Configuring the VPN client

On the user's Microsoft Windows workstation, open the connection window of the VPN Exclusive client with administrator privileges:

  1. Right-click on the icon found in the Windows system tray (hidden icons).
  2. Select the Configuration panel menu.

Configuring Phase 1

  1. In the VPN configuration tree, right-click on IKEv2.
  2. Select New IKE auth.
    An entry named Ikev2Gateway by default is added to the IKEv2 tree.
  3. Right-click on Ikev2Gateway and select Rename to give this entry the name of your choice (IKEv2GwEAPCERT in this example).
  4. Click on this entry.
  5. In the Authentication > Remote router address tab > Remote router address field, enter the public IP address or FQDN of the firewall with which the VPN client must set up a tunnel.
    If you choose to use an FQDN, ensure that the DNS servers on the workstation have resolved it before you set up the tunnel.
  6. In the Authentication > Integrity tab, select the checkboxes:
    • EAP,
    • EAP popup,
    • Multiple AUTH support.
  7. Click on Import certificate and select P12 format.
  8. Select the user’s P12 certificate, which must have been installed in advance on the user’s workstation.
  9. Enter the password to protect the certificate, which was set when exporting the user’s identity on the firewall, and confirm by clicking on OK.

  10. In the Protocol > Advanced features tab, select the Fragmentation checkbox and indicate the size of IKE fragments as defined on the firewall (1280 bytes according to Stormshield’s recommendations).

  11. Click on the upper menu Configuration > Save to save this configuration.
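Steps 5, 8, 9 and 10 above each depend on something outside the VPN client itself: the remote router address must resolve, the P12 must be present and open with the export password, and the IKE fragment size must fit the workstation's MTU. The following PowerShell script is an added pre-flight check for those three points; it is example code written for this page, not part of the Stormshield documentation or of the VPN client, and the gateway address, P12 path and fragment size it uses are placeholders to replace with your own values. It assumes Windows PowerShell 5.1 or later on a workstation with .NET Framework 4.7.2 or newer (needed for the EphemeralKeySet flag).

```powershell
<#
  Added pre-flight check for the Phase 1 settings (example code, not Stormshield's).
  All parameter defaults below are placeholders to replace with your own values.
#>
param(
    # Remote router address from step 5: FQDN or IP address of the firewall (placeholder)
    [string]$GatewayAddress = 'vpn.example.com',
    # User's P12 file from step 8 (placeholder path)
    [string]$P12Path = "$env:USERPROFILE\Documents\vpn-user.p12",
    # IKE fragment size from step 10; must match the value defined on the firewall
    [int]$IkeFragmentSize = 1280
)

$allOk = $true

# --- 1. Remote router address: an FQDN must resolve before the tunnel is attempted (step 5) ---
$parsedIp = $null
if ([System.Net.IPAddress]::TryParse($GatewayAddress, [ref]$parsedIp)) {
    Write-Host "[OK]   Remote router address is an IP literal ($GatewayAddress); no DNS lookup needed"
} else {
    try {
        $records = Resolve-DnsName -Name $GatewayAddress -ErrorAction Stop |
                   Where-Object { $_.Type -in @('A', 'AAAA') }
        if (-not $records) { throw 'no A/AAAA record returned' }
        Write-Host "[OK]   $GatewayAddress resolves to $($records.IPAddress -join ', ')"
    } catch {
        Write-Warning "[FAIL] $GatewayAddress does not resolve: $($_.Exception.Message)"
        $allOk = $false
    }
}

# --- 2. P12 certificate: present, opens with the export password, has a private key, not expired (steps 8-9) ---
if (-not (Test-Path -LiteralPath $P12Path)) {
    Write-Warning "[FAIL] P12 file not found: $P12Path"
    $allOk = $false
} else {
    # Read the password without echoing it; it is the one set when the identity was exported on the firewall
    $p12Password = Read-Host -Prompt 'P12 password' -AsSecureString
    try {
        # EphemeralKeySet keeps the private key in memory only; nothing is written to the Windows key store
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $P12Path, $p12Password,
            [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet)
        if (-not $cert.HasPrivateKey) { throw 'the P12 contains no private key' }
        if ($cert.NotAfter -lt (Get-Date)) { throw "the certificate expired on $($cert.NotAfter)" }
        Write-Host "[OK]   P12 opens: subject=$($cert.Subject), issuer=$($cert.Issuer), valid until $($cert.NotAfter)"
    } catch {
        Write-Warning "[FAIL] P12 check failed: $($_.Exception.Message)"
        $allOk = $false
    }
}

# --- 3. IKE fragment size: must fit inside the MTU of every connected IPv4 interface (step 10) ---
$minMtu = (Get-NetIPInterface -AddressFamily IPv4 |
           Where-Object { $_.ConnectionState -eq 'Connected' } |
           Measure-Object -Property NlMtu -Minimum).Minimum
if ($minMtu -and $IkeFragmentSize -gt $minMtu) {
    Write-Warning "[FAIL] IKE fragment size $IkeFragmentSize exceeds the smallest interface MTU ($minMtu)"
    $allOk = $false
} else {
    Write-Host "[OK]   IKE fragment size $IkeFragmentSize fits the smallest interface MTU ($minMtu)"
}

if ($allOk) {
    Write-Host 'Pre-flight checks passed; proceed with the VPN client configuration.'
} else {
    Write-Warning 'One or more pre-flight checks failed; fix them before saving the configuration.'
    exit 1
}
```

Run it from an elevated PowerShell prompt as `.\Test-VpnPreflight.ps1 -GatewayAddress <firewall FQDN> -P12Path <path to the P12>` (script name assumed). A failure on check 1 means the FQDN warning under step 5 applies; a failure on check 2 with "password" or "incorrect" in the message means the password entered at step 9 does not match the one used when the identity was exported on the firewall.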

Configuring Phase 2

  1. In the VPN configuration > IKEv2 tree, right-click on the Phase 1 configuration created earlier (IKEv2GwEAPCERT in the example).
  2. Select New Child SA.
    An entry named Ikev2Tunnel by default is added to the selected Phase 1 configuration.
  3. Right-click on Ikev2Tunnel and select Rename to give this entry the name of your choice.
  4. Go to the Child SA > Traffic selectors tab.
  5. Select the checkbox Request configuration from the gateway.
  6. Click on the upper menu Configuration > Save to save this configuration.

The VPN client is now configured to set up an IKEv2 tunnel with the firewall in Config mode, using EAP and certificate authentication.