Technical Note: Configure IKEv2 IPsec VPN with Windows Phone 8.1, Windows 8.1
This article explains how to configure IKEv2 IPsec VPN with Windows Phone 8.1 and Windows 8.1 using user credentials.
Windows Phone 8.1 supports IPsec VPN in two modes:
• IKEv2 IPsec VPN
• L2TP/IPsec VPN
IKEv2 IPsec VPN is the preferred option when connecting to FortiGate devices.
For user authentication the Extensible Authentication Protocol (EAP) is used. Two methods are supported:
• Username and password [PEAP-MSCHAPv2]
• Certificate [EAP-TLS]
This guide covers the username and password option.
When EAP is used with Windows Phone, the FortiGate must authenticate itself with a certificate during the IKEv2 exchange (phase 1 "authmethod signature"); a pre-shared key cannot be used for this setup.
The root certificate of the Certificate Authority that signed the FortiGate VPN certificate must therefore be imported on the Windows Phone, otherwise the phone rejects the server. This step can be skipped if the certificate was issued by a well-known public Certificate Authority that the phone already trusts.
WP8.1 users === (port1)[FGVM-5.2](port2) === LAN
- Root CA certificate imported on the FortiGate
- FortiGate VPN certificate, signed by that CA, imported on the FortiGate
- Root CA certificate imported on the Windows Phone
1) Create local user and group
config user local
    edit local\\user1
        set type password
        set passwd pass1
    next
end
config user group
    edit GRP-ipsec
        set member local\\user1
    next
end
The doubled backslash is CLI escaping: the stored user name is local\user1, which is the form the phone sends (see the notes at the end). "pass1" is a placeholder; use a strong password in a real deployment.
2) Configure IPsec phase 1
config vpn ipsec phase1-interface
    edit "ipsec-clients"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set authmethod signature
        set mode-cfg enable
        set ipv4-dns-server1 22.214.171.124
        set ipv4-dns-server2 126.96.36.199
        set proposal aes256-sha1 aes256-sha256 aes128-sha1 aes128-sha256
        set dhgrp 15 14 2
        set eap enable
        set eap-identity send-request
        set authusrgrp "GRP-ipsec"
        set certificate "FG-certificate"
        set ipv4-start-ip 172.16.10.10
        set ipv4-end-ip 172.16.10.100
        set ipv4-netmask 255.255.255.0
    next
end
3) Configure IPsec phase 2
config vpn ipsec phase2-interface
    edit "ipsec-clients-p2"
        set phase1name "ipsec-clients"
        set proposal aes256-sha1 aes256-sha256 aes128-sha1 aes128-sha256
        set dhgrp 15 14 2
        set keylifeseconds 1800
    next
end
The main IPsec configuration is now complete. Because this is an interface-based tunnel, traffic is only forwarded once a firewall policy from the "ipsec-clients" interface exists; without it the tunnel comes up but nothing passes. Note that SHA1 and DH group 2 (1024-bit MODP) appear in the proposals only to accommodate the defaults of the Windows IKEv2 client; once clients are configured for SHA256 and group 14, remove the weaker entries. The policy below allows all services; restrict it to what the clients need. To check a client negotiation, use "diagnose vpn ike gateway list" and "diagnose vpn tunnel list" on the FortiGate.
4) Configure address objects
config firewall address
    edit LAN
        set associated-interface "port2"
        set subnet 10.10.0.0 255.255.252.0
    next
    edit LAN-IPsec-Clients
        set associated-interface "ipsec-clients"
        set subnet 172.16.10.0 255.255.255.0
    next
end
5) Configure firewall policy
config firewall policy
    edit 0
        set srcintf "ipsec-clients"
        set dstintf "port2"
        set srcaddr "LAN-IPsec-Clients"
        set dstaddr "LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Windows Phone configuration
1. Go to "Settings > VPN" and select + to add a new profile
2. Enter the server name or IP address
3. Select type "IKEv2"
4. Select username + password in "Connect using"
5. Set "User name" to local\user1
6. Set the password to pass1
7. Configure the remaining settings
1. Windows Phone VPN support is designed for enterprise use and expects credentials in the form "domain\username". This is why the user in this guide is created as "local\user1": local authentication is used, and "local" stands in for the domain.
If only "user1" is entered on the Windows Phone, the phone sends the user name as "Windows Phone\user1", and a user with exactly that name would have to exist on the FortiGate for authentication to succeed.
For an enterprise deployment, configure the user group with one of the remote authentication options (RADIUS, LDAP) so that the domain\username form is resolved by the directory.
2. The configuration for desktop Windows 8.1 is the same, with one difference: a Windows 8.1 machine that is not joined to a domain does not prepend any domain to the user name and sends it exactly as typed, so enter local\user1 literally.
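The same Windows 8.1 desktop profile can be built from PowerShell with the VpnClient and PKI modules that ship with Windows 8.1, which also lets the client be pinned to the strongest proposal the FortiGate configuration above accepts. This is an added example and not part of the original note; the server name vpn.example.com, the file root-ca.cer and the connection name "FortiGate IKEv2" are assumptions. The server name must match the CN or SAN of "FG-certificate", because the Windows IKEv2 client validates the server certificate against the address it dials. Windows Phone 8.1 has no PowerShell, so this applies to the desktop case in note 2.

```powershell
# Added example (not from the original Fortinet note): configure a Windows 8.1
# desktop client for the FortiGate IKEv2 + EAP setup described above.
# Assumptions:
#   vpn.example.com   - the FortiGate port1 address, matching CN/SAN of FG-certificate
#   .\root-ca.cer     - the root CA certificate that signed FG-certificate (DER or Base64)
#   "FortiGate IKEv2" - arbitrary local connection name
# Run from an elevated PowerShell prompt.

$Server   = 'vpn.example.com'
$ConnName = 'FortiGate IKEv2'
$RootCa   = '.\root-ca.cer'

# 1) Trust the CA that signed the FortiGate VPN certificate. It goes into the
#    machine Root store, which is what the IKEv2 service checks against.
#    Skip this step when a public CA already present in the store was used.
Import-Certificate -FilePath $RootCa -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2) EAP method type 26 = EAP-MSCHAPv2 ("Secured password" in the Windows UI).
#    UseWinLogonCredentials=false makes Windows prompt for the VPN user
#    (local\user1) instead of silently sending the Windows logon identity.
$EapMsChapV2 = [xml]@"
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>26</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
        <UseWinLogonCredentials>false</UseWinLogonCredentials>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"@

# 3) Create the IKEv2 profile. EncryptionLevel Required refuses any fallback to
#    an unencrypted connection. No -SplitTunneling, so all traffic uses the tunnel.
Add-VpnConnection -Name $ConnName `
                  -ServerAddress $Server `
                  -TunnelType Ikev2 `
                  -AuthenticationMethod Eap `
                  -EapConfigXmlStream $EapMsChapV2 `
                  -EncryptionLevel Required `
                  -Force

# 4) Pin IKE and ESP to aes256-sha256 with DH/PFS group 14, which the FortiGate
#    phase1/phase2 proposals above accept. Without this the Windows 8.1 client
#    offers its defaults, which include SHA1 and DH group 2 (1024-bit MODP).
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 `
    -Force

# 5) Review the profile, then dial. Windows 8.1 sends the user name exactly as
#    typed, so give it in the domain\user form the FortiGate local user was
#    created with. The '*' makes rasdial prompt for the password instead of
#    placing it on the command line.
Get-VpnConnection -Name $ConnName |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
rasdial $ConnName 'local\user1' *
```

After the dial succeeds, the FortiGate side should show the negotiated phase 1 under "diagnose vpn ike gateway list" with the AES256/SHA256 and group 14 values rather than the SHA1/group 2 fallbacks; if the pinned proposal is rejected, check that phase 2 on the FortiGate still lists aes256-sha256 and dhgrp 14.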