How to use our IPSec RSA (IKEv2)
Posted by Max Biggavelli on 25 September 2014 00:35
[+] IKEv2 is light on bandwidth and faster
[+] IKEv2 is more compatible and portable in many aspects
[+] IKEv2 provides inbuilt NAT Traversal
[+] IKEv2 has inbuilt tunnel liveness checks; if the tunnel breaks down on the peer, it can detect this and re-establish the tunnel
[+] IKEv2 provides comprehensive authentication capabilities. It provides EAP authentication and hence it is suitable to integrate with existing authentication systems in Enterprises
[+] All versions of Windows since 2000/XP and Mac OSX 10.3+ have built-in support for IKEv2 (yes, even Windows 10)
[+] Fast speed even while traffic is still being encrypted (latest tests show slightly/notably better speed results compared to OpenVPN UDP and even more so over TCP!)
[+] Supports port forwarding
[+] IPsec is a known secure standard and has shown no known critical vulnerabilities when used in conjunction with AES
[+] Using a mobile device with iOS (iPhone) or Android it is the fastest to set up and configure, as it is supported natively (no additional software required to install)
[+] IP change and Encryption for ALL Applications
[-] None yet..
Hostname: uXXXXX.nvpn.so (you can find your uXXXXX.nvpn.so hostname in your .ovpn config file)
Windows Vista/7/8/10 Certificate setup procedure
Installing the required "client.p12" Certificate *German version* (English version here):
2. Click on Datei -> Snap-in hinzufügen/entfernen.. (or simply do STRG + m)
3. Choose "Zertifikate" and double click it
4. Choose "Computerkonto" and click Weiter; in the next window keep everything as it is and click Fertig stellen
5. Open "Zertifikate (Lokaler Computer)" -> "Eigene Zertifikate" -> "Zertifikate" and there click on Importieren
Choose the location of the Certificate "client.p12" file (I created an ikev2 folder in Downloads only for presentation purposes). Now choose "Privater Informationsaustausch *.pfx; *.p12" so you can find the file.
In the next window do everything as shown below and use as password: nvpn
Now finish the import wizard and your window must look the same as below! We see two certs "nVpn Root CA" and "nvpn.so"
Now important: As next step we need to copy these two files into "Vertrauenswürdige Stammzertifizierungsstellen" as well, so select the two files and make a COPY.
Open the "Vertrauenswürdige Stammzertifizierungsstellen" -> "Zertifikate" tree and there choose "Einfügen"
Verify that the two files are showing up
6. The import of the required certificates is now finished. We proceed to the next important step, where we have to edit a registry key and add a new DWORD value, so open your registry now:
"Windows Start button"
Verify that everything looks as below, so that "DisableIKENameEkuCheck" exists and that its value is "1"
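The two verification steps above (both certificates present in both stores, and "DisableIKENameEkuCheck" set to 1) can also be checked from a PowerShell prompt. This is an added example, not part of the original guide; the registry path is the standard RasMan parameters key, which the guide does not spell out, and is an assumption, as are the function and parameter names.

```powershell
# Added example: read-only audit of what steps 5 and 6 changed on this machine.
param(
    # Names of the two certificates as listed in step 5 of the guide.
    [string[]]$Names = @('nVpn Root CA', 'nvpn.so'),
    # Assumption: standard RasMan parameters key; the guide does not print the path.
    [string]$RasManKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
)

function Get-VpnCertReport {
    param([string[]]$Names)
    foreach ($store in 'My', 'Root') {
        foreach ($cert in Get-ChildItem -Path "Cert:\LocalMachine\$store") {
            # Keep only certificates whose subject contains one of the names.
            if (-not ($Names | Where-Object { $cert.Subject -like "*$_*" })) { continue }
            $isCa = $false
            $eku  = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
                    $isCa = $ext.CertificateAuthority
                }
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    $eku = @($ext.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName })
                }
            }
            New-Object psobject -Property @{
                Store = $store; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
                NotAfter = $cert.NotAfter; HasPrivateKey = $cert.HasPrivateKey
                IsCA = $isCa; EKU = ($eku -join ', ')
            }
        }
    }
}

function Get-EkuCheckState {
    param([string]$Key)
    $prop = Get-ItemProperty -Path $Key -Name 'DisableIKENameEkuCheck' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'absent' }
    return [int]$prop.DisableIKENameEkuCheck
}

$report = @(Get-VpnCertReport -Names $Names)
$report | Select-Object Store, Subject, HasPrivateKey, IsCA, EKU, NotAfter, Thumbprint | Format-List
# Step 5 expects each name in both stores: "Eigene Zertifikate" (My) and
# "Vertrauenswürdige Stammzertifizierungsstellen" (Root).
foreach ($name in $Names) {
    $stores = @($report | Where-Object { $_.Subject -like "*$name*" } | ForEach-Object { $_.Store })
    "{0}: found in [{1}]" -f $name, ($stores -join ', ')
}
"DisableIKENameEkuCheck = $(Get-EkuCheckState -Key $RasManKey) (step 6 expects 1)"
```

The Thumbprint column identifies the exact entries to remove from both stores once the VPN is no longer used, and IsCA and HasPrivateKey show what kind of certificate was placed in the trusted root store.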
Important note: Windows 10 in its current state has bugs (latest build tested: 10240) with IKEv2. If you use the "normal" setup method your IP will NOT change!
Step 7.1 (Windows Vista/7/8)
If everything is done we proceed to the L2TP/IPsec IKEv2 connection settings. Click on the Start Menu and type “VPN” into the search box.
Enter your unique "uXXXXXX.nvpn.so" hostname in the Internet address field (you find your DNS hostname in your .ovpn config file!!) and set as Destination name "nVPN" for example. Lastly, make sure that the checkbox labelled “Don’t connect now; just set it up so I can connect later” is checked. Then click the “Next” button.
Click on the Start Menu, type the word “Network” into the search box, and click on “Network and Sharing Center”.
When the Network and Sharing Center opens, click on “Connect to a network”.
When you click on “Connect to a network”, a list of Connections appears. Right click on the “nVPN” connection and choose “Properties”.
Go to options tab and make sure to DISABLE the "Include Windows logon domain" (in german: "Windows Anmeldedomäne einbeziehen") exactly as shown below!
Go to the Security tab, choose "IKEv2" as the type and choose "EAP-MSCHAP v2"
Click on Advanced settings and DISABLE the Mobility check
That's it for the settings, finally time to connect! Again we go to "Connect to a network" and "nVPN" will be showing up in the connection list. Click on "Connect".
Click on "Connect" as shown in both panels and that's it!
Setup for Windows Vista/7/8 is finished at this point. After the successful connect, verify your IP change here: http://check.nvpn.net
Download the following file and place it on your Desktop: nVPN-IKEv2.pbk (Important: use "Save Link As.." and save it on your desktop)
Go to your desktop and double click on this "nVPN-IKEv2.pbk" file:
A new window appears; click OK:
Enter your unique "uXXXXXX.nvpn.so" hostname in the Internet address field (you find your DNS hostname in your .ovpn config file!!) and set as Destination name "nVPN-IKEv2" for example. Lastly, make sure that the checkbox labelled “Save login” is checked. Then click the “Erstellen” button.
Go to the "Sicherheit" tab and select "IKEv2"
Click on "Erweiterte Einstellungen" and disable "Mobilität":
Choose Datenverschlüsselung and select "Erforderlich (Verbindung trennen, falls Server dies ablehnt)"
Under Authentifizierung select "(EAP-MSCHAP v2) (Verschlüsselung aktiviert)"
If you don't use IPv6 make sure to disable it, otherwise keep it activated:
If everything is completed, click on OK and start to connect:
"Auflegen" means you are successfully connected to IKEv2, verify the IP change here: http://check.nvpn.net
Setting up IKEv2 on Mac OS:
Open your Network Preferences, click on the [+] sign and choose "VPN", "Cisco IPSec" and name it "nVPN - IKEv2".
Server Address: uXXXXX.nvpn.so (you can find your uXXXXX.nvpn.so hostname in your .ovpn config file)
Confirm your settings and click on "Apply", now click on "Connect".
1. Go to the Google play store and search for "strongSwan VPN Client"
( alternatively simply use this link: https://play.google.com/store/apps/details?id=org.strongswan.android )
Install the software, but don't open it yet.
2. Open your Android browser and download the required "client.p12" certificate: https://nvpn.net/tools/client.p12
3. After the download is complete, go to your downloads location click on the "client.p12" file and it will ask for a password to extract, use as password: nvpn
4. A new window opens now, keep all as it is and make sure "Credential use: VPN and apps" (german "Verwendung der Anmeldedaten: VPN und Apps") is chosen and hit OK. Installation of the certificate is finished.
5. Open the "strongSwan VPN Client" now and click on "ADD VPN PROFILE" (german "PROFIL HINZUFÜGEN") and use settings like below.
For iOS there are two ways to connect: one being the older "Cisco IPsec" and the other being the pure "IKEv2" profile approach, where the "IKEv2" Profile approach is the most modern, recent and preferred way!
On your iOS device of choice, open the Safari browser and click on the following link: https://nvpn.net/memberss/ikev2.php
In case you were not currently logged into the members area, you will be redirected to the members area login mask now. Log in and click on the Download link for the "nvpn-ikev2.mobileconfig" file.
iOS now prompts you to install the IKEv2 Profile. Allow all installation steps and afterwards head over to the "VPN" section and click on "Connect". A password prompt appears; enter your nVpn account password and that's it, you are connected to the VPN now.
From your Home screen go to "Settings" -> "General" -> "VPN" -> "Add VPN Configuration" -> "IPsec"
Description: nVPN (IKEv2)
To connect, save it and activate the "nVPN (IKEv2)" connection.