[strongSwan] Get working Win7 roadwarriors across psk or ipsec-cert or ikev2-cert with Strongswan! Is it possible?

CpServiceSPb . cpservicespb at gmail.com
Sat Sep 27 23:08:18 CEST 2014


My Strongswan copy is not behind NAT.
By the way, I have been able to set up one copy of Win 7 successfully for
L2TP/PSK from behind NAT.
But for the other Win 7 copy (I specifically tested behind different NATs,
and without NAT as well).

Even, as I wrote, I tested without NAT (client -> Bluetooth -> Sony
Z1 -> 3G/4G -> Internet -> StrongSwan on Ubuntu) and nothing changes.
When I tried to use the Android connection (from this Sony Z1), I was
successful both with PSK and with a certificate (IKEv1).

So, as for Win XP, there were no troubles, as I remember.

I issued the certificates with the easy-rsa software (Easy-rsa on GitHub
<https://github.com/OpenVPN/easy-rsa>, or the Easy-rsa description at
<http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html>).
I added subjectAltName entries for both the external IP and the internal FQDN
to both the server and the client certificate.
Also, I added extendedKeyUsage=1.3.6.1.5.5.8.2.2, serverAuth to the server
certificate.

But just now I am testing IKEv2 and getting a 13801 error (for machine
certificate).


2014-09-28 0:53 GMT+04:00 Dr. Rolf Jansen <rj at obsigna.com>:

> On 27.09.2014 at 15:12, CpServiceSPb . <cpservicespb at gmail.com> wrote:
>
> > Can somebody give step-by-step instructions and/or a working CA, server &
> client certificate with test data as a working example, so that Win 7 could
> work across PSK/IKEv1/IKEv2?
>
> I am running strongSwan 5.2.0 on a FreeBSD machine, and I also had
> difficulties getting a working setup with Windows 7 clients.
>
> My findings.
>
> Forget L2TP/IPsec with Windows 7. While Mac OS X and iOS clients are
> happily connecting to my server in any situation, i.e. IKEv1 with
> certificates or PSK, without NAT, with Single-NAT, with Double-NAT, Windows
> 7 works only without NAT, and that is pretty much useless, given that road
> warriors are needing connectivity from hotels, airports, LAN-Houses, mostly
> from behind any kind of NAT.
>
> The only setup which works for me with the Windows 7 client behind NAT is
> IKEv2 with machine certificates. The server must listen on the public
> interface, though.
>
> My ipsec.conf
>
> conn IKEv2
>    keyexchange = ikev2
>    leftcert = ipsec-service-cert.pem
>    rightcert = ipsec-clients-cert.pem
>    left = %any
>    leftsubnet = 192.168.1.0/24
>    right = %any
>    rightdns = 192.168.1.1
>    rightsourceip = 192.168.1.176/28
>    auto = add
>
> My ipsec.secrets:
>
> : RSA ipsec-service-key.pem
>
>
> For setting up the CA and the certificates, I used the PKI tools that
> come together with strongSwan. Here comes the list of commands without
> comments (use man if you are in doubt). Note, on FreeBSD the $PREFIX is
> /usr/local, and I don't know where Ubuntu stores everything, so perhaps you
> need to correct some cert locations.
>
> As user root do:
> ######## commands begin:
> mkdir ~/ipsec-certs
> cd ~/ipsec-certs
> pki --gen --outform pem > ipsec-ca-key.pem
> pki --self --outform pem --in ipsec-ca-key.pem --digest sha256 --ca \
>     --dn "C=DE, O=Example, CN=example.com CA" > ipsec-ca-cert.pem
>
> pki --gen --outform pem > ipsec-service-key.pem
> pki --pub --in ipsec-service-key.pem | \
>     pki --issue --outform pem --digest sha256 --cacert ipsec-ca-cert.pem \
>         --cakey ipsec-ca-key.pem --flag serverAuth --flag ikeIntermediate \
>         --san example.com --dn "C=DE, O=Example, CN=example.com" \
>     > ipsec-service-cert.pem
>
> pki --gen --outform pem > ipsec-clients-key.pem
> pki --pub --in ipsec-clients-key.pem | \
>     pki --issue --outform pem --digest sha256 --cacert ipsec-ca-cert.pem \
>         --cakey ipsec-ca-key.pem --san ipsec-clients.example.com \
>         --dn "C=DE, O=Example, CN=ipsec-clients.example.com" \
>     > ipsec-clients-cert.pem
>
> cp ipsec-ca-cert.pem /usr/local/etc/ipsec.d/cacerts/ipsec-ca-cert.pem
> cp ipsec-service-key.pem /usr/local/etc/ipsec.d/private/ipsec-service-key.pem
> cp ipsec-clients-key.pem /usr/local/etc/ipsec.d/private/ipsec-clients-key.pem
> cp ipsec-service-cert.pem /usr/local/etc/ipsec.d/certs/ipsec-service-cert.pem
> cp ipsec-clients-cert.pem /usr/local/etc/ipsec.d/certs/ipsec-clients-cert.pem
>
> openssl pkcs12 -export -out ipsec-clients.p12 -inkey ipsec-clients-key.pem \
>     -in ipsec-clients-cert.pem -certfile ipsec-ca-cert.pem
> ######## commands end.
>
> IMPORTANT: The CN value of ipsec-service-cert.pem MUST be the exact
> DNS-resolvable domain name of your IPsec server!!!
>
> Copy the PKCS#12 file ipsec-clients.p12 to the Windows 7 machine, and
> install it as shown on
> https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
>
> On the stateful firewall of my server I opened UDP ports 500 and 4500, but
> this was not sufficient. A major obstacle was that the Windows client is
> sending packet fragments (without port numbers), and I have to let them
> through the firewall too. On FreeBSD I am using ipfw, and the relevant
> part is:
>
> ...
> /sbin/ipfw -q add 5010 allow udp from any to me 500,4500 via $WAN in
> keep-state
> /sbin/ipfw -q add 5011 allow udp from any to me via $WAN in frag
> ...
>
> Best regards
>
> Rolf
>
> PS: About the L2TP/IPsec setup on a FreeBSD home server, using strongSwan
> together with mpd5, which works so very well for Mac OS X and iOS, I wrote a
> post on my blog: http://blog.obsigna.net/?p=520. As said already, forget
> Windows in this respect.
>
>
>
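Added example, written for this archive page and not posted by either participant: an openssl rendering of the certificate chain Rolf builds above with strongSwan's pki (CA, IKEv2 server certificate with serverAuth and ikeIntermediate, client certificate, PKCS#12 export), followed by a check of the server certificate for the properties the thread calls out: CN equal to the DNS name the Windows client connects to, a matching subjectAltName, and both EKU values. The host name vpn.example.com, the output directory, key sizes, validity periods and the PKCS#12 password are assumptions; the check also generalizes to a certificate issued by other tooling such as easy-rsa.

```shell
#!/bin/sh
# Added example, not from the thread: openssl equivalent of the `pki` chain
# (CA -> IKEv2 server cert -> client cert + PKCS#12), plus a check of the
# server-certificate properties the Windows 7 IKEv2 client is known to need.
# Assumed: hostname vpn.example.com, output dir, key sizes, PKCS#12 password.
set -eu

# Extension profiles for CA, server and client. FQDN lands in the server SAN.
write_ext_cfg() {
  fqdn=$1
  cat <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
# serverAuth plus ikeIntermediate (1.3.6.1.5.5.8.2.2), same as pki --flag
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:$fqdn
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectAltName = DNS:ipsec-clients.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# issue DIR NAME SECTION SUBJECT : key, CSR and CA-signed cert for one entity
issue() {
  dir=$1; name=$2; sect=$3; subj=$4
  openssl genrsa -out "$dir/$name-key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/$name-key.pem" -subj "$subj" \
    -config "$dir/ext.cnf" -out "$dir/$name.csr"
  openssl x509 -req -in "$dir/$name.csr" -days 1095 -sha256 \
    -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions "$sect" \
    -out "$dir/$name-cert.pem" 2>/dev/null
}

# build_pki DIR FQDN : CA, server and client certs plus client.p12 in DIR
build_pki() {
  dir=$1; fqdn=$2
  mkdir -p "$dir"
  write_ext_cfg "$fqdn" > "$dir/ext.cnf"
  openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca-key.pem" -days 3650 -sha256 \
    -subj "/C=DE/O=Example/CN=example.com CA" \
    -config "$dir/ext.cnf" -extensions v3_ca -out "$dir/ca-cert.pem"
  # CN must equal the DNS name the Windows client is pointed at
  issue "$dir" server v3_server "/C=DE/O=Example/CN=$fqdn"
  issue "$dir" client v3_client "/C=DE/O=Example/CN=ipsec-clients.example.com"
  # PKCS#12 for the Windows machine store. SHA1/3DES is pinned because
  # OpenSSL 3 defaults to AES-256/PBKDF2-SHA256, which the Windows 7
  # importer cannot read. Password is an assumed placeholder.
  openssl pkcs12 -export -out "$dir/client.p12" \
    -inkey "$dir/client-key.pem" -in "$dir/client-cert.pem" \
    -certfile "$dir/ca-cert.pem" -name ipsec-clients \
    -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 \
    -passout pass:changeit
}

# check_server_cert CERT FQDN : returns 0 only if CERT has CN == FQDN,
# a DNS SAN for FQDN, and both the serverAuth and ikeIntermediate EKUs.
check_server_cert() {
  cert=$1; fqdn=$2; rc=0
  text=$(openssl x509 -in "$cert" -noout -text -nameopt RFC2253)
  cn=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: .*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$fqdn" ] || { echo "CN '$cn' != '$fqdn'"; rc=1; }
  printf '%s\n' "$text" | grep -q "DNS:$fqdn" \
    || { echo "no subjectAltName DNS:$fqdn"; rc=1; }
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "no serverAuth EKU"; rc=1; }
  # older OpenSSL prints the raw OID, newer builds may print a name
  printf '%s\n' "$text" | grep -Eiq '1\.3\.6\.1\.5\.5\.8\.2\.2|ikeIntermediate' \
    || { echo "no ikeIntermediate EKU"; rc=1; }
  return $rc
}

# Stand-alone usage: ./ikev2-pki.sh OUTDIR FQDN
if [ $# -ge 2 ]; then
  build_pki "$1" "$2"
  check_server_cert "$1/server-cert.pem" "$2" && echo "server cert OK for $2"
fi
```

check_server_cert can be pointed at any existing server certificate (for instance one issued with easy-rsa) to confirm, before touching the Windows side, that the CN, the SAN and the two EKU values are all present.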