientV2_wPSK”

 

3. In the page that is displayed, click first on "Authentication Settings"

- Select "None" only, and do not select Certificate (or Use Certificate)

- For PSK-based IKEv2 auth, select "Secret" and enter the pre-shared key, e.g. Test$123456789

 

4. Now we are back on the main config page

a) Enter the "Server Address" as the DNS name of the RV34X/RV260 router's WAN IP address, e.g. "rv34x.servergw.local"
Note: This FQDN/DNS name should be (MUST be) resolvable by the DNS server configured on the Mac client to the public IP address of the WAN interface of the RV34X/RV260

b) For "Remote-ID" enter the value rv34x.servergw.local (without quotes)

c) For "Local-ID" keep the value empty; do not edit or enter any value here

 

5. You are done (save the config). If the C2S server on the RV34X/RV260 is ready, you may click on Connect on this MacOS/iPad/iOS client


------------------------
On GreenBow IKEv2-clients
-------------------------
Among all the config settings that are to be applied, the ones below are the important and core configs that need to be applied on each of the GB clients

1. In the IKEv2 SA config,
- select PSK and enter the value: Test$123456789
- configure the cryptography/algorithm settings the same as on the server above

 

2. In the Advanced page, configure as below:

Local-ID: <leave this empty or blank>

Note: do not configure any value in the Local-ID; the result is that the GreenBow client will by default always use its IP address as the Local Identifier during the IKEv2 auth phase


Remote-ID: rv34x.servergw.local

 

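An added Python example (not from this thread, Cisco or GreenBow) that encodes the constraints from the accepted answer and the PSK-only procedure as a profile check, and scans charon log lines like the ones quoted in the question for the EAP-mismatch signature. The profile keys (ike_auth, extended_auth, remote_identifier, ...) and the log sample are my own constructions, not RV340 setting names.

```python
import re

# Constructed charon log lines modelled on the router log quoted in the question.
SAMPLE_LOG = """\
11[IKE] peer requested EAP, config inacceptable
11[CFG] no alternative config found
11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Markers that, taken together, mean the client asked for EAP but no C2S profile offers it.
MARKERS = {
    "eap_requested": re.compile(r"\[IKE\] peer requested EAP, config inacceptable"),
    "no_alt_config": re.compile(r"\[CFG\] no alternative config found"),
    "auth_failed": re.compile(r"\[ENC\] generating IKE_AUTH response \d+ \[ N\(AUTH_FAILED\) \]"),
}

def diagnose_ike_auth(log_text):
    """Return a diagnosis for a failing IKE_AUTH, or None if no failure markers are present."""
    lines = log_text.splitlines()
    hits = {name for name, rx in MARKERS.items() if any(rx.search(line) for line in lines)}
    if "eap_requested" in hits and "auth_failed" in hits:
        return "client offered EAP but the C2S profile does not allow it (PSK or cert-only profile)"
    if "auth_failed" in hits:
        return "IKE_AUTH failed for another reason (check identifiers and credentials)"
    return None

def check_c2s_profile(p):
    """Apply the accepted answer's rules to a C2S profile dict; return a list of problems."""
    problems = []
    auth = p["ike_auth"]  # hypothetical key: "psk", "eap" or "certificate"
    if auth == "psk":
        if p.get("extended_auth"):
            problems.append("PSK profiles cannot use Extended Authentication (EAP)")
        if p.get("remote_identifier") != "*":
            problems.append("PSK with multiple clients needs the wildcard '*' remote identifier")
    elif auth == "eap":
        if not p.get("server_certificate"):
            problems.append("EAP-MSCHAPv2 needs an X.509 RSA device certificate on the server")
        if not (p.get("extended_auth") and p.get("radius_server")):
            problems.append("EAP needs Extended Authentication with a RADIUS server")
    elif auth == "certificate":
        if p.get("extended_auth"):
            problems.append("certificate-only profiles must have Extended Authentication disabled")
    else:
        problems.append(f"unknown IKE authentication method: {auth}")
    if p.get("remote_endpoint") != "dynamic":
        problems.append("remote endpoint must be Dynamic IP for multiple clients")
    return problems
```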