Set up Mobile IPsec for IKEv2+EAP-TLS

With the certificate structure prepared, the next task is to configure the necessary IPsec settings. The settings below have been tested and found to work, but other similar settings may function as well. Feel free to try other encryption algorithms, hashes, etc. Report any additional combinations found to work or not work on the forum.

Mobile Clients

  • Navigate to VPN > IPsec, Mobile Clients tab in the AZTCO-FW webGUI
  • Check Enable IPsec Mobile Client Support
  • Set User Authentication to Local Database
  • Check Provide a virtual IP address to clients
  • Enter an unused private Network and appropriate subnet mask (such as /24)
  • Check Provide a list of accessible networks to clients
  • Click Save

Phase 1

  • Click the Tunnels Tab
  • Click the Create Phase1 button at the top if it appears, or edit the existing Mobile IPsec Phase 1
  • Set Key Exchange version to v2
  • Set Authentication method to EAP-TLS
  • Set My Identifier to Distinguished name and enter in the hostname of the firewall

Note: This MUST match the Common Name of the server certificate!

  • Set Peer Identifier to User Distinguished name, enter an e-mail address style identifier (e.g.[email protected]) – This isn’t used, but is currently required by the GUI
  • Select the server certificate created previously for My Certificate
  • Select the appropriate CA for My Certificate Authority
  • Set Encryption algorithm to AES 256
  • Set Hash algorithm to SHA256Set DH key group to 2 (1024 bit)Set Lifetime to 28800
  • Uncheck Disable Rekey
  • Uncheck Disable Reauth
  • Set NAT Traversal to Auto
  • Check Enable DPD,
  • set for 10 seconds and 5 retries
  • Click Save

Phase 2

  • Click   to show the Mobile IPsec Phase 2 list
  • Click  to add a new Phase 2 entry if one does not exist, or click  to edit an existing entry
  • Set Mode to Tunnel IPv4
  • Set Local Network as desired
  • To pass all traffic, including Internet traffic, across the VPN, set the Local Network to 0.0.0.0/0
  • Enter an appropriate Description
  • Set Protocol to ESP
  • Set Encryption algorithms to ONLY AES 256
  • Set Hash algorithms to ONLY SHA1
  • Set PFS Key Group to off
  • Set Lifetime to 3600
  • Click Save
© Copyright 2025 . All Rights Reserved. AZTCO-FW| Developed By AZTCO-FW. Powered by AZTCO.