IKEv2 VPN with EAP Authentication from Windows to Vigor Router using Let's Encrypt

This article demonstrates how to set up Vigor Router an IKEv2 VPN server by using the Let’s Encrypt certificate, and how to establish a connection from Windows OS.

DrayOS supports generating Let’s Encrypt certificate function since firmware version 3.9.0. As we know, the certificate which been signed up by Let's Encrypt is a valid certificate so using Let’s Encrypt certificate on Vigor Router can simplify the VPN configuration steps for different VPN clients, especially while IKEv2 with EAP authentication VPN connection is used. This article demonstrates how to set up Vigor Router an IKEv2 VPN server by using the Let’s Encrypt certificate, and how to establish a connection from Windows OS.

Vigor Router Setup

1. Select the correct Time Zone and ensure the router system time is correct.

a screenshot of DrayOS Time and Date Settings

2. Activate the DrayDDNS service on your Vigor Router referring to the article here.

3. Apply the Let's Encrypt certificate for your DrayDDNS domain name referring to the article here.

4. Go to VPN and Remote Access >> IPsec General Setup page, select DrayDDNS – the Domain which used for applying Let's Encrypt certificate as Certificate for Dial-in.

a screenshot of DrayOS IKE General Setup  

5. Go to VPN and Remote Access >> Remote Dial-in User page, click an available index. Edit the profile as follows:

  • Enable the account and enable IKEv2 EAP.
  • Give Username and Password,
  • Select Digital Signature(X.509).
  • then click OK.

a screenshot of DrayOS remote-dial-in user profile

Connecting from Windows 10

1. Go to Network and Internet Settings >> VPN, and click Add a VPN connection

  • Select Window (built-in) for VPN provider
  • Enter the domain of router for Server name or address
  • Select IKEv2 as VPN type
  • Enter User name and Password
  • Deselect remember my sign-in info
  • Click Save
  • a screenshot of Windows 10 Add VPN Connection

    2. Go to Network and Sharing Centre >> Change adapter settings.Select the VPN profile we just created, click the mouse on the right side and choose Properties. In the Security tab, select Require Encryption if Server declines for Data Encryption and click OK to save the changes.

    a screenshot of Windows 10 Network Properties

    3. Double click the VPN profile and click Connect to establish the VPN connection.

    a screenshot of Windows 10 connecting VPN

    4.Windows will pop-up the Authentication window. Enter the username and the passwordfor creating the VPN connection successfully.

    a screenshot of windows 10 signing in VPN

    5. Then we can see the VPN is connected successfully.

    a screenshot of windows 10 VPN connected

    Connecting from Smart VPN Client

    (IKEv2 EAP VPN is supported since version 5.1.0)

    1. Run Smart VPN client and Add a profile:

    • Give a Profile Name
    • Select IKEv2 EAPfor Type
    • Enter the Domain Name of the VPN Server
    • Enter User name and Password
    • Click OK
    • Smart VPN Client Add VPN Connection

      2. Switch on Connect and then we can check VPN status when it's connected.

      switch on vpn vpn is connected

Create IKEv2 EAP connection by using Let's Encrypt Certificate that can be imported by Vigor Router web user interface. (Linux)

1.Register a DDNS account for the router 

First, you should register a DDNS account for the router. You can refer to the article here.

2. Use Let's Encrypt Certificate for your DDNS Domain

Let's Encrypt makes the process of generating, signing and importing the certificate very easy. You can refer to the article here. This document will show how to apply a Let's encrypt for the router's domain.

3.Create User Profile with Xauth/EAP enabled

Now, your router has certificated signed by Let’s Encrypt.

  1. Go to User management>>User Profile, and click add.
  2. Enter the Username and password.
  3. Select Xauth / EAP enabled for PPTP/L2TP/SSL/OpenVPN server and click Apply to save changes.
  4. 4.Create VPN certificated by Let's encrypt

    Create a VPN profile with IKEv2 and IPsec remote dial-in enabled.

    1. Go to VPN and Remote Access>>VPN profile, and click add on IPsec.
    2. Enable the profile
      • IKE Protocol: IKEv2
      • Auth Type: RSA
      • Local certificate: Let’s Encrypt certificate
      • Click Apply.

    5.Connecting from Smart VPN Client

    Add a profile on Smart VPN

    • Select IKEv2 as VPN type
    • Enter the domain of router for Server name or address
    • Enter User name and Password 
    • Click ok

    Go to connection and switch on connect, we can check VPN status when it's connected.

Published On: Mar 26, 2019 

Was this helpful?     


Related Articles