- Create Root CA [EXAMPLE-ROOT-CA]
- Create CA subordinate to the Root CA [EXAMPLE-SUBORDINATE-CA]
- Create a certificate template with both of the following EKUs (the Windows IKEv2 client rejects a server certificate that lacks either one):
- Server Authentication (OID 1.3.6.1.5.5.7.3.1)
- IP security IKE intermediate (OID 1.3.6.1.5.5.8.2.2; the name must match exactly, including capitalization)
- Publish the template in AD [IPSecIKEv2.12]
- Generate Certificate signing request on the VPN server using certlm.msc
- Request personal certificate -> All Tasks -> Advanced Operations -> Create Custom Request
- Select template that was just created [IPSecIKEv2.12]
- Click on "Details", "Properties"
- In the "Subject Name" add a Common name such as "VPNServer.EXAMPLE.com"
- Add the following "Domain component" (DC) values, in this order (the entries are written into the DN in the order they are added):
- DC = VPNServer
- DC = EXAMPLE
- DC = com
- Add "Alternative name" DNS VPNServer.EXAMPLE.com. This must be the exact name the clients dial, because the client checks the server certificate against the address in the connection.
- Save certificate request file
- On CA server select All Tasks->Submit new request
- Select the request file that was created, choose a file name for the issued certificate and process the request
- On the VPN server select: All Tasks -> Import -> select the issued certificate file
- Import into the "Personal" store of the local computer (it must pair with the private key generated with the request; the certificate shows "You have a private key that corresponds to this certificate")
- Install Routing and Remote Access on the VPN server
- Restrict the VPN server to IKEv2: under Ports, keep only the WAN Miniport (IKEv2) ports and set the other tunnel types (PPTP, L2TP, SSTP) to zero ports
- Right-click on the server -> Properties -> Security -> Authentication methods: EAP, MS-CHAP v2 (MS-CHAP v2 rests on the user password alone; EAP with user certificates is the stronger choice where the clients support it)
- Certificate binding: select the certificate issued above (the one carrying both EKUs)
- Start RRAS
- On the VPN firewall open UDP 500 (IKE), UDP 4500 (IKE NAT-T) and IP protocol 50 (ESP). When either side is behind NAT, ESP travels inside UDP 4500, but protocol 50 is still needed for clients with a direct public address
- On client computer create VPN connection
- Windows built-in provider
- Select connection name and VPN server address
- Select connection type IKEv2
- If the client computer is not a member of the domain, install the Root CA certificate in the local machine "Trusted Root Certification Authorities" store (a domain member receives it through Group Policy once the CA is published in AD)
- Test the connection
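The same procedure scripted in PowerShell, as an added example that is not part of the original page. It replaces the certlm.msc request with a certreq INF file, verifies that the issued certificate really carries both EKUs before RRAS is bound to it, pins the server and client to IKEv2 only, and restricts the IPsec proposals to AES-256/SHA-256 with a 2048-bit DH group. Assumed names: CA config string CASERVER.EXAMPLE.com\EXAMPLE-SUBORDINATE-CA, the C:\pki working folder and the connection name "EXAMPLE VPN"; everything else follows the names on this page. Run each region on the host named in its comment, from an elevated prompt.

```powershell
# Added example, not the original page's code. Assumptions: CA config string
# "CASERVER.EXAMPLE.com\EXAMPLE-SUBORDINATE-CA", working folder C:\pki,
# connection name "EXAMPLE VPN". Template and host names are from the page.

#region 1. VPN server: build the CSR (replaces the certlm.msc custom request)
$fqdn = 'VPNServer.EXAMPLE.com'
New-Item -ItemType Directory -Path C:\pki -Force | Out-Null
$inf = @"
[NewRequest]
Subject = "CN=$fqdn,DC=VPNServer,DC=EXAMPLE,DC=com"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = IPSecIKEv2.12
[Extensions]
; Subject Alternative Name: the IKEv2 client matches it against the address it dials
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn"
"@
Set-Content -Path C:\pki\vpn.inf -Value $inf
certreq -new C:\pki\vpn.inf C:\pki\vpn.req
#endregion

#region 2. CA server: submit the request and issue (certsrv "Submit new request")
certreq -submit -config 'CASERVER.EXAMPLE.com\EXAMPLE-SUBORDINATE-CA' C:\pki\vpn.req C:\pki\vpn.cer
#endregion

#region 3. VPN server: pair the issued cert with its private key and check the EKUs
certreq -accept C:\pki\vpn.cer
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $fqdn with a private key in LocalMachine\My" }
$ekus = @($cert.EnhancedKeyUsageList.ObjectId)
# Server Authentication and IP security IKE intermediate, both required by the client
foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.8.2.2') {
    if ($ekus -notcontains $oid) { throw "Certificate lacks EKU $oid; fix the template before binding it" }
}
#endregion

#region 4. VPN server: RRAS, IKEv2 ports only, EAP/MS-CHAP v2, certificate binding
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn
# "Select only IKEv2 ports": zero the other tunnel types
Set-VpnServerConfiguration -Ikev2Ports 128 -L2tpPorts 0 -PptpPorts 0 -SstpPorts 0
# Pin the IKEv2/IPsec proposals; the client below uses the same set
Set-VpnServerConfiguration -TunnelType Ikev2 -CustomPolicy -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 -DHGroup Group14 -PfsGroup PFS2048
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like 'CN=EXAMPLE-ROOT-CA*'
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP, MSChapv2 `
    -CertificateAdvertised $cert -RootCertificateNameToAccept $root -PassThru
Restart-Service RemoteAccess
# Host firewall (the perimeter firewall needs the same three openings)
New-NetFirewallRule -DisplayName 'IKEv2 IKE and NAT-T' -Direction Inbound -Protocol UDP -LocalPort 500, 4500 -Action Allow
New-NetFirewallRule -DisplayName 'IKEv2 ESP' -Direction Inbound -Protocol 50 -Action Allow
#endregion

#region 5. Client: trust the root (non-domain member only), create and test the connection
Import-Certificate -FilePath C:\pki\EXAMPLE-ROOT-CA.cer -CertStoreLocation Cert:\LocalMachine\Root
Add-VpnConnection -Name 'EXAMPLE VPN' -ServerAddress 'VPNServer.EXAMPLE.com' -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EncryptionLevel Required -RememberCredential -Force
Set-VpnConnectionIPsecConfiguration -ConnectionName 'EXAMPLE VPN' -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 -DHGroup Group14 -PfsGroup PFS2048 -Force
rasdial 'EXAMPLE VPN' "EXAMPLE\$env:USERNAME" *     # '*' prompts for the password
(Get-VpnConnection -Name 'EXAMPLE VPN').ConnectionStatus
#endregion
```

The EKU check in region 3 is the step worth keeping even when the rest is done by hand: a certificate that is missing "IP security IKE intermediate" imports and binds in RRAS without complaint, and the failure only shows up as error 13801 on the client. Address assignment for remote clients (DHCP relay or a static pool in RRAS) is not covered by the page and is left out here as well.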
