UserGate Client IKEv2 with certificate

To connect VPN clients to the corporate network, NGFW needs to be configured for working in the VPN server role, and the user with the UserGate Client software installed acts as a VPN client. When a VPN is created using IKEv2/IPSec, the IKEv2 protocol exchanges keys and establishes and manages a secure connection. Before establishing an IKEv2 IPsec tunnel, devices must authenticate to each other, ensuring that they are legitimate. This includes the use of pre-negotiated certificates. The certificates are verified:

  • Over an encrypted channel, the VPN client sends a user certificate and encrypted data signed with a private key.

  • The VPN server decrypts the data using the client's public key and compares it with its control set, checking whether the client has a private key.

  • The VPN server, according to the configured user certificate profile, checks the client certificate against the specified certificate chain.

  • The VPN server checks for revoked certificates.

  • The VPN server checks the UPN attributes of the user specified in the authentication profile with the attributes in the CN and\or SAN:principal name certificate.

  • If any of the four steps fails, the connection will not be established.

  • If all checks are passed, the VPN server, for its part, sends its certificate and encrypted data signed with its private key, as well as the presence of the second factor (if specified).

  • The client checks the authenticity of the server's signature and the correspondence of subjectAlternativeName to the address to which it connected.

Follow these steps:

Name

Description

Step 1. Allow the VPN service in the zone to which VPN clients will connect.

In the Network ➜ Zones section, edit the access control settings for the Untrusted zone to which VPN clients will connect and enable the VPN and Connecting endpoints services.

Step 2. Create a zone where the clients connecting using a VPN will be placed.

In the Network ➜ Zones section, create the VPN for remote access zone where the clients connecting through a VPN will be placed.

There is already a default zone VPN for remote access.

Step 3. Create a NAT rule for the newly created zone.

In order for connected VPN clients to be able to access the Internet through the NGFW tunnel, it is necessary to create a NAT rule from the VPN for remote access zone to the Untrusted zone. Create the corresponding rule in the Network policies ➜ NAT and routing section.

As an example, a rule named NAT from VPN for remote access to Trusted and Untrusted is created in NGFW that allows IP address substitution from the zone VPN for remote access to the Trusted and Untrusted zones.

Step 4. Create a firewall rule that allows traffic from the zone created earlier.

In the Network policies ➜ Firewall section, create a firewall rule that allows traffic from the zone you created to other zones.

For example, the rule VPN for remote access to Trusted and Untrusted is created in NGFW.

Шаг 5. Create authentication profile.

Create a profile for VPN users in the Users and devices ➜ Auth profiles section. Specify the Authentication method.

Note that transparent authentication methods such as Kerberos, NTLM, or SAML IDP cannot be used for VPN authentication.

VPN supports multi-factor authentication. The second factor can be received in the form of TOTP single-use codes. To enter the second authentication factor, the user connecting to the VPN server should provide the single-use code.

For more details on authentication profiles, see the Authentication Profiles section.

Step 6. Create a user group.

Create a groupe for VPN users in the Users and devices ➜ Groups section.

Please note that the user's UPN attribute must match the CN and/or SAN: the principal name attributes in the user certificates issued on the client.

Step 7. Create certificates.

In the UserGate ➜ Certificates section, create or import a root certificate of the certification authority and a certificate with a private key.

For details on creating certificates, see Appendix 6. Examples of certificate generation for IKEv2 VPN.

Шаг 8. Create a user certificate profile.

Create a profile in the UserGate ➜ User certificate profiles section.

For more details on user certificate profiles, see the Client Certificate Profiles section.

Step 9. Add the certificate to the settings section.

In the UserGate ➜ Settings section, specify in the Endpoint certificate section the previously added certificate with a private key.

Step 10. Create a VPN server security profile.

In the VPN security profile settings, the encryption and authentication algorithms are defined. Multiple profiles may be used for connecting to different client types.

In the VPN ➜ Server security profiles section, click Add, and fill in these fields:

  • Name: the name of the security profile

  • Description: a description of the profile.

  • IKE version: IKEv2: create a secure link using IKEv2.

  • ID type: None. Used when the IKE local ID parameter is not required for establishing a connection between the VPN server and the UG Client. IKE local ID parameter type:

    • IPv4: the host's IP address.

    • FQDN: the host's address in the fully-qualified domain name (FQDN) format.

  • ID value: the IKE local ID value in the format specified above.

  • Server certificate: select a server certificate for authentication using certificates.

  • Authentication mode: using PKI certificates.

  • User certificate profile: specify a configured user certificate profile.

Next, the settings for the first and second phases of tunnel negotiation need to be configured.

In the first phase, IKE security is negotiated. The authentication is done using a pre-shared key in the mode selected earlier. Provide the following settings:

  • Key lifetime: the time period after which the parties re-authenticate and re-negotiate the first-phase settings.

  • Dead peer detection: the Dead Peer Detection (DPD) mechanism is used to check the functionality of the channel and timely disconnect/reconnect it when the connection is lost. DPD sends R-U-THERE messages periodically to check if the IPsec neighbor is available. There are 3 operating modes of the mechanism:

    • off: the mechanism is disabled.​ DPD requests are not sent.

    • always on: DPD requests are always sent within the specified time interval. If no response is received, additional requests are sent sequentially at intervals of 5 seconds in the number specified in the Failures field. If there is a response, the mechanism returns to the initial interval for sending DPD requests, and if there is no response, the connection is terminated.

    • Idle: DPD requests are not sent while there is ESP traffic through the created SAs. If there are no packets within twice the specified time interval, then a DPD request is sent. If there is a response, a new DPD request will be sent again after a double interval of the specified time. If no response is received, additional requests are sent sequentially at intervals of 5 seconds in the number specified in the Failures field. If there is no response, the connection is terminated.

  • Diffie-Hellman groups: select the Diffie-Hellman group that will be used for key exchange. Instead of the key itself, certain general information is transmitted that the DH key generation algorithm needs to create the shared secret key. The larger the Diffie-Hellman group number, the more bits are used to make the key secure.

  • Security: the algorithms are used in their listing order. To reorder the algorithms, drag and drop them with the mouse or use the Up/Down buttons.

In the second phase, the method for securing IPsec connections is selected. You need to specify the following:

  • Key lifetime: the time period after which the nodes must rotate the encryption key. The lifetime for the second phase is shorter than for the first one, which entails a more frequent key rotation.

  • Key lifesize: the key lifetime can also be expressed in bytes and is called lifesize in that case. If both values (Key lifetime and Key lifesize) are specified, the counter that reaches the limit first will trigger session key re-generation.

  • Enable NAT keepalive: used in scenarios when IPsec traffic goes through a NAT node. NAT table entries are active for a limited time. If there was no VPN traffic over the tunnel during that time span, NAT table entries on the NAT host will be deleted, preventing further passage of VPN traffic. The VPN server located behind the NAT gateway uses NAT keepalive function to periodically send keepalive packets to a peer node in order to keep the NAT session active.

  • Security: the algorithms are used in their listing order. To reorder the algorithms, drag and drop them with the mouse or use the Up/Down buttons.

Step 11. Create a VPN interface.

A VPN interface is a virtual network adapter that will be used to connect VPN clients. This is a cluster-type interface, which means that it will be created automatically on all UserGate nodes included in a configuration cluster. If an HA cluster exists, in case any problems are identified with the active server, VPN clients will be automatically switched to a backup server, and without terminating existing VPN connections.

In the Network ➜ Interfaces section, click Add and select Add VPN. Provide the following settings:

  • Name: the name of the interface. Should be in the form tunnelN, where N is the ordinal number of the VPN interface.

  • Description: a description of the interface.

  • Zone: the zone to which this interface will belong. All clients with a VPN connection to NGFW will be placed in the same zone. Specify the zone created at Step 2.

  • Netflow profile: the Netflow profile used for this interface. This parameter is optional.

  • Mode: a static IP address must be used.

  • MTU: the MTU size for the selected interface.

Step 12. Create a VPN network.

A VPN determines the network settings that will be used for connecting the client to the server. This is primarily the assignment of IP addresses to the clients inside the tunnel, the DNS settings, and the routes that will be passed to the clients that support the use of routes assigned to them. Multiple tunnels may be used with different settings for different clients.

To create a VPN tunnel, go to VPN ➜ VPN networks, click Add, and fill in these fields:

  • Name: the name of the network.

  • Description: a description of the network.

  • IP address range: the range of IP addresses that will be used by the clients and server. Exclude the addresses assigned to the VPN interface used with this network from the range. Do not enter network addresses or the broadcast address here.

  • Specify the DNS servers that will be passed to the client or set the Use system DNS checkbox, in which case the client will be assigned the DNS servers used by NGFW.

    Important! A maximum of two DNS servers can be specified.

  • VPN routes: specify the routes sent to the client as an IP address with a mask or a predefined IP address list.

  • UserGate client routes: the tab used to edit the routes sent to the clients with the UserGate client software installed.

Step 13. Create a VPN server rule.

Create a VPN server rule using the VPN network, interface, and profile created earlier. To create the rule, go to VPN ➜ Server rules, click Add, and fill in these fields:

  • Enabled: the checkbox to enable/disable the rule.

  • Name: the name of the rule.

  • Description: a description of the rule.

  • VPN Security profile: the server security profile created earlier.

  • VPN network: the VPN network created earlier.

  • Auth profile: the authentication profile created earlier.

For more information on setting up two-factor authentication via TOTP for VPN connections, see the Multi-Factor Authentication with Time-Based One-Time Passwords (TOTP) section.

  • Interface: the VPN interface created earlier.

  • Source: the zones and IP addresses from which VPN connections are allowed. Normally, the clients are on the Internet, so specify the Untrusted zone.

Important! The traffic processing logic is as follows:
-- The conditions are combined using Boolean OR, if several IP address and/or domain lists are specified.
-- The conditions are combined using Boolean AND, if GeoIPs and IP address and/or domain lists are specified.

  • Destination: one or more interface addresses to which the clients will connect. The interface must belong to the zone specified at Step 1.

  • Users: a user group or individual users for whom VPN connections are allowed.

Important! To apply different server rules to different clients, use the Source zone and Source address settings. The Users setting does not govern the selection of a server rule, as the user is checked only after the VPN connection has been established.

Step 14. Configure a VPN connection on the client computer.

When authentication is done using certificates based on the Public Key Infrastructure (PKI), install the client certificate on the workstation into the Local Machine repository using the option Automatically select the certificate store. Examples of generating authentication certificates can be found in the Appendix.

To configure a VPN connection on a user's computer, provide these settings:

  • Installing UserGate VPN Client software on a workstation.

  • Install the certificate on the workstation into the Local Machine repository using the option Automatically select the certificate store.

  • VPN server IP address: the IP address of an interface from the zone specified at Step 1.

For more details on using UserGate Client endpoints in conjunction with NGFW, see the UserGate Client Endpoints section.
Note When changing the VPN server settings (changing server rules, changing security profiles, adding new VPN networks), the VPN server does not reboot, so previously established active VPN client sessions are not terminated. A reboot of the VPN server and reconnection of active VPN client sessions may occur if the IP address of the tunnel interface of the VPN server is changed.