Some troubles with RRAS IKEv2 with EAP or MSCHAPv2 with macOS/iPhone, Android and Linux machines

Pierre-Yves M 20 Reputation points
2023-06-27T08:09:38.0066667+00:00

I built an RRAS server on Windows Server 2016 (tested on 2022 too) for the purpose of using the IKEv2 service.

So I prepared the certificate template from my authority with the following parameters:

  • The desired duration
  • Authority compatibility => Windows Server 2016
  • Recipient compatibility => Windows 10 / Windows Server 2016
  • Extensions:
    • Application Policies: Server Auth / IPSEC IKE intermediate / Client Auth / non-critical extension
    • Key Usage: Digital signature / Allow key exchange only with key encryption / extension critical
  • Security: Give access to my RRAS computer object to make the enrollment
  • Cryptography:
    • Maximum key size: 2048 Determined by CSP
    • Requests must use one of the following: MS RSA SChannel Crypto Provider

I was then able to request a certificate by positioning the correct common name (external and internal DNS names) and associating it in the RRAS config, security tab.

Authentication Methods:

  • EAP
  • MS-CHAP v2
  • CHAP
  • Allow machine cert for IKEv2

Then from elevated powershell on server:

Set-VpnServerConfiguration -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000

# Pick the single root CA certificate whose subject matches the organisation; -First 1 avoids passing an array if several match
$rootcert = ( Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object -FilterScript { $_.Subject -Like "*CN=myorga*" } | Select-Object -First 1 )
Set-VpnAuthProtocol -RootCertificateNameToAccept $rootcert -PassThru

Restart-Service RemoteAccess -PassThru

From the Windows client, in elevated PowerShell, after creating the connection "IKE" in IKEv2 mode:

Set-VpnConnectionIPsecConfiguration -ConnectionName "IKE" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -Force

This client is on the same domain, so through a GPO the machine already has the root CA certificate in its store, and the connection works for my Windows client, but I am unable to get the connection to work on macOS, iPhone, Android 12+ and Linux.

In each of the cases where it does not work I was able to install the root certificate without problem, so my concern does not come from there. In the logs of the Linux machine I have the following sample:

The root CA has been placed in the trusted CA store, I downloaded the RRAS certificate to use it in the config, selected EAP authentication, and specified the ciphers as:

IKE=aes128-sha256-modp2048

For ESP I use:
ESP=aes128-sha256

And same result with:
ESP=aes128-sha256-modp2048

Jun 26 13:35:16 LAP charon-nm: 07[IKE] authentication of 'CN=internal-name, CN=external-name' with RSA signature successful
Jun 26 13:35:16 LAP charon-nm: 07[IKE] server requested EAP_IDENTITY (id 0x00), sending 'user-test'
Jun 26 13:35:16 LAP charon-nm: 07[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Jun 26 13:35:16 LAP charon-nm: 07[NET] sending packet: from IP-LAN[45713] to IP-PUB[4500] (96 bytes)
Jun 26 13:35:16 LAP charon-nm: 16[NET] received packet: from IP-PUB[4500] to IP-LAN[45713] (112 bytes)
Jun 26 13:35:16 LAP charon-nm: 16[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 26 13:35:16 LAP charon-nm: 16[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
Jun 26 13:35:16 LAP charon-nm: 16[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 26 13:35:16 LAP charon-nm: 16[NET] sending packet: from IP-LAN[45713] to IP-PUB[4500] (144 bytes)
Jun 26 13:35:16 LAP charon-nm: 09[NET] received packet: from IP-PUB[4500] to IP-LAN[45713] (128 bytes)
Jun 26 13:35:16 LAP charon-nm: 09[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jun 26 13:35:16 LAP charon-nm: 09[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
Jun 26 13:35:16 LAP charon-nm: 09[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jun 26 13:35:16 LAP charon-nm: 09[NET] sending packet: from IP-LAN[45713] to IP-PUB[4500] (80 bytes)
Jun 26 13:35:16 LAP charon-nm: 08[NET] received packet: from IP-PUB[4500] to IP-LAN[45713] (80 bytes)
Jun 26 13:35:16 LAP charon-nm: 08[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Jun 26 13:35:16 LAP charon-nm: 08[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun 26 13:35:16 LAP charon-nm: 08[IKE] authentication of 'user-test' (myself) with EAP
Jun 26 13:35:16 LAP charon-nm: 08[ENC] generating IKE_AUTH request 5 [ AUTH ]
Jun 26 13:35:16 LAP charon-nm: 08[NET] sending packet: from IP-LAN[45713] to IP-PUB[4500] (112 bytes)
Jun 26 13:35:16 LAP charon-nm: 11[NET] received packet: from IP-PUB[4500] to IP-LAN[45713] (80 bytes)
Jun 26 13:35:16 LAP charon-nm: 11[ENC] parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
Jun 26 13:35:16 LAP charon-nm: 11[IKE] AUTH payload missing
Jun 26 13:35:16 LAP charon-nm: 11[ENC] generating INFORMATIONAL request 6 [ N(AUTH_FAILED) ]
Jun 26 13:35:16 LAP charon-nm: 11[NET] sending packet: from IP-LAN[45713] to IP-PUB[4500] (80 bytes)

In this state it is impossible to get a connection through with anything other than the Windows machine.

So the question: are we sure that devices other than Windows can connect to a Windows Server 2016 or later IKEv2 (EAP / MSCHAPv2) VPN server?

And if so, does my issue ring a bell for anyone?

Thanks for reading!


7 answers

  1. Pierre-Yves M 20 Reputation points
    2023-07-04T17:49:50.1233333+00:00

    OK, I think I have something: I modified my certificate template to add, in the Alternative Name field of DNS type, the public name of my server, and it works on my iPad. Still the "AUTH payload missing" problem on Linux; on the Mac it doesn't connect, but if it works with the iPad I think I shouldn't be far off, and on Windows clients still no problem.

    I'm not very far away!


  2. Pierre-Yves M 20 Reputation points
    2023-08-30T17:19:03.7133333+00:00

    OK, so my problem is solved. It came from the fact that I had to give my certificate, during generation, a subject name whose common name corresponds to my public DNS name, but also the Alternative Name field of DNS type with the same public name, quite simply.

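The following script is an added example, not code from the thread or from Microsoft: it checks the certificates in the local machine store of the RRAS server against what the thread found was required for IKEv2 clients (the public DNS name as subject CN and as a DNS-type Subject Alternative Name, the Server Authentication and IP security IKE intermediate EKUs from the template, and Digital Signature plus Key Encipherment key usages). `$PublicName` is an assumed placeholder; the OIDs are the standard ones for those EKUs.

```powershell
# Added example (not from the original thread): audit RRAS server certificates
# for the properties non-Windows IKEv2 clients needed in this thread.
# $PublicName is an assumption; replace it with the name clients actually dial.
param(
    [string]$PublicName = 'vpn.example.com'   # assumed public DNS name of the RRAS server
)

# Standard EKU OIDs matching the "Application Policies" of the template in the question
$requiredEkus = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
}
$sanOid = '2.5.29.17'   # Subject Alternative Name extension
$requiredKeyUsage = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'

# Only certificates with a private key and still valid can serve the IKEv2 listener
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }

foreach ($cert in $candidates) {
    $problems = @()

    # 1. Subject CN must be the public DNS name clients connect to
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $PublicName) { $problems += "subject CN is '$cn', expected '$PublicName'" }

    # 2. A DNS-type SAN carrying the same public name (the fix found in the thread).
    #    DnsNameList falls back to the CN when no SAN exists, so require the extension itself first.
    $hasSan = ($cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid } | Measure-Object).Count -gt 0
    $sanNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if (-not $hasSan) {
        $problems += 'no Subject Alternative Name extension'
    } elseif ($sanNames -notcontains $PublicName) {
        $problems += "no DNS SAN entry for '$PublicName' (found: $($sanNames -join ', '))"
    }

    # 3. Enhanced key usages the template in the question enables
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    foreach ($oid in $requiredEkus.Keys) {
        if ($ekus -notcontains $oid) { $problems += "missing EKU $($requiredEkus[$oid]) ($oid)" }
    }

    # 4. Key Usage must include Digital Signature and Key Encipherment
    $ku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1
    if (-not $ku) {
        $problems += 'no Key Usage extension'
    } elseif (($ku.KeyUsages -band $requiredKeyUsage) -ne $requiredKeyUsage) {
        $problems += "key usage is '$($ku.KeyUsages)', needs DigitalSignature and KeyEncipherment"
    }

    # One result row per candidate certificate; Usable is $true only when nothing was flagged
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Expires    = $cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}
```

Run it in elevated PowerShell on the RRAS server (for example `.\Test-RrasIkeCert.ps1 -PublicName vpn.example.com`) and compare the Thumbprint of the row marked Usable with the certificate selected in the RRAS security tab; a certificate whose only flagged problem is the missing DNS SAN reproduces the situation described in the question, where Windows clients connect but the other platforms stop after EAP.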
