IKEv2 VPN with EAP Authentication from Windows to Vigor Router using Let's Encrypt

This article demonstrates how to set up Vigor Router an IKEv2 VPN server by using the Let’s Encrypt certificate, and how to establish a connection from Windows OS.

DrayOS has supported generating Let's Encrypt certificates since firmware version 3.9.0. A certificate signed by Let's Encrypt is a publicly trusted certificate, so using it on the Vigor Router simplifies the VPN configuration steps for the different VPN clients, especially when an IKEv2 with EAP authentication VPN connection is used.

Vigor Router Setup

1. Select the correct Time Zone and ensure the router system time is correct.

a screenshot of DrayOS Time and Date Settings

2. Activate the DrayDDNS service on your Vigor Router referring to the article here.

3. Apply the Let's Encrypt certificate for your DrayDDNS domain name referring to the article here.

4. Go to VPN and Remote Access >> IPsec General Setup page, and select the DrayDDNS domain that was used to apply for the Let's Encrypt certificate as the Certificate for Dial-in.

a screenshot of DrayOS IKE General Setup

5. Go to VPN and Remote Access >> Remote Dial-in User page, click an available index. Edit the profile as follows:

  • Enable the account and enable IKEv2 EAP.
  • Enter the Username and Password.
  • Click OK.

Connecting from Smart VPN Client

(IKEv2 EAP VPN is supported since version 5.1.0)

1. Run Smart VPN client and Add a profile:

  • Give a Profile Name
  • Select IKEv2 EAP for Type
  • Enter the Domain Name of the VPN Server
  • Enter User name and Password
  • Click OK
a screenshot of Smart VPN Client Add VPN Connection

If the client uses Smart VPN Client version 5.5.0, we suggest enabling Ping to keep alive.

2. Switch on Connect and then we can check VPN status when it's connected.

screenshots of Smart VPN Client: switch on VPN; VPN is connected

Connecting from Windows 10

1. Go to Network and Internet Settings >> VPN, and click Add a VPN connection

  • Select Windows (built-in) for VPN provider
  • Enter the domain of router for Server name or address
  • Select IKEv2 as VPN type
  • Enter User name and Password
  • Deselect remember my sign-in info
  • Click Save
a screenshot of Windows 10 Add VPN Connection

2. Go to Network and Sharing Centre >> Change adapter settings. Right-click the VPN profile we just created and choose Properties. In the Security tab, select Require Encryption if Server declines for Data Encryption and click OK to save the changes.

a screenshot of Windows 10 Network Properties

3. Double click the VPN profile and click Connect to establish the VPN connection.

a screenshot of Windows 10 connecting VPN

4. Windows will pop up the Authentication window. Enter the username and the password to create the VPN connection successfully.

a screenshot of windows 10 signing in VPN

5. Then we can see the VPN is connected successfully.

a screenshot of windows 10 VPN connected

Note :

The native IKEv2 VPN client of Windows 10 and 11 tries to connect to the VPN over IPv6 first. Please untick the IPv6 option in the DynamicDNS profile to prevent connection issues, since Vigor Router does not support IPv6 for IPsec VPN.

Note2 :

If the IPsec Security Method is Medium or above, a registry value must be added on the Windows client before the IKEv2 EAP connection can be established.

Press WIN+R, open regedit, create a DWORD value named "NegotiateDH2048_AES256" under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rasman\Parameters\", and set its data to 2.
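The Windows 10 steps above and the registry value from Note2 can also be applied from an elevated PowerShell prompt. This is an added example, not from the original article: the profile name and the DrayDDNS domain are placeholders, and it assumes that -AuthenticationMethod Eap without an EAP XML stream uses Windows' default EAP-MSCHAPv2 method, as the Settings app does.

```powershell
# Added example (not from the article). Run from an elevated PowerShell prompt.
# Placeholders: replace the DrayDDNS domain and the profile name with your own.
$ServerName  = "your-router.drayddns.com"   # the domain the Let's Encrypt certificate was issued for
$ProfileName = "Vigor IKEv2 EAP"

# Steps 1-2 of the Windows 10 section: IKEv2 tunnel, EAP user authentication,
# and "Required" encryption so the client disconnects if the server declines.
# Omitting -RememberCredential equals deselecting "Remember my sign-in info".
# Assumption: with no -EapConfigXmlStream, Windows uses its default EAP-MSCHAPv2.
Add-VpnConnection -Name $ProfileName `
    -ServerAddress $ServerName `
    -TunnelType Ikev2 `
    -AuthenticationMethod Eap `
    -EncryptionLevel Required `
    -Force

# Note2: let RasMan negotiate AES-256 and DH group 14 (2048-bit) when the
# router's IPsec Security Method is Medium or above. Data value 2 as in the article.
$RasManPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters"
if (-not (Test-Path $RasManPath)) {
    New-Item -Path $RasManPath -Force | Out-Null
}
New-ItemProperty -Path $RasManPath -Name "NegotiateDH2048_AES256" `
    -PropertyType DWord -Value 2 -Force | Out-Null

# Check the result before connecting: the profile must show Ikev2 / Eap /
# Required with RememberCredential False, and the registry value must read 2.
Get-VpnConnection -Name $ProfileName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  EncryptionLevel, RememberCredential
(Get-ItemProperty -Path $RasManPath -Name "NegotiateDH2048_AES256").NegotiateDH2048_AES256

# If the registry value was changed, restart Windows (or the RasMan service)
# before connecting, then connect from Settings >> VPN as in step 3.
```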

IKEv2 EAP VPN from Windows to Vigor2136
Vigor Router Setup

1. Apply for a Let’s Encrypt Certificate.

IKEv2 EAP VPN uses the VPN server's certificate for server authentication. Registering a Let's Encrypt certificate for the VPN server's domain streamlines the VPN setup. For detailed steps, please refer to Apply for a Let's Encrypt certificate for your DDNS domain.

2. Activate the IPsec VPN service.

Go to VPN > General Setup:

  • Switch on the Enabled tab.
  • Select the Certificate generated for the VPN service.
  • Listen on Interface: accept VPN connections on All Interfaces or on a Specified Interface. When using a specified interface, click Add to select the WAN interface.
  • VPN Access List: configure the VPN Access Control Mode (All Connections, Allow List or Block List), and set the Maximum VPN Login Failures (Times) and the Penalty Block Period (Seconds).

3. Create a Teleworker VPN User Profile.

Go to VPN > Teleworker VPN, click Add, and enter the Username and Password.

In the General tab,

  • Status: set to Active to enable the profile.
  • Group Policy: select None if no specific group policy applies.
  • Expiration Time: set the expiration time for the Teleworker VPN profile. Options include Never, after XX hours, or at a specified date and time.

In the Teleworker VPN tab,

  • Switch on Enable Teleworker VPN.
  • Enter 0 (Seconds) for the Idle Timeout.
  • Select the VPN Schedule.
  • Under Allowed VPN Protocols, enable IPsec and check EAP.
  • In Local IP Assignment, choose a LAN subnet for Assign IP from the LAN DHCP, or configure a static IP for Static IP.
  • Click Apply to save the settings.
Create an IKEv2 EAP connection using a Let's Encrypt certificate imported via the Vigor Router web user interface (Linux)

1. Register a DDNS account for the router

First, you should register a DDNS account for the router. You can refer to the article here.

2. Use the Let's Encrypt Certificate for your DDNS Domain

Let's Encrypt makes the process of generating, signing and importing the certificate very easy. You can refer to the article here. This document shows how to apply for a Let's Encrypt certificate for the router's domain.

3. Create a User Profile with Xauth/EAP enabled

Now your router has a certificate signed by Let's Encrypt.

  1. Go to User Management >> User Profile, and click Add.
  2. Enter the Username and Password.
  3. Select Xauth / EAP enabled for PPTP/L2TP/SSL/OpenVPN server and click Apply to save the changes.

4. Create a VPN profile using the Let's Encrypt certificate

Create a VPN profile with IKEv2 and IPsec remote dial-in enabled.

  1. Go to VPN and Remote Access >> VPN Profile, and click Add on IPsec.
  2. Enable the profile:
    • IKE Protocol: IKEv2
    • Auth Type: RSA
    • Local Certificate: Let's Encrypt certificate
    • Click Apply.

5. Connecting from Smart VPN Client

Add a profile on Smart VPN Client:

  • Select IKEv2 as VPN type
  • Enter the domain of the router for Server name or address
  • Enter User name and Password
  • Click OK

Go to Connection and switch on Connect; the VPN status can be checked once it is connected.

Published On: 2019-03-26
