[Vigor3900] How to establish IKEv2 EAP from macOS/iOS/Windows?
IKEv2 is the successor to IKEv1 and improves on it considerably. It is more stable, more secure, and establishes connections faster. It supports newer and more complex ciphers, which makes the connection more secure, and because it uses a new connection process and discards PPP, connections are established faster.
Vigor3900 has supported IKEv2 with EAP authentication since firmware version 1.4.0. VPN connection security is enhanced by username/password authentication and certificate verification. This article demonstrates an IKEv2 with EAP connection between Vigor3900 and the native VPN clients of macOS, iOS and Windows.
Set up Vigor3900
1. Go to Certificate Management >> Trusted CA page, and click Build RootCA
2. Enter CA information and select 2048 as Key Size
3. Enter Passphrase to sign local certificate and click Apply
4. Click Download to export the Root CA so that it can be imported to the VPN client
5. Go to Certificate Management >> Local Certificate page, and click Generate
6. Select Domain Name as ID Type and enter the domain of the router as ID Value
7. Enter certificate information and enter the domain of the router as Common Name (CN)
8. Select 2048 as Key Size and Enable Self Sign
9. Enter Root CA Key Passphrase and click Apply
10. Go to User Management >> User Profile page, and click Add
11. Enable the profile and enter Username and Password
12. Enable Xauth/EAP
13. Go to VPN and Remote Access >> VPN Profiles >> IPsec tab, and click Add
14. Give a Profile name and enable the profile
15. Enable For Remote Dial-In User
16. Enter router LAN network in Local IP / Subnet Mask
17. Select IKEv2 as IKE Protocol
18. Select RSA as Auth Type and the certificate created in previous steps as Local Certificate
Connecting from macOS
Import the RootCA of the router created in the previous steps to the macOS device by following these steps:
- Open Keychain Access, drag the certificate file to the Keychain Access window to import it
- Select Always Trust for Extensible Authentication (EAP) and IP Security (IPsec)
Go to Network setting and click ' + '
Select VPN as Interface
Select IKEv2 as VPN Type
Enter the domain of the router as Server Address and Remote ID
Click Authentication Settings...
Select Username and enter Username and Password
Click Connect, and check VPN status after successful connection
Connecting from iOS
Import the RootCA of the router created in the previous steps to the iOS device by following these steps:
- Tap the RootCA file
- Tap Install
- Make sure the RootCA has been verified, then tap Done
Go to General >> VPN page, and tap Add Configuration
Select IKEv2 as Type
Enter the domain of the router as Server and Remote ID
Enter Username and Password
Switch on the VPN
Then we can check the VPN status after successful connection
Connecting from Windows
Import the router's RootCA by following these steps:
- Double click the certificate file
- Click Install Certificate...
- Follow the steps to finish the certificate installation
Go to Network and Internet Settings >> VPN, and click Add a VPN connection
Select Windows (built-in) as VPN provider
Enter the domain of the router as Server name or address
Select IKEv2 as VPN type
Enter User name and Password
Click Connect to establish the VPN connection
Then we can check the VPN status after successful connection.
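The Windows steps above can also be scripted. The following PowerShell is an added example, not part of the original article or of the vendor's documentation; it checks the exported Root CA before trusting it machine-wide and then creates the IKEv2/EAP connection. It assumes an elevated session, and the file path, server name and connection name are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example. The three values below are placeholders, not values from the article.
$CaFile     = 'C:\Temp\RootCA.crt'   # Root CA file downloaded from the router (assumed path)
$ServerName = 'vpn.example.com'      # must equal the domain used as CN / ID Value on the router
$ConnName   = 'Vigor3900 IKEv2'      # assumed connection name

# Load the certificate from an absolute path (.NET does not follow the PowerShell location).
$path = (Resolve-Path -LiteralPath $CaFile).Path
$ca   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# A root CA is self-signed: subject and issuer carry the same name.
if ($ca.Subject -ne $ca.Issuer) {
    throw "Not a self-signed root certificate: subject '$($ca.Subject)', issuer '$($ca.Issuer)'"
}

# The article builds the CA with a 2048-bit key; refuse anything smaller or non-RSA.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($ca)
if (-not $rsa -or $rsa.KeySize -lt 2048) {
    throw 'Root CA does not carry an RSA key of at least 2048 bits'
}

# Reject a certificate that is not yet valid or already expired.
$now = Get-Date
if ($now -lt $ca.NotBefore -or $now -gt $ca.NotAfter) {
    throw "Root CA is outside its validity period ($($ca.NotBefore) to $($ca.NotAfter))"
}

# Show the SHA-256 fingerprint so it can be compared with the one computed
# where the file was exported, before the CA becomes a trust anchor.
$sha = [System.Security.Cryptography.SHA256]::Create()
$fp  = [System.BitConverter]::ToString($sha.ComputeHash($ca.RawData)) -replace '-', ':'
Write-Host "Subject : $($ca.Subject)"
Write-Host "SHA-256 : $fp"
if ((Read-Host 'Fingerprint matches the exported file? (y/n)') -ne 'y') {
    throw 'Fingerprint not confirmed, nothing was installed'
}

# Trust the CA for the whole machine, then create the VPN entry.
Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

Add-VpnConnection -Name $ConnName -ServerAddress $ServerName `
    -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required -PassThru
```

The user name and password from the router's User Profile are entered when the connection is first dialed.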