KB25334 - How to configure the IKEv2 on a Windows 7 PC via machine certificates

Last Modified Date: 11/23/2015 8:19 PM
Synopsis
This article explains how to configure IKEv2 (Internet Key Exchange version 2) on a Windows 7 PC using machine certificates.

 

Solution
  1. Under Configuration > IKEv2 > Port/Realm Mapping, select the port and realm corresponding to where IKEv2 traffic will be sent.
  2. Click Add.

In this example, IKEv2 traffic is sent to the internal port and tied to the "IKEV2" realm.

Note that you must adjust the example if the traffic will be sent to the external port or to a realm with a different name.

  3. Under Realm/Protocol Set Mapping, select the corresponding realm name and set the protocol set to EAP-MSCHAP-V2.
  4. Click Add > Save Changes.
  5. Under Configuration > Certificates > Device Certificates, ensure that a trusted and valid device certificate is installed on the PCS device and bound to the port configured earlier.
  6. Under Trusted Client CA, install the certificate authority that signed the device certificate. If the certificate is chained, install the complete chain here.
  7. Configure/create a certificate authentication server on the Junos Pulse Secure Access device. Click Save Changes.
  8. Navigate to User Realms > [User Realm Name] > Role Mapping > New Rule. From the "Rule based on" drop-down, select Custom Expressions and click Update.
  9. For the name of the role mapping rule, enter "IKEV2", then click Expressions. Configure role mapping based on the custom expression below. Click Save Changes.
 10. Assign the corresponding role to the "IKEv2" custom expression. Click Save Changes.
 11. Under the corresponding user role, ensure that VPN Tunneling is enabled.
 12. Configure the Network Connect ACLs and connection profile.


Client Configuration

  1. Run mmc.exe.
  2. From the console window, click File > Add/Remove Snap-in.
  3. From the list, select Certificates and click Add > Computer account. Click Next.
  4. Select Local Computer. Click Finish.
  5. From the left pane, navigate to Console Root > Certificates (Local Computer) > Personal.
  6. Under Personal, right-click the Certificates folder, then select All Tasks > Import.
  7. The Certificate Import Wizard appears. Click Next.
  8. Click Browse.
  9. Navigate to the created machine certificate (this should be a PFX or P12 file) and click Open.
 10. Click Next.
 11. Select Automatically select the certificate store based on the type of certificate. Click Next.
 12. Click Finish.
 13. After a successful import, the machine certificate appears in the right pane.
 14. Under Trusted Root Certification Authorities, right-click Certificates, then select All Tasks > Import. Repeat Steps 5-8 and import the root certificate authority and its chain for the device certificate.
 15. From the Windows 7 machine, navigate to Start menu > Control Panel > Network and Sharing Center > Set up a new connection or network.
 16. Select Connect to a workplace.
 17. Select Use my Internet connection (VPN).
 18. For Internet address, enter the address of the PCS device (this must match the common name of the device certificate). For Destination name, leave the default "VPN Connection". Select the checkbox Don't connect now; just set it up so I can connect later, then click Next.
 19. Enter a pseudo username, password, and domain, as machine certificates are going to be used. Click Create.
 20. Under Network Connections, a new connection named "VPN Connection" now exists.
 21. Right-click VPN Connection, then click Properties > General. Ensure that the hostname/IP address matches the common name of the device certificate installed on the Junos Pulse Secure Access device.
 22. Under the Security tab, from the "Type of VPN" drop-down, select IKEv2. Select the radio button Use machine certificates. Click OK.
 23. The VPN connects, and Internet access is not allowed for the user; in this case, only intranet access is allowed.
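Before dialing the new connection, the following script (an added example, not from this KB or from Pulse Secure) checks the two certificate prerequisites from the steps above on the Windows 7 client: a machine certificate with its private key in the Personal store that chains to a trusted root, and a PCS device certificate whose common name matches the address dialed and that chains to the root imported into Trusted Root Certification Authorities. It assumes the device certificate bound to the IKEv2 port is also served on TCP 443 of the same address; vpn.example.com is a placeholder.

```powershell
# Added pre-flight check, not part of this KB. Uses only .NET types available to
# PowerShell 2.0 on Windows 7. $PcsHost is a placeholder for the address entered
# as the VPN "Internet address", which must equal the device certificate's CN.
$PcsHost = "vpn.example.com"

function Test-ChainOffline($cert) {
    # Build the chain against the local Trusted Root / Intermediate CA stores; revocation
    # is skipped so this works offline (IKEv2 itself checks it during the handshake).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"
    $ok = $chain.Build($cert)
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object { Write-Host ("    " + $_.Status + ": " + $_.StatusInformation.Trim()) }
    }
    return $ok
}

function Test-ClientMachineCert {
    # The certificate imported under Certificates (Local Computer) > Personal must be
    # within its validity period, carry its private key and chain to a trusted root.
    $now = Get-Date; $found = $false
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        if (-not $cert.HasPrivateKey -or $cert.NotAfter -le $now -or $cert.NotBefore -gt $now) { continue }
        Write-Host ("Machine cert {0} (expires {1:d})" -f $cert.Subject, $cert.NotAfter)
        if (Test-ChainOffline $cert) { $found = $true }
    }
    if (-not $found) { Write-Warning "No valid machine certificate with a private key in LocalMachine\My" }
    return $found
}

function Test-PcsDeviceCert([string]$TargetHost) {
    # Fetch the device certificate the PCS presents on TCP 443 (assumed to be the one
    # bound to the IKEv2 port), then compare its CN with the dialed name and verify the chain.
    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, 443)
    # Accept anything during the handshake; validation is done explicitly below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Close(); $tcp.Close() }
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $cnOk = ($cn -eq $TargetHost)
    Write-Host ("Device cert CN={0}; matches dialed address={1}" -f $cn, $cnOk)
    if (-not $cnOk) { Write-Warning "Enter the PCS address exactly as the device certificate's common name" }
    $chainOk = Test-ChainOffline $cert
    if (-not $chainOk) { Write-Warning "Import the signing CA and its chain into Trusted Root Certification Authorities" }
    return ($cnOk -and $chainOk)
}

Test-ClientMachineCert
Test-PcsDeviceCert $PcsHost
```

Both functions return $true only when the corresponding prerequisite is satisfied, so a $false from either one points at the import or addressing step that still needs attention.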

 

 
Created By: Data Deployment
