The NULL Authentication Method in IKEv2


By enabling the IKEv2 NULL Authentication Method, two IPsec/IKEv2 peers can establish either a single-side authenticated session (one peer authenticates itself with a Pre-Shared Key (PSK), an RSA signature (RSA-Sig, X.509 certificate) or EAP while the other does not) or a mutually unauthenticated session. RFC 7619 describes use cases for unauthenticated or anonymous VPN connections.

Even though the IKEv2 session is unauthenticated, an initiator peer may still present its own ID (without a signature value) and/or the responder peer's ID; such an ID is only a claim, since nothing in the exchange proves it. In the case of Rockhopper, the responder peer uses the received ID values to map the initiator peer's connection to the appropriate VPN realm, as usual.

See also examples for single-side authenticated VPN and mutual unauthenticated VPN.


[CAUTION]

RFC 7619 (Section 3.3, "IKE Configuration Selection") says: "Combining authenticated and unauthenticated IKE peers on a single host can be dangerous, assuming the authenticated IKE peer gains more or different access from unauthenticated peers (otherwise, why not only allow unauthenticated peers)."
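The realm mapping described above and the caution from RFC 7619, modelled as an added example (not Rockhopper's code): the responder picks the realm from IDr, then treats the realm's "Authentication Method for Remote Peers" as a hard requirement, so a NULL-authenticated peer cannot enter a PSK or RSA-Sig realm no matter how plausible its IDi looks. The two-realm layout, the realm names and the request fields are assumptions; the numeric wire values come from the IANA IKEv2 registries.

```python
from dataclasses import dataclass
from typing import List, Optional

# Wire values from the IANA IKEv2 registries. AUTH_NULL and ID_NULL were
# assigned by RFC 7619; the others are long-standing IKEv2 values.
AUTH_RSA_SIG, AUTH_PSK, AUTH_NULL = 1, 2, 13   # AUTH payload "Auth Method"
ID_FQDN, ID_NULL = 2, 13                       # ID payload "ID Type"

@dataclass
class Realm:
    # peer_auth mirrors the page's "Authentication Method for Remote Peers".
    name: str
    my_id: Optional[str]   # FQDN from this realm's My Key Store, None = Null ID
    peer_auth: int

@dataclass
class IkeAuthRequest:
    # auth_verified: result of PSK/signature checking; always False for NULL AUTH.
    idi_type: int
    idi: Optional[str]
    idr_type: int
    idr: Optional[str]
    auth_method: int
    auth_verified: bool = False

@dataclass
class Decision:
    accepted: bool
    realm: Optional[str]
    authenticated: bool
    claimed_id: Optional[str]   # IDi as sent: a claim, not a verified identity
    reason: str

# Constructed sample (assumption): a PSK realm under an FQDN ID beside an
# anonymous realm under a Null ID, as the page's multi-hosting note suggests.
SAMPLE_REALMS = [Realm("staff", "gateway1.example.com", AUTH_PSK),
                 Realm("guest", None, AUTH_NULL)]

def select_realm(realms: List[Realm], req: IkeAuthRequest) -> Decision:
    # Step 1: IDr chooses the realm. A Null IDr can only reach a Null-ID realm.
    wanted = None if req.idr_type == ID_NULL else req.idr
    realm = next((r for r in realms if r.my_id == wanted), None)
    if realm is None:
        return Decision(False, None, False, req.idi, "no realm for IDr")
    # Step 2: the realm's peer auth method is a requirement, not a preference,
    # so a NULL-auth peer never inherits an authenticated realm's access.
    if req.auth_method != realm.peer_auth:
        return Decision(False, realm.name, False, req.idi, "auth method mismatch")
    if realm.peer_auth == AUTH_NULL:
        # Any IDi goes to the audit trail only; see RFC 7619 on peer identification.
        return Decision(True, realm.name, False, req.idi, "unauthenticated")
    if not req.auth_verified:
        return Decision(False, realm.name, False, req.idi, "AUTH check failed")
    return Decision(True, realm.name, True, req.idi, "authenticated")
```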



- Configure My Key Store for unauthenticated VPN.


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]


    [Version: 0.2.b1-021 or later]
    - If this node is configured as Remote Client, check Advanced Settings.

  3. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > My Key Store[Left-Tree]: Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: No Authentication
    My ID Type: Null ID


    If multiple VPN realms are configured for a responder/gateway/concentrator peer, you may need to specify an ID for this node. Enter like this:

    My ID Type: Host Name(FQDN)
    My ID: gateway1.example.com (for Multi-hosting) or remotehost1.example.com (for Role-based configuration)

  4. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.



- Allow an unauthenticated remote peer.


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]


    [Version: 0.2.b1-021 or later]
    - If this node is configured as Remote Client, check Advanced Settings.

  3. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Service[Left-Tree]: Click this tree node and show Service pane.

    - Authentication Method for Remote Peers: Select No Authentication.

  4. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.



- [An initiator/client] Configure an unauthenticated remote peer (a responder/gateway/concentrator).


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]


    [Version: 0.2.b1-021 or later]
    - If this node is configured as Remote Client, check Advanced Settings.

  3. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Remote Peers[Left-Tree]: Click this tree node and show Remote Peers pane.

    - Click Add Peer button.

    - Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: Null ID
    Connection Name: ExampleVPN (Any name you want.)


    If this destination peer hosts multiple VPN realms, you may need to specify a remote peer's ID. Enter like this:

    Peer ID Type: Host Name(FQDN)
    Peer ID: gateway1.example.com

  4. Setup the Remote Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Remote Peers[Left-Tree] > ExampleVPN(Null ID)[Left-Tree]:
    Click this tree node and show Remote Peer: ExampleVPN(Null ID) pane.

    - Enter the following.

    Peer's IP Address: IPv4 and 10.0.0.1 or IPv6 and 2001:db8:10::1
    or
    Peer's IP Address: Host Name(FQDN) and gateway1.example.com

  5. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.





- Example(1): Single-side authenticated VPN (1)



- VPN Gateway (gateway1.example.com)


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]


  3. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Service[Left-Tree]: Click this tree node and show Service pane.

    - Authentication Method for Remote Peers: Select No Authentication.

  4. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > My Key Store[Left-Tree]: Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): gateway1.example.com.p12
    RSA Private Key's Password: himitsu


  5. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.



- Remote Host


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]


    [Version: 0.2.b1-021 or later]
    - If this node is configured as Remote Client, check Advanced Settings.


  3. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Service[Left-Tree]: Click this tree node and show Service pane.

    - Authentication Method for Remote Peers: Select RSA-Sig (RSA Signature).

  4. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > My Key Store[Left-Tree]: Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: No Authentication
    My ID Type: Null ID

  5. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Remote Peers[Left-Tree]: Click this tree node and show Remote Peers pane.

    - Click Add Peer button.

    - Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: Null ID
    Connection Name: ExampleVPN (Any name you want.)

  6. Setup the Remote Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Remote Peers[Left-Tree] > ExampleVPN(Null ID)[Left-Tree]:
    Click this tree node and show Remote Peer: ExampleVPN(Null ID) pane.

    - Enter the following.

    Peer's IP Address: IPv4 and 10.0.0.1 or IPv6 and 2001:db8:10::1
    or
    Peer's IP Address: Host Name(FQDN) and gateway1.example.com

  7. Setup CA Certificate/CRL.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name(Remote Client)[Left-Tree]
    > CA Certificate/CRL[Left-Tree]:
    Click this tree node and show CA Certificate/Certificate Revocation List(CRL) pane.

    - Enter the following.

    Imported Certificate/CRL Format: PEM(Base64-encoding) - File
    CA Certificates(X.509, *.pem): TestCA-cacert.pem


  8. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.



- Remote Host configured as Remote Client (Version: 0.2.b1-021 or later)


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]


    - Uncheck Advanced Settings.


  3. Setup Destination.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name(Remote Client)[Left-Tree] > Destination[Left-Tree]: Click this tree node and show Destination (Concentrator / Gateway) pane.

    - Enter the following.

    Destination Address: IPv4 and 10.0.0.1 or IPv6 and 2001:db8:10::1
    or
    Destination Address: Host Name(FQDN) and gateway1.example.com


  4. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name(Remote Client)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: No Authentication
    My ID Type: Null ID


  5. Setup CA Certificate/CRL.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name(Remote Client)[Left-Tree]
    > CA Certificate/CRL[Left-Tree]:
    Click this tree node and show CA Certificate/Certificate Revocation List(CRL) pane.

    - Enter the following.

    Imported Certificate/CRL Format: PEM(Base64-encoding) - File
    CA Certificates(X.509, *.pem): TestCA-cacert.pem


  6. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.





- Example(2): Single-side authenticated VPN (2)



- VPN Gateway (gateway1.example.com)


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]


  3. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Service[Left-Tree]: Click this tree node and show Service pane.

    - Authentication Method for Remote Peers: Select PSK (Pre-Shared Key).

  4. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > My Key Store[Left-Tree]: Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: No Authentication
    My ID Type: Null ID

  5. Setup Peers' Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree] > Peers' Key Store[Left-Tree]:
    Click this tree node and show Peers' Key Store pane.

    - Click Add Peer's Pre-Shared Key(PSK) button.

    - Add a New Peer's Pre-Shared Key(PSK)[Dialog]:
    Enter the following, then click OK button.

    Peer ID Type: IKEv2-PSK: E-Mail Address
    Peer ID: remotehost@example.com
    Pre-Shared Key(PSK): 1234567890

    If you want to share the password for all remote clients, enter like this:
    Peer ID Type: IKEv2-PSK: Any
    Pre-Shared Key(PSK): 1234567890


  6. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.



- Remote Host


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]


    [Version: 0.2.b1-021 or later]
    - If this node is configured as Remote Client, check Advanced Settings.


  3. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Service[Left-Tree]: Click this tree node and show Service pane.

    - Authentication Method for Remote Peers: Select No Authentication.

  4. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(End Node)[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: Pre-Shared Key(PSK)
    My ID Type: E-Mail Address
    My ID: remotehost@example.com
    Pre-Shared Key(PSK): 1234567890

  5. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Remote Peers[Left-Tree]: Click this tree node and show Remote Peers pane.

    - Click Add Peer button.

    - Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: Null ID
    Connection Name: ExampleVPN (Any name you want.)

  6. Setup the Remote Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Remote Peers[Left-Tree] > ExampleVPN(Null ID)[Left-Tree]:
    Click this tree node and show Remote Peer: ExampleVPN(Null ID) pane.

    - Enter the following.

    Peer's IP Address: IPv4 and 10.0.0.1 or IPv6 and 2001:db8:10::1
    or
    Peer's IP Address: Host Name(FQDN) and gateway1.example.com

  7. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.



- Remote Host configured as Remote Client (Version: 0.2.b1-021 or later)


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]


    - Uncheck Advanced Settings.


  3. Setup Destination.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name(Remote Client)[Left-Tree] > Destination[Left-Tree]: Click this tree node and show Destination (Concentrator / Gateway) pane.

    - Enter the following.

    Destination Address: IPv4 and 10.0.0.1 or IPv6 and 2001:db8:10::1
    or
    Destination Address: Host Name(FQDN) and gateway1.example.com


    - Check No Authentication for this destination (remote peer).


  4. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(End Node)[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: Pre-Shared Key(PSK)
    My ID Type: E-Mail Address
    My ID: remotehost@example.com
    Pre-Shared Key(PSK): 1234567890

  5. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.





- Example(3): Mutual unauthenticated VPN



- VPN Gateway (gateway1.example.com)


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]


  3. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Service[Left-Tree]: Click this tree node and show Service pane.

    - Authentication Method for Remote Peers: Select No Authentication.

  4. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > My Key Store[Left-Tree]: Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: No Authentication
    My ID Type: Null ID

  5. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.


- Remote Host


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]


    [Version: 0.2.b1-021 or later]
    - If this node is configured as Remote Client, check Advanced Settings.


  3. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Service[Left-Tree]: Click this tree node and show Service pane.

    - Authentication Method for Remote Peers: Select No Authentication.

  4. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > My Key Store[Left-Tree]: Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: No Authentication
    My ID Type: Null ID

  5. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Remote Peers[Left-Tree]: Click this tree node and show Remote Peers pane.

    - Click Add Peer button.

    - Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: Null ID
    Connection Name: ExampleVPN (Any name you want.)

  6. Setup the Remote Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Remote Peers[Left-Tree] > ExampleVPN(Null ID)[Left-Tree]:
    Click this tree node and show Remote Peer: ExampleVPN(Null ID) pane.

    - Enter the following.

    Peer's IP Address: IPv4 and 10.0.0.1 or IPv6 and 2001:db8:10::1
    or
    Peer's IP Address: Host Name(FQDN) and gateway1.example.com

  7. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.



- Remote Host configured as Remote Client (Version: 0.2.b1-021 or later)


  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]


    - Uncheck Advanced Settings.


  3. Setup Destination.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name(Remote Client)[Left-Tree] > Destination[Left-Tree]: Click this tree node and show Destination (Concentrator / Gateway) pane.

    - Enter the following.

    Destination Address: IPv4 and 10.0.0.1 or IPv6 and 2001:db8:10::1
    or
    Destination Address: Host Name(FQDN) and gateway1.example.com

    - Check No Authentication for this destination (remote peer).


  4. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name(Remote Client)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: No Authentication
    My ID Type: Null ID


  5. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.







- A configuration example





- RFC

