[strongSwan] Get working Win7 roadwarriors accross psk or ipsec-cert or ikev2-cert with Strongswan ! Is it possibe ?
Dr. Rolf Jansen
rj at obsigna.com
Sat Sep 27 22:53:58 CEST 2014
Am 27.09.2014 um 15:12 schrieb CpServiceSPb . <cpservicespb at gmail.com>:
> Can somebody give step by step instruction and/or working Ca, Server & Client certificate with testing data as working example that Win 7 could work accross psk/ikev1/ikev2 ?
I am running strongSwan 5.2.0 on a FreeBSD machine, and I also had difficulties to get a working setup with Windows 7 clients.
My findings.
Forget L2TP/IPsec with Windows 7. While Mac OS X and iOS clients are happily connecting to my server in any situation, i.e. IKEv1 with certificates or PSK, without NAT, with Single-NAT, with Double-NAT, Windows 7 works only without NAT, and that is pretty much useless, given that road warriors are needing connectivity from hotels, airports, LAN-Houses, mostly from behind any kind of NAT.
The only setup which works for me with the Windows 7 client behind NAT is IKEv2 with machine certificates. The server must listen on the public interface, though.
My ipsec.conf
conn IKEv2
keyexchange = ikev2
leftcert = ipsec-service-cert.pem
rightcert = ipsec-clients-cert.pem
left = %any
leftsubnet = 192.168.1.0/24
right = %any
rightdns = 192.168.1.1
rightsourceip = 192.168.1.176/28
auto = add
My ipsec.secrets:
: RSA ipsec-service-key.pem
For setting up the CA, and the certificates, I used the PKI tools that came together with strongSwan. Here comes the list of commands without comments -- use man if you are in doubt). Note, on FreeBSD, the $PREFIX is /usr/local, and I don't know where Ubuntu store everything, perhaps you need to correct some cert locations.
As user root do:
######## commands begin:
mkdir ~/ipsec-certs
cd ~/ipsec-certs
pki --gen --outform pem > ipsec-ca-key.pem
pki --self --outform pem --in ipsec-ca-key.pem --digest sha256 --ca --dn "C=DE, O=Example, CN=example.com CA" > ipsec-ca-cert.pem
pki --gen --outform pem > ipsec-service-key.pem
pki --pub --in ipsec-service-key.pem | \
pki --issue --outform pem --digest sha256 --cacert ipsec-ca-cert.pem --cakey ipsec-ca-key.pem --flag serverAuth --flag ikeIntermediate --san example.com --dn "C=DE, O=Example, CN=example.com" > ipsec-service-cert.pem
pki --gen --outform pem > ipsec-clients-key.pem
pki --pub --in ipsec-clients-key.pem | \
pki --issue --outform pem --digest sha256 --cacert ipsec-ca-cert.pem --cakey ipsec-ca-key.pem --san ipsec-clients.example.com --dn "C=DE, O=Example, CN=ipsec-clients.example.com" > ipsec-clients-cert.pem
cp ipsec-ca-cert.pem /usr/local/etc/ipsec.d/cacerts/ipsec-ca-cert.pem
cp ipsec-service-key.pem /usr/local/etc/ipsec.d/private/ipsec-service-key.pem
cp ipsec-clients-key.pem /usr/local/etc/ipsec.d/private/ipsec-clients-key.pem
cp ipsec-service-cert.pem /usr/local/etc/ipsec.d/certs/ipsec-service-cert.pem
cp ipsec-clients-cert.pem /usr/local/etc/ipsec.d/certs/ipsec-clients-cert.pem
openssl pkcs12 -export -out ipsec-clients.p12 -inkey ipsec-clients-key.pem -in ipsec-clients-cert.pem -certfile ipsec-ca-cert.pem
######## commands end.
IMPORTANT: The CN value of the ipsec-service-cert.pem MUST be the exact DNS resolvable domain of your IPsec server!!!
Copy the pkcs12 file ipsec-clients.p12 to the Windows 7 machine, and install it as shown on https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
On the stateful firewall of my server I opened UDP ports 500 and 4500, but this was not sufficient. A major obstacle was, that the windows client is sending packet fragments (without port numbers), and I have to let it go through the firewall too. On FreeBSD, I am using ipfw, and the relevant part is:
...
/sbin/ipfw -q add 5010 allow udp from any to me 500,4500 via $WAN in keep-state
/sbin/ipfw -q add 5011 allow udp from any to me via $WAN in frag
...
Best regards
Rolf
PS: About the L2TP/IPsec setup on a FreeBSD-Home-Server, using strongSwan together with mpd5, that works so very well for Mac OS X and iOS, I wrote a post on my BLog: http://blog.obsigna.net/?p=520. As said already, forget Windows in this respect.
More information about the Users
mailing list