How to use our IPSec RSA (IKEv2)
Posted by Max Biggavelli on 25 September 2014 00:35


Benefits of IKEv2:

[+] IKEv2 is light on bandwidth and faster

[+] IKEv2 is more compatible and portable in many aspects

[+] IKEv2 provides inbuilt NAT Traversal

[+] IKEv2 has inbuilt tunnel liveness checks: if the tunnel breaks down on the peer, it can detect this and re-establish the tunnel

[+] IKEv2 provides comprehensive authentication capabilities. It provides EAP authentication and hence it is suitable to integrate with existing authentication systems in Enterprises

[+] All versions of Windows since 2000/XP and Mac OS X 10.3+ have built-in support for IKEv2 (yes, even Windows 10)

[+] Fast speed even while traffic is still being encrypted (latest tests show slightly/notably better speed results compared to OpenVPN over UDP, and even more so over TCP!)

[+] Supports port forwarding

[+] IPsec is a known secure standard and has shown no known critical vulnerabilities when used in conjunction with AES

[+] On a mobile device with iOS (iPhone) or Android it is the fastest to set up and configure, as it is supported natively (no additional software needs to be installed)

[+] IP change and Encryption for ALL Applications

[+] Easy Profile installation for iOS, one click and go


Downsides of IKEv2:

[-] None yet..

 


Connect details:

Hostname: uXXXXX.nvpn.so (you can find your uXXXXX.nvpn.so hostname in your .ovpn config file)
Username: Your VPN username
Password: Your VPN password
Download "client.p12": here
Certificate password: nvpn 

 

 

Windows Vista/7/8/10 Certificate setup procedure

Installing the required "client.p12" certificate *German version* (English version here):


1. Click on the Start Menu and type “mmc” into the search box (or simply press Win key + R)

https://nvpn.net/images/ikev2_german_1.jpg

2. Click on Datei -> Snap-in hinzufügen/entfernen.. (or simply press Ctrl (STRG) + M)

https://nvpn.net/images/ikev2_german_2.jpg

3. Choose "Zertifikate" and double click it

https://nvpn.net/images/ikev2_german_3.jpg

4. Choose "Computerkonto" and click "Weiter". In the next window keep everything as it is and click "Fertig stellen"

https://nvpn.net/images/ikev2_german_4.jpg

 

https://nvpn.net/images/ikev2_german_5.jpg

 

https://nvpn.net/images/ikev2_german_6.jpg

5. Open "Zertifikate (Lokaler Computer)" -> "Eigene Zertifikate" -> "Zertifikate" and there click on Importieren

https://nvpn.net/images/ikev2_german_7.jpg

Choose the location of the certificate file "client.p12" (I created an ikev2 folder in Downloads only for presentation purposes). Now choose "Privater Informationsaustausch *.pfx; *.p12" as the file type so you can find the file.

https://nvpn.net/images/ikev2_german_8.jpg


Once you see the file, choose it and proceed..

https://nvpn.net/images/ikev2_german_9.jpg

 

In the next window do everything as shown below and use as password: nvpn 

https://nvpn.net/images/ikev2_german_10.jpg

https://nvpn.net/images/ikev2_german_11.jpg

 

Now finish the import wizard and your window must look the same as below! We see two certs "nVpn Root CA" and "nvpn.so"

https://nvpn.net/images/ikev2_german_12.jpg

 

Now important: As next step we need to copy these two files into "Vertrauenswürdige Stammzertifizierungsstellen" as well, so select the two files and make a COPY.

https://nvpn.net/images/ikev2_german_13.jpg

Open the "Vertrauenswürdige Stammzertifizierungsstellen" -> "Zertifikate" tree and there choose "Einfügen"

https://nvpn.net/images/ikev2_german_14.jpg

Verify that the two files are showing up

https://nvpn.net/images/ikev2_german_15.jpg 

 

6. The import of the required certificates is now finished. We proceed to the next important step, in which we have to edit a registry key and add a new DWORD value, so open your registry now:

"Windows Start button"
"regedit"

Once in the registry, navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters" and there add a new DWORD value named "DisableIKENameEkuCheck" and set its value to "1"

https://nvpn.net/images/ikev2_german_16.jpg

https://nvpn.net/images/ikev2_german_17.jpg

Verify that everything looks as below, so that "DisableIKENameEkuCheck" exists and that its value is "1"

https://nvpn.net/images/ikev2_german_18.jpg
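
To check from an elevated PowerShell prompt what steps 5 and 6 left on the machine, the following read-only audit lists the imported certificates in both machine stores and reads the registry value. It is an added example, not part of the original article or nVPN's own tooling. It assumes PowerShell 3.0 or later, takes its subject patterns from the two certificate names shown above, and the function name Get-NvpnIkev2State is hypothetical.

```powershell
# Added example: read-only audit of the certificate and registry changes above.
# Run elevated. Changes nothing on the system.
function Get-NvpnIkev2State {
    param(
        # Assumption: patterns derived from the names "nVpn Root CA" and "nvpn.so".
        [string[]]$SubjectPattern = @('*nVpn Root CA*', '*nvpn.so*')
    )

    # 'My' = "Eigene Zertifikate", 'Root' = "Vertrauenswürdige Stammzertifizierungsstellen".
    $certs = foreach ($store in 'My', 'Root') {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" | Where-Object {
            $subject = $_.Subject
            [bool]($SubjectPattern | Where-Object { $subject -like $_ })
        } | ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
                Thumbprint    = $_.Thumbprint
            }
        }
    }

    # With this value set to 1, Windows skips the name/EKU check on the
    # VPN server's certificate during IKEv2 negotiation.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
    $prop = Get-ItemProperty -Path $key -Name 'DisableIKENameEkuCheck' -ErrorAction SilentlyContinue
    $eku  = if ($prop) { $prop.DisableIKENameEkuCheck } else { $null }

    [pscustomobject]@{
        Certificates           = @($certs)
        DisableIKENameEkuCheck = $eku
        # Entries in the trusted-root store that are not self-signed CA certificates.
        NonRootCertsInRootStore = @($certs | Where-Object { $_.Store -eq 'Root' -and -not $_.SelfSigned })
    }
}

$state = Get-NvpnIkev2State
$state.Certificates | Format-Table Store, Subject, SelfSigned, HasPrivateKey, NotAfter -AutoSize
"DisableIKENameEkuCheck = $($state.DisableIKENameEkuCheck)"
"Non-root certificates in trusted-root store: $($state.NonRootCertsInRootStore.Count)"
```

After following the steps as written, both certificates should appear in both stores and the registry value should read 1; an empty value means the DWORD was not created.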

 

Important note: Windows 10 in its current state has bugs with IKEv2 (latest build tested: 10240). If you use the "normal" setup method, your IP will NOT change!
In the meantime we have found a workaround that requires just a few extra steps. If you use Windows 10, make sure to proceed from step 7.2 now; if you use Windows Vista/7/8, proceed with step 7.1.

 

Step 7.1 (Windows Vista/7/8)

If everything is done we proceed to the L2TP/IPsec IKEv2 connection settings. Click on the Start Menu and type “VPN” into the search box.

https://nvpn.net/images/01_l2tp.png

 

Enter your unique "uXXXXXX.nvpn.so" hostname in the Internet address field (you can find your DNS hostname in your .ovpn config file!) and set the Destination name to "nVPN", for example. Lastly, make sure that the checkbox labelled “Don’t connect now; just set it up so I can connect later” is checked. Then click the “Next” button.

https://nvpn.net/images/02_l2tp.jpg


Enter your VPN Username and your VPN Password and tick "Remember this password". Then click the "Create" button.

https://nvpn.net/images/03_l2tp.jpg

 

Click on the Start Menu, type the word “Network” into the search box, and click on “Network and Sharing Center”.

https://nvpn.net/images/04_l2tp.jpg

 

When the Network and Sharing Center opens, click on “Connect to a network”.

https://nvpn.net/images/05_l2tp.jpg

 

When you click on “Connect to a network”, a list of Connections appears. Right click on the “nVPN” connection and choose “Properties”.

Go to the Options tab and make sure to DISABLE "Include Windows logon domain" (in German: "Windows Anmeldedomäne einbeziehen") exactly as shown below!

https://nvpn.net/images/ikev2_german_19.jpg

 

Switch to the Security tab, choose "IKEv2" as the type and choose "EAP-MSCHAP v2"

https://nvpn.net/images/ikev2_german_20.jpg

Click on Advanced settings and DISABLE the Mobility check

https://nvpn.net/images/ikev2_german_21.jpg

 

That's it for the settings, finally time to connect! Again we go to "Connect to a network", and "nVPN" will show up in the connection list. Click on "Connect".

https://nvpn.net/images/05_l2tp.jpg

Click on "Connect" as shown in both panels and that's it!

https://nvpn.net/images/08_l2tp.png https://nvpn.net/images/09_l2tp.png

Setup for Windows Vista/7/8 is finished at this point. After connecting successfully, verify your IP change here: http://check.nvpn.net 

 


Step 7.2 (Windows 10 only!)

Download the following file and place it on your desktop: nVPN-IKEv2.pbk (Important: use "Save Link As.." and save it on your desktop)

Go to your desktop and double click on this "nVPN-IKEv2.pbk" file: 

https://nvpn.net/images/double_click.jpg

A new window appears, click OK:

https://nvpn.net/images/leerer_telefonbuch_eintrag.jpg

Choose "Arbeitsplatznetzwerk":

https://nvpn.net/images/arbeitsplatznetzwerk.jpg

Enter your unique "uXXXXXX.nvpn.so" hostname in the Internet address field (you can find your DNS hostname in your .ovpn config file!) and set the Destination name to "nVPN-IKEv2", for example. Lastly, make sure that the checkbox labelled “Save login” is checked. Then click the “Erstellen” button.

https://nvpn.net/images/erstelle_verbindung.jpg

Click "Eigenschaften"

https://nvpn.net/images/eigenschaften.jpg

Switch to the "Sicherheit" tab and select "IKEv2"

https://nvpn.net/images/sicherheit.jpg

Click on "Erweiterte Einstellungen" and disable "Mobilität":

https://nvpn.net/images/mobility.jpg

Choose Datenverschlüsselung and select "Erforderlich (Verbindung trennen, falls Server dies ablehnt)"

https://nvpn.net/images/sicherheit2.jpg

Under Authentifizierung select "(EAP-MSCHAP v2) (Verschlüsselung aktiviert)"

https://nvpn.net/images/sicherheit3.jpg

If you don't use IPv6, make sure to disable it; otherwise keep it activated:

https://nvpn.net/images/netzwerk.jpg

Once everything is completed, click on OK and start to connect:

https://nvpn.net/images/verbinden.jpg

https://nvpn.net/images/verbinden2.jpg


After connecting you will not see anything. To check whether you are properly connected, double-click the "nVPN-IKEv2.pbk" file on your desktop again; the following should now appear:

https://nvpn.net/images/auflegen.jpg 

"Auflegen" means you are successfully connected to IKEv2, verify the IP change here: http://check.nvpn.net 

To disconnect from IKEv2 again, click "Auflegen" and the VPN will disconnect. That's it.

 

 

 

 

Setting up IKEv2 on Mac OS:

Open your Network Preferences, click on the [+] sign and choose "VPN", "Cisco IPSec" and name it "nVPN - IKEv2".

Server Address: uXXXXX.nvpn.so (you can find your uXXXXX.nvpn.so hostname in your .ovpn config file)
Account Name: Your VPN username
Password: Your VPN password
Click on "Authentication Settings":
Shared Secret: NVPN0PSK9

Confirm your settings and click on "Apply", then click on "Connect".

 

 


Android setup procedure

1. Go to the Google play store and search for "strongSwan VPN Client"

( alternatively simply use this link: https://play.google.com/store/apps/details?id=org.strongswan.android )

Install the software, but don't open it yet.

2. Open your Android browser and download the required "client.p12" certificate: https://nvpn.net/tools/client.p12 

3. After the download is complete, go to your downloads location and tap the "client.p12" file. It will ask for a password to extract; use as password: nvpn

4. A new window opens now. Keep everything as it is, make sure "Credential use: VPN and apps" (German: "Verwendung der Anmeldedaten: VPN und Apps") is chosen and hit OK. Installation of the certificate is finished.

5. Open the "strongSwan VPN Client" now, click on "ADD VPN PROFILE" (German: "PROFIL HINZUFÜGEN") and use the settings below.


Server: YourCountryHere.nvpn.so (replace "YourCountryHere" with the short name of your currently assigned country; you can find the short name for each country in the members area. For example, if you use Germany the short name is "ger" and the final hostname is therefore "ger.nvpn.so". It must be typed in lowercase letters!)
Type: IKEv2 EAP (Username/Password)
Username: Your VPN username
Password: Your VPN password
Profilename: nVPN (IKEv2)
Server-Identity: nvpn.so

 

 

 

For iOS there are two ways to connect: the older "Cisco IPsec" approach and the pure "IKEv2" profile approach. The "IKEv2" profile approach is the most modern, recent and preferred way!


1. Setting up pure IKEv2 Profile on iPhone/iPad (iOS):

On your iOS device of choice, open the Safari browser and click on the following link: https://nvpn.net/memberss/ikev2.php

In case you are not currently logged in to the members area, you will be redirected to the members area login mask. Log in and click on the download link for the "nvpn-ikev2.mobileconfig" file.

iOS now prompts you to install the IKEv2 profile. Allow all installation steps and afterwards head over to the "VPN" section and click on "Connect". A password prompt appears; enter your nVpn account password and that's it, you are connected to the VPN now.

If you want to save your nVpn account password for future use, simply edit the "nVPN" profile and set your password, so that next time you won't be required to enter the password again. 



2. Alternatively, setting up Cisco IPsec on iPhone/iPad (iOS):

From your Home screen go to "Settings" -> "General" -> "VPN" -> "Add VPN Configuration" -> "IPsec" 

Description: nVPN (IKEv2)
Server: uXXXXX.nvpn.so (you can find your uXXXXX.nvpn.so hostname in your .ovpn config file)
Account: Your VPN username
Password: Your VPN password
Secret: NVPN0PSK9

To connect, save it and activate the "nVPN (IKEv2)" connection.
