[strongSwan] Get working Win7 roadwarriors across psk or ipsec-cert or ikev2-cert with Strongswan ! Is it possible ?

Dr. Rolf Jansen rj at obsigna.com
Sat Sep 27 22:53:58 CEST 2014

On 27.09.2014 at 15:12, CpServiceSPb . <cpservicespb at gmail.com> wrote:

> Can somebody give a step-by-step instruction and/or a working CA, server & client certificate with test data as a working example, so that Win 7 could work across psk/ikev1/ikev2?

I am running strongSwan 5.2.0 on a FreeBSD machine, and I also had difficulties getting a working setup with Windows 7 clients.

My findings.

Forget L2TP/IPsec with Windows 7. While Mac OS X and iOS clients happily connect to my server in any situation, i.e. IKEv1 with certificates or PSK, without NAT, with single NAT, with double NAT, Windows 7 works only without NAT, and that is pretty much useless, given that road warriors need connectivity from hotels, airports and LAN houses, mostly from behind some kind of NAT.

The only setup which works for me with the Windows 7 client behind NAT is IKEv2 with machine certificates. The server must listen on the public interface, though.

My ipsec.conf

conn IKEv2
   keyexchange = ikev2
   # server certificate and the single client certificate, both from ipsec.d/certs
   leftcert = ipsec-service-cert.pem
   rightcert = ipsec-clients-cert.pem
   left = %any
   # network(s) offered to the clients (value not given in the post)
   leftsubnet =
   right = %any
   # DNS server and virtual IP pool pushed to the clients (values not given in the post)
   rightdns =
   rightsourceip =
   auto = add

My ipsec.secrets:

: RSA ipsec-service-key.pem

For setting up the CA and the certificates, I used the PKI tool that comes with strongSwan. Here is the list of commands without comments (use man if you are in doubt). Note that on FreeBSD $PREFIX is /usr/local; I don't know where Ubuntu stores everything, so perhaps you need to correct some certificate locations.

As user root do:
######## commands begin:
mkdir ~/ipsec-certs
cd ~/ipsec-certs
pki --gen --outform pem > ipsec-ca-key.pem
pki --self --outform pem --in ipsec-ca-key.pem --digest sha256 --ca --dn "C=DE, O=Example, CN=example.com CA" > ipsec-ca-cert.pem

pki --gen --outform pem > ipsec-service-key.pem
pki --pub --in ipsec-service-key.pem | \
pki --issue --outform pem --digest sha256 --cacert ipsec-ca-cert.pem --cakey ipsec-ca-key.pem --flag serverAuth --flag ikeIntermediate --san example.com --dn "C=DE, O=Example, CN=example.com" > ipsec-service-cert.pem

pki --gen --outform pem > ipsec-clients-key.pem
pki --pub --in ipsec-clients-key.pem | \
pki --issue --outform pem --digest sha256 --cacert ipsec-ca-cert.pem --cakey ipsec-ca-key.pem --san ipsec-clients.example.com --dn "C=DE, O=Example, CN=ipsec-clients.example.com" > ipsec-clients-cert.pem

cp ipsec-ca-cert.pem /usr/local/etc/ipsec.d/cacerts/ipsec-ca-cert.pem
cp ipsec-service-key.pem /usr/local/etc/ipsec.d/private/ipsec-service-key.pem
cp ipsec-clients-key.pem /usr/local/etc/ipsec.d/private/ipsec-clients-key.pem
cp ipsec-service-cert.pem /usr/local/etc/ipsec.d/certs/ipsec-service-cert.pem
cp ipsec-clients-cert.pem /usr/local/etc/ipsec.d/certs/ipsec-clients-cert.pem

openssl pkcs12 -export -out ipsec-clients.p12 -inkey ipsec-clients-key.pem -in ipsec-clients-cert.pem -certfile ipsec-ca-cert.pem
######## commands end.

IMPORTANT: The CN value of ipsec-service-cert.pem MUST be the exact DNS-resolvable domain name of your IPsec server!!!

Copy the PKCS#12 file ipsec-clients.p12 to the Windows 7 machine, and install it as shown on https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

On the stateful firewall of my server I opened UDP ports 500 and 4500, but this was not sufficient. A major obstacle was that the Windows client sends packet fragments (without port numbers), and I had to let those through the firewall too. On FreeBSD, I am using ipfw, and the relevant part is:

/sbin/ipfw -q add 5010 allow udp from any to me 500,4500 via $WAN in keep-state
/sbin/ipfw -q add 5011 allow udp from any to me via $WAN in frag

Best regards


PS: About the L2TP/IPsec setup on a FreeBSD home server, using strongSwan together with mpd5, which works so very well for Mac OS X and iOS, I wrote a post on my blog: http://blog.obsigna.net/?p=520. As said already, forget Windows in this respect.
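The fragment problem described in the post above, shown in code. This is an added example, not code from the post or from the strongSwan project: it builds IPv4 datagrams by hand, fragments a large IKE_AUTH-sized UDP/4500 packet the way a 1500-byte MTU link would, parses the fragments the way a packet filter does, and emulates the two ipfw rules from the post (5010: UDP to ports 500/4500 with keep-state; 5011: UDP non-first fragments). The addresses, the packet identifier and the 2000-byte dummy IKE message are all constructed test values.

```python
"""Emulate the post's ipfw rules 5010/5011 on hand-built IPv4 fragments (added example)."""
import socket
import struct

IPPROTO_UDP = 17
IP_MF = 0x2000       # "more fragments" flag
IP_OFFMASK = 0x1FFF  # fragment offset, in 8-byte units
IKE_PORT, NATT_PORT = 500, 4500


def _cksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (data zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    # A zero UDP checksum means "not computed", which IPv4 allows.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int,
               mf: bool = False, offset: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header; offset is in bytes and must be a multiple of 8."""
    flags_off = (IP_MF if mf else 0) | ((offset // 8) & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _cksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fields a packet filter looks at, verifying the header checksum."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if _cksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len, ident, flags_off = struct.unpack("!HHH", packet[2:8])
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9], "ident": ident, "mf": bool(flags_off & IP_MF),
            "offset": (flags_off & IP_OFFMASK) * 8, "payload": packet[ihl:total_len]}


def fragment(packet: bytes, mtu: int) -> list:
    """Split one datagram into MTU-sized fragments, as a router on the path would."""
    info, ihl = parse_ipv4(packet), (packet[0] & 0x0F) * 4
    data, step = packet[ihl:], ((mtu - ihl) // 8) * 8  # fragment data is a multiple of 8
    return [build_ipv4(info["src"], info["dst"], info["proto"], data[off:off + step],
                       info["ident"], mf=off + step < len(data), offset=off)
            for off in range(0, len(data), step)]


def udp_ports(info: dict):
    """(sport, dport) if the UDP header is present; None for a non-first fragment,
    which carries only a slice of the UDP payload and no port numbers at all."""
    if info["proto"] != IPPROTO_UDP or info["offset"] != 0 or len(info["payload"]) < 8:
        return None
    return struct.unpack("!HH", info["payload"][:4])


def ipfw_verdict(packet: bytes, me: str, allow_frag: bool) -> str:
    """Rule 5010: allow udp from any to me 500,4500 in keep-state.
    Rule 5011 (only if allow_frag): allow udp from any to me in frag.
    Anything else falls through to an implicit deny."""
    info = parse_ipv4(packet)
    if info["proto"] != IPPROTO_UDP or info["dst"] != me:
        return "deny"
    ports = udp_ports(info)
    if ports is not None and ports[1] in (IKE_PORT, NATT_PORT):
        return "allow (rule 5010)"
    # ipfw 'frag' matches non-first fragments only; they have no transport
    # header, so no port-based rule can ever match them.
    if allow_frag and info["offset"] != 0:
        return "allow (rule 5011)"
    return "deny"


def demo(server_ip: str = "198.51.100.1", client_ip: str = "203.0.113.7") -> list:
    """An IKE_AUTH carrying a certificate does not fit a 1500-byte frame.
    Returns (offset, verdict without 5011, verdict with 5011) per fragment."""
    # Constructed: 4-byte non-ESP marker plus a 2000-byte dummy IKE message on UDP/4500.
    ike_auth = build_ipv4(client_ip, server_ip, IPPROTO_UDP,
                          build_udp(NATT_PORT, NATT_PORT, b"\x00" * 4 + bytes(2000)), ident=0x4242)
    return [(parse_ipv4(f)["offset"], ipfw_verdict(f, server_ip, False), ipfw_verdict(f, server_ip, True))
            for f in fragment(ike_auth, mtu=1500)]


if __name__ == "__main__":
    for offset, without, with_frag in demo():
        print("offset %4d: without 5011 -> %-18s with 5011 -> %s" % (offset, without, with_frag))
```

The first fragment still carries the UDP header, so rule 5010 matches it and creates state; the second fragment (offset 1480) has no ports for the filter to inspect and is dropped unless rule 5011 is present. The emulated rule 5011 accepts any non-first UDP fragment addressed to the host, the same trade-off the post's ipfw rule makes, because there is nothing else in such a fragment the filter can match on.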
