Getting started

In versions prior to SNS 4.8, only IKEv1-based mobile tunnels allowed multifactor authentication (MFA) for mobile users via Xauth. IKEv2 does not support Xauth.

As IKEv1 is an old protocol and ANSSI recommends IKEv2-based solutions for higher security, SNS version 4.8 introduces multifactor authentication (MFA) support for IKEv2-based mobile tunnels set up via EAP (Extensible Authentication Protocol).

There are two ways to proceed with this multifactor authentication:

  • EAP-Generic Token Card: the mobile peer must present a login/password pair,
  • Certificate and EAP-Generic Token Card: the mobile peer must present a certificate and a login/password pair.

SN IPsec VPN Client Exclusive v7.4 or a higher version has to be installed on the client workstation in order to be compatible with EAP.

This document describes the VPN configuration required to allow mobile users to access their company’s internal network through a mobile IKEv2-based IPsec tunnel in config mode that uses the Certificate and EAP-Generic Token Card method. The login/password pair is generated by the firewall’s internal LDAP directory.

Note that both the EAP-Generic Token Card method and the Certificate and EAP-Generic Token Card method use a login/password pair that can be referenced in, for example, an internal LDAP directory, an external LDAP directory or a RADIUS server.


  • The user accounts to be used for the IPsec VPN have already been created in an LDAP directory that has been configured as the default directory on the firewall (internal directory in this document).
    The process of creating an LDAP directory (internal or external) is described in the Directory configuration section in the SNS User Guide.
  • Every user configured in the directory must have an individual e-mail address.
  • SN VPN Client Exclusive must be installed on Microsoft client workstations. It can be downloaded from Downloads > Stormshield Network Security > VPN Client in your Mystormshield area (a software license is required after a 30-day trial period) or from the TheGreenBow IPsec VPN Enterprise client.


The Certificate and EAP-Generic Token Card method and EAP-Generic Token Card method are not compatible with:

  • IKEv1-based tunnels, which must use Xauth for multifactor authentication.
  • ANSSI Diffusion Restreinte (DR) mode.


Date            Description
July 9, 2021    New document