IKEv2 mobile IPsec VPN - Pre-shared key authentication

This document describes the VPN configuration required to allow remote users – also known as mobile or nomad users – to securely access their internal corporate networks from a Microsoft workstation on which SN VPN Client Standard has been installed.

The authentication method presented in this tutorial relies on the use of each user’s pre-shared key.
The IPsec tunnels described in this technical note use version 2 of the IKE protocol.

Two configuration modes are covered here:

  • Config mode, in which clients automatically receive all the network parameters needed to set up the IPsec VPN tunnel. While this mode may seem simpler, it has a major limitation: only one network protected by the firewall can be defined as reachable by mobile users. Network groups or multiple networks therefore cannot be selected.
  • Manual assignment of IP addresses to each user and manual configuration of the VPN client. Unlike Config mode, in this configuration, you can define several networks that are protected by the firewall and can be contacted by mobile users.

Requirements

  • An LDAP directory must be configured on the firewall.
    If this has not yet been done, refer to the section Directories configuration in the SNS User guide.
  • Every user defined in the LDAP directory must have an individual e-mail address.
  • Install SN VPN Client Standard on the Microsoft client workstation. It is available in Downloads > Stormshield Network Security > VPN Client in your Mystormshield area (a software license is required after a 30-day trial period), or as the TheGreenBow IPsec VPN client.
  • The IPsec policy used must contain only IKEv2 IPsec peers (site-to-site and mobile tunnels).
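Because the mobile-user configuration relies on each LDAP user having an individual e-mail address, it is worth verifying the directory before building the VPN policy. The following script is an added example, not part of the original note or of Stormshield's tooling: it parses a minimal LDIF export (the sample below is constructed) and reports users with no `mail` attribute and addresses shared by more than one entry.

```python
"""Audit an LDAP export for the mobile VPN requirement that every user
has an individual e-mail address (added example; sample data is constructed)."""
from collections import defaultdict

# Constructed LDIF export for demonstration; not taken from any real directory.
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
mail: alice@example.com

dn: uid=bob,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
mail: bob@example.com

dn: uid=carol,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol

dn: uid=dave,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: dave
mail: bob@example.com
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Entries are separated by blank lines; a line beginning with a single
    space continues the previous attribute value (LDIF line folding).
    Base64-encoded values ("attr:: ...") are kept as-is, not decoded.
    """
    entries = []
    current = None
    last_key = None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last_key:
            current[last_key][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_key = None, None
            continue
        if raw.startswith("#"):
            continue
        key, _, value = raw.partition(":")
        key = key.strip().lower()
        if current is None:
            current = defaultdict(list)
        current[key].append(value.strip())
        last_key = key
    if current:
        entries.append(current)
    return entries


def audit_mail_attribute(entries, attr="mail"):
    """Return (missing, duplicates).

    missing: DNs of entries that carry no value for `attr`.
    duplicates: {address: [dn, ...]} for addresses used by more than one entry.
    Addresses are compared case-insensitively.
    """
    missing = []
    by_mail = defaultdict(list)
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        values = [v.lower() for v in entry.get(attr, []) if v]
        if not values:
            missing.append(dn)
        for value in values:
            by_mail[value].append(dn)
    duplicates = {m: dns for m, dns in by_mail.items() if len(dns) > 1}
    return missing, duplicates


if __name__ == "__main__":
    missing, duplicates = audit_mail_attribute(parse_ldif(SAMPLE_LDIF))
    for dn in missing:
        print(f"MISSING mail attribute: {dn}")
    for address, dns in duplicates.items():
        print(f"DUPLICATE {address}: {', '.join(dns)}")
    if not missing and not duplicates:
        print("All users have an individual e-mail address.")
```

Run it against an `ldapsearch -LLL` export of the user branch instead of the embedded sample; any entry reported as missing or duplicated must be fixed in the directory before that user can be matched to a mobile VPN peer.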