For IKEv2 limitations and initial setup, refer to the latest admin guides for Pulse Connect Secure devices. In addition to the Admin Guide information, adhere to the following requirements for MSCHAPv2 authentication to work properly.
Pulse Connect Secure Configuration:
- Make sure that the PCS Device Certificate has EKU (Enhanced Key Usage) support for:
  - Web Server Authentication
  - Web Client Authentication
- Create a new PCS Local Auth Server and select the Password stored as clear text check box.
- Create a User Realm that uses the Local Auth Server created in the previous step for authentication, and create a Role Mapping rule with the username *.
- To configure IKEv2, go to Configuration > IKEv2, assign the proper port to the User Realm, and set the User Realm to use EAP-MSCHAP-V2:
- Under the User Role, make sure that the VPN tunneling check box is selected:
Windows 7 Configuration:
- Install the Root CA certificate from the certificate server/CA that issued the device certificate for the SA into the Trusted Root Certification Authorities > Certificates folder on the Local Computer (Computer Account). Use MMC.exe to import it into the proper folder. Skip this step if the root CA certificate is already present.
The following image illustrates the MMC console for the Local Computer (Computer Account) certificate store:
- Create a new VPN connection and configure it for IKEv2 (select the option to create the connection but not connect immediately). After the VPN connection exists on the system, modify its security settings as shown below:
The following image illustrates the Windows 7 IKEv2 configuration:
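The two certificate requirements above (the device certificate's EKU values and the root CA present in the Local Computer store) can be checked and applied from an elevated PowerShell prompt instead of MMC. This is an added example, not part of the Pulse Secure article; the file names `pcs-device.cer` and `root-ca.cer` are assumed.

```powershell
# Added example (not from the Pulse Secure article). Assumes pcs-device.cer is
# the SA's device certificate and root-ca.cer is the self-signed root that issued it.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-PcsDeviceCertEku {
    # Returns $true only if the certificate carries BOTH EKUs the article requires.
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ekuExt) { return $false }                     # no EKU extension at all
    $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Oid.Value })
    return (($oids -contains $ServerAuthOid) -and ($oids -contains $ClientAuthOid))
}

function Import-RootCaToLocalMachine {
    # Adds the root CA to LocalMachine\Root (Trusted Root Certification Authorities).
    param([string]$Path)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # Only a self-signed root belongs in this store; refuse anything else.
    if ($ca.Subject -ne $ca.Issuer) { throw "Not a self-signed root CA: $($ca.Subject)" }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')                                # requires an elevated prompt
    try {
        if (-not $store.Certificates.Contains($ca)) { $store.Add($ca) }
    } finally { $store.Close() }
}

function Test-DeviceCertChain {
    # Confirms the device certificate now chains to a trusted root on this machine.
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'           # trust check only, no CRL fetch
    return $chain.Build($cert)
}

if (-not (Test-PcsDeviceCertEku 'pcs-device.cer')) {
    Write-Warning 'Device certificate lacks Server and/or Client Authentication EKU; IKEv2 EAP-MSCHAPv2 will fail.'
}
Import-RootCaToLocalMachine 'root-ca.cer'
if (Test-DeviceCertChain 'pcs-device.cer') { 'Device certificate chains to a trusted root.' }
```

The EKU check runs on any machine that has a copy of the device certificate; the import and chain check must run on the Windows 7 client itself.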