IKEv2 VPN with EAP Authentication from Windows to Vigor Router using Let's Encrypt

This article demonstrates how to set up Vigor Router an IKEv2 VPN server by using the Let’s Encrypt certificate, and how to establish a connection from Windows OS.

DrayOS supports generating Let’s Encrypt certificate function since firmware version 3.9.0. As we know, the certificate which been signed up by Let's Encrypt is a valid certificate so using Let’s Encrypt certificate on Vigor Router can simplify the VPN configuration steps for different VPN clients, especially while IKEv2 with EAP authentication VPN connection is used. This article demonstrates how to set up Vigor Router an IKEv2 VPN server by using the Let’s Encrypt certificate, and how to establish a connection from Windows OS.

Vigor Router Setup

1. Select the correct Time Zone and ensure the router system time is correct.

a screenshot of DrayOS Time and Date Settings

2. Activate the DrayDDNS service on your Vigor Router referring to the article here.

3. Apply the Let's Encrypt certificate for your DrayDDNS domain name referring to the article here.

4. Go to VPN and Remote Access >> IPsec General Setup page, select DrayDDNS – the Domain which used for applying Let's Encrypt certificate as Certificate for Dial-in.

a screenshot of DrayOS IKE General Setup

5. Go to VPN and Remote Access >> Remote Dial-in User page, click an available index. Edit the profile as follows:

Enable the account and enable IKEv2 EAP.
Give Username and Password,
then click OK.

Connecting from Smart VPN Client

(IKEv2 EAP VPN is supported since version 5.1.0)

1. Run Smart VPN client and Add a profile:

Give a Profile Name
Select IKEv2 EAP for Type
Enter the Domain Name of the VPN Server
Enter User name and Password
Click OK

If the client uses smartVPN 5.5.0 version, we suggest that to enable Ping to keep alive

2. Switch on Connect and then we can check VPN status when it's connected.

Connecting from Windows 10

1. Go to Network and Internet Settings >> VPN, and click Add a VPN connection

Select Window (built-in) for VPN provider
Enter the domain of router for Server name or address
Select IKEv2 as VPN type
Enter User name and Password
Deselect remember my sign-in info
Click Save

2. Go to Network and Sharing Centre >> Change adapter settings.Select the VPN profile we just created, click the mouse on the right side and choose Properties. In the Security tab, select Require Encryption if Server declines for Data Encryption and click OK to save the changes.

a screenshot of Windows 10 Network Properties

3. Double click the VPN profile and click Connect to establish the VPN connection.

a screenshot of Windows 10 connecting VPN

4.Windows will pop-up the Authentication window. Enter the username and the passwordfor creating the VPN connection successfully.

a screenshot of windows 10 signing in VPN

5. Then we can see the VPN is connected successfully.

a screenshot of windows 10 VPN connected

Note :

Windows 10 and 11's native IKEv2 VPN try connection the VPN via IPv6 by preference. Please untick the IPv6 option in the DynamicDNS profile to prevent the connection issue since Vigor Router does not support IPv6 for IPsec VPN.

Note2 :

If IPsec Security Method is Medium or above, please add a registry to connect IKEv2 EAP.

WIN+R to open regedit, and create a DWORD registry "NegotiateDH2048_AES256" in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rasman\Parameters\", and set data to 2

Create IKEv2 EAP connection by using Let's Encrypt Certificate that can be imported by Vigor Router web user interface. (Linux)

1.Register a DDNS account for the router

First, you should register a DDNS account for the router. You can refer to the article here.

2. Use Let's Encrypt Certificate for your DDNS Domain

Let's Encrypt makes the process of generating, signing and importing the certificate very easy. You can refer to the article here. This document will show how to apply a Let's encrypt for the router's domain.