Configuring the VPN client

On the user's Microsoft Windows workstation:, open the connection window of the VPN client:

  1. Right-click on the icon found in the Windows system tray (hidden icons):
  2. Select Connection panel.

For the purposes of the example presented in this tutorial, we assumed that mobile clients could access two separate, discontiguous networks via IPsec: Network 192.168.1.0/24 and Network 192.168.128.0/24.
Two separate Phase 2 configurations therefore need to be created for this configuration – one for each network. You need to create as many Phase 2 configurations as the number of discontiguous networks that the VPN clients can reach.
Do note that each of these Phase 2 configurations will use a separate VPN client IP address.

Configuring Phase 1

  1. In the VPN configuration tree, right-click on IKEv2.
  2. Select New IKE auth.
    An entry named Ikev2Gateway by default is added to the IKEv2 tree.
  3. Right-click on Ikev2Gateway and select Rename to give this entry the name of your choice (Ikev2GwStandard in the example).
  4. Click on this entry.
  5. In the Protocol tab > IdentityLocal ID field, select E-mail from the drop-down list and enter the e-mail address of the workstation user.
  6. In the Protocol tab > Advanced features section, select the Fragmentation checkbox and indicate the size of IKE fragments as defined on the firewall (1280 bytes according to Stormshield’s recommendations).

  7. In the Authentication tab > Remote router address > Remote router address field, enter the public IP address or FQDN of the firewall with which the VPN client must set up a tunnel.
    If you choose to use an FQDN, ensure that the DNS servers on the workstation have resolved it before you set up the tunnel.
  8. In the Authentication tab > Authentication > Preshared key field, enter and confirm the pre-shared key defined for this user on the firewall.
  9. Click on the upper menu Configuration > Save to save this configuration.

Configuring Phase 2 for the first network

  1. In the VPN configuration > IKEv2 tree, right-click on the Phase 1 configuration created earlier (Ikev2GwStandard in the example).
  2. Select New Child SA.
    An entry named Ikev2Tunnel by default is added to the selected Phase 1 configuration.
  3. Right-click on Ikev2Tunnel and select Rename to give this entry the name of your choice (Ikev2Net1Tunnel in the example).
  4. In the Child SA tab > Traffic selectors > VPN Client address field, enter the IP address of the client (192.168.9.1 in the example). This address must belong to the network defined in the section Defining a network object that contains IP addresses assigned to mobile peers.
  5. In the Child SA tab > Traffic selectors > Address type field, select Network address.
  6. In the Remote network address field, enter the address of the first reachable network (192.168.1.0 in the example).
  7. In the Subnet mask field, enter the mask associated with this network (255.255.255.0 in the example).
  8. In the Advanced tab > Alternative servers, if necessary, define a DNS suffix and Alternative (DNS) Servers to be used for this IPsec VPN tunnel.
  9. Click on the upper menu Configuration > Save to save this configuration.

The IKEv2 tunnel to reach the first network in the example is now configured.

Configuring Phase 2 for the second accessible network

Apply the method described in the section Configuring Phase 2 for the first network to define the tunnel that enables access to the second network.

In the example given, the parameters used for the second tunnel are:

  • Phase 2 name: Ikev2Net2Tunnel
  • VPN client IP address: 192.168.9.2
  • Network IP address: 192.168.128.0
  • Mask: 255.255.255.0