
Post on 13-Jun-2022

Page 1: Configuring Windows 7 VPN (Agile) Client for

Configuring Windows 7 VPN (Agile) Client for authentication to McAfee Firewall Enterprise v8

David LePage - Enterprise Solutions Architect, Firewalls

Overview:

Microsoft Windows version 7 introduced a new VPN client (Agile Client) that supports IKEv2 for authentication. McAfee Firewall Enterprise supports client-based VPNs that use either IKEv1 or IKEv2, and the Windows 7 client connects successfully to a remote firewall. This document outlines the steps necessary to configure a Windows 7 VPN client to connect to McAfee Firewall Enterprise version 8 using machine certificate authentication.

Preparing the Machine Authentication Certificates: This example will leverage Microsoft Certificate Service as an Enterprise CA running on a Windows 2008 Server for certificate generation and deployment. The primary steps are:

1- Download and install the CA Certificate in the host machine's Local Computer “Trusted Root Certification Authorities” store
2- Create a custom certificate request (CSR) and submit it to the Enterprise CA
3- Download the certificate returned by the CA in DER format
4- Install the certificate file into the Local Computer “Personal” certificate store

To launch the Windows Certificate Manager, go to Start -> Run -> mmc. In the File menu, select Add/Remove Snap-in, choose the “Certificates” snap-in, and select “Computer Account”. The certificates will need to be in the computer certificate store or they will not be available to the VPN client.

Import the CA Certificate from the Enterprise CA (typically by browsing to https://certserver/certsrv). Import it into the Trusted Root Certification Authorities store by right-clicking the Certificates folder -> All Tasks -> Import.

Next, create a CSR to submit to the Enterprise CA. Right-click on the “Personal” certificate store and select All Tasks -> Advanced Operations -> Create Custom Request. You will be prompted through a certificate wizard:

Proceed:

Defaults are OK:

Expand “Details” and click the “Properties” button:

Assign an identifying name:

On the Subject tab, enter a value for Common name and an Alternative Name:

On the Extensions tab, expand Key Usage -> Extended Key Usage. Select “Server Authentication”, “Client Authentication” and “IP Security IKE intermediate”. (See http://technet.microsoft.com/en-us/library/dd941612%28WS.10%29.aspx for more details.)

Under Private Key, expand Key Options and check “Make private key exportable”:

Hit Apply and Ok, and finish the wizard by specifying the file name for this certificate request:

Submit the CSR to your Enterprise CA (in this case the local Microsoft CA) to retrieve the signed certificate. Import the signed certificate into the Computer account's “Personal” certificate store. Double-click the certificate to make sure it chains to the Trusted Root certificate that signed the request:

Switch to the MFE Administration Console and import this same certificate into the firewall. Log into the MFE Admin Console and navigate to Maintenance -> Certificate/Key Management. Select “Import” and browse to the certificate just retrieved from the CA under “Remote Certificates”:

This should match up with the one you imported into your local Windows machine:

We need to set up a local firewall certificate that will identify the FW VPN gateway to the client. Click the “Firewall Certificates” tab and select “New”:

Specify the FQDN of the MFE VPN gateway. Under “Submit to CA”, select Manual PKCS10. Specify the output file name, and change the Format to PKCS10 (PEM):

Submit this certificate request to the Enterprise CA to have it signed and a certificate returned. Go back to Certificate/Key Management -> Firewall Certificates and click “Load” to attach the signed certificate to this certificate profile.

This concludes the certificate requirements.

Configure the Firewall VPN Policy:

Set up a VPN client address pool under Network -> VPN Configuration -> Client Address Pools. The Virtual Subnet List is the IP range you will distribute to VPN clients. The Local Subnet List is the IP networks this VPN will have access to. Set the DNS server hosts on the “Servers” tab:

Configure the VPN Definition under Network->VPN Configuration->VPN Definitions:

Local Authentication tab – select Single Certificate and the certificate we imported into “Remote Certificates”:

Remote Authentication tab – select the certificate we created under “Firewall Certificates”:

The Crypto tab can be left at its defaults. On the Advanced tab, make sure you check “Enable NAT-T Traversal”:

Create the ISAKMP Firewall Rule: One simple rule is required on the zone where the VPN connections will initiate:

Configure the Windows 7 VPN Client: Go to Control Panel -> Network and select “Set up a connection or network”, and connect to a workplace (or VPN):

Specify the FQDN or IP of the MFE v8 VPN gateway:

Leave the user credentials blank (they will be ignored when using machine certificate authentication):

Edit the properties of the new adapter, leave the hostname or IP address:

The Options tab can be left at its defaults. On the Security tab, select IKEv2 and “Use machine certificates”:

Save.

Disable certificate field checking on the client: Windows will attempt to validate certain fields of the remote certificate. To disable this checking, add a new DWORD value under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters named “DisableIKENameEkuCheck” with a value of 1:
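As an added example (not from the original document or from McAfee), the PowerShell below checks the client-side prerequisites described in the certificate and registry steps above: that a certificate with a private key sits in the Local Computer “Personal” store, carries the three Extended Key Usages selected in the custom request, and chains to the imported root; it then reports the DisableIKENameEkuCheck value, which stops Windows from validating the gateway certificate's name and EKU fields. It assumes PowerShell on the Windows 7 client and uses only the standard .NET X509Chain class; the EKU OIDs are the standard ones for those three purposes.

```powershell
# Added example, not part of the original document: verify the machine
# certificate the Windows 7 IKEv2 client will present, then report the
# RasMan registry value the document tells you to add.

# Standard EKU OIDs for the three purposes selected on the custom request
$RequiredEku = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
}

# Must be the Local Computer "Personal" store (Cert:\LocalMachine\My), with a private key
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
if (-not $certs) { Write-Warning 'No certificate with a private key in the Local Computer Personal store' }

foreach ($cert in $certs) {
    # Collect the Enhanced Key Usage OIDs present on this certificate
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    $missing = @($RequiredEku.Keys | Where-Object { $ekuOids -notcontains $_ })

    # Build the chain against the Local Computer Trusted Root store; revocation is
    # skipped so the check works offline (drop NoCheck for a strict check)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    $missingNames = if ($missing.Count -gt 0) { ($missing | ForEach-Object { $RequiredEku[$_] }) -join ', ' } else { 'none' }
    "{0}`n  Subject: {1}`n  Chains to trusted root: {2}`n  Missing EKUs: {3}" -f $cert.Thumbprint, $cert.Subject, $chainOk, $missingNames
}

# The DWORD from the document. A value of 1 stops Windows from checking the
# gateway certificate's name and EKU fields, so this script only reports it;
# uncomment the New-ItemProperty line to apply the document's step.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$value = (Get-ItemProperty -Path $regPath -Name DisableIKENameEkuCheck -ErrorAction SilentlyContinue).DisableIKENameEkuCheck
if ($value -eq 1) { 'DisableIKENameEkuCheck = 1 (IKE name/EKU checking of the gateway certificate is disabled)' }
else { 'DisableIKENameEkuCheck not set (Windows will validate the gateway certificate fields)' }
# New-ItemProperty -Path $regPath -Name DisableIKENameEkuCheck -PropertyType DWord -Value 1 -Force
```

Run it from an elevated PowerShell prompt, since the Local Computer store and HKLM are being read; a certificate that reports a missing EKU or a failed chain will not be usable by the IKEv2 client.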

Attempt to connect: