[strongSwan] Get working Win7 roadwarriors accross psk or ipsec-cert or ikev2-cert with Strongswan ! Is it possibe ?

CpServiceSPb . cpservicespb at gmail.com
Sun Sep 28 01:25:56 CEST 2014


So, I very much recommend doing the following:
AssumeUDPEncapsulationContextOnSendRule
<http://www.giganews.com/support/vyprvpn/vpn-setup/windows-7/l2tp.html> or
AssumeUDPEncapsulationContextOnSendRule
<http://support2.microsoft.com/kb/926179/ru>. There are instructions for
Win XP and for Win 7.
I did it and Win 7 started working with l2tp/psk and l2tp/certificate.
*Without AssumeUDPEncapsulationContextOnSendRule I got:*
14[KNL] deleting policy *Strongswan external IP*/32[udp/l2f] ===
217.118.78.117/32[udp/l2f] out  (mark 0/0x00000000)
14[KNL] policy still used by another CHILD_SA, not removed
14[KNL] deleting policy 217.118.78.117/32[udp/l2f] === *Strongswan external
IP*/32[udp/l2f] in  (mark 0/0x00000000)
14[KNL] policy still used by another CHILD_SA, not removed
*With AssumeUDPEncapsulationContextOnSendRule I got working connections
both for l2tp/psk and for l2tp/certificate; but for ikev2 there is still the
13801 error or trouble with IP assignment.*


*But with SoftEther VPN server <http://www.softether.org/> Win 7 with
l2tp/psk works fine without setting up AssumeUDPEncapsulationContextOnSendRule!*
I didn't try l2tp/certificate with SoftEther because it doesn't support such
a configuration.
As I know, the NAT module for SoftEther is somewhat special; it is written by
the SoftEther developers and called SNAT (secure NAT).
So I think that the strongSwan developers should look at how SoftEther SNAT
works, to add something interesting or change the existing strongSwan NAT
behaviour.

P. S.: I suppose there is some point connected with the NAT-T port:
strongSwan doesn't understand packets coming out from a port other than 4500,
but SoftEther does. But I could be wrong.

2014-09-28 1:08 GMT+04:00 CpServiceSPb . <cpservicespb at gmail.com>:

> My Strongswan copy is not behind NAT.
> By the way, I have been able to set up successfully one copy of Win 7 for
> l2tp/psk from behind NAT.
> But for the other Win 7 copy (I specially tested behind different NATs,
> and without NAT also).
>
> Even as I wrote, I tested without NAT (client->bluetooth->Sony
> Z1->3G/4G->Internet->StrongSwan at Ubuntu) and ^#^%^% nothing changes.
> When I tried to use the Android connection (from this Sony Z1), I was
> successful with psk as well as with certificate (ikev1).
>
> So, as for Win XP, there weren't troubles as I remember.
>
> I issued the certificate with the easy-rsa software at Easy-rsa github
> <https://github.com/OpenVPN/easy-rsa> or at Easy-rsa desc
> <http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html>
> .
> I added subjectAltName with the external IP as well as the internal FQDN to
> both the server and the client certificate.
> Also I added extendedKeyUsage=1.3.6.1.5.5.8.2.2, serverAuth to the server
> certificate.
>
> But just now I am testing ikev2 and getting the 13801 error (for machine
> certificate).
>
>
> 2014-09-28 0:53 GMT+04:00 Dr. Rolf Jansen <rj at obsigna.com>:
>
> Am 27.09.2014 um 15:12 schrieb CpServiceSPb . <cpservicespb at gmail.com>:
>>
>> > Can somebody give step by step instruction and/or working Ca, Server &
>> > Client certificate with testing data as working example that Win 7 could
>> > work accross psk/ikev1/ikev2 ?
>>
>> I am running strongSwan 5.2.0 on a FreeBSD machine, and I also had
>> difficulties to get a working setup with Windows 7 clients.
>>
>> My findings.
>>
>> Forget L2TP/IPsec with Windows 7. While Mac OS X and iOS clients are
>> happily connecting to my server in any situation, i.e. IKEv1 with
>> certificates or PSK, without NAT, with Single-NAT, with Double-NAT, Windows
>> 7 works only without NAT, and that is pretty much useless, given that road
>> warriors are needing connectivity from hotels, airports, LAN-Houses, mostly
>> from behind any kind of NAT.
>>
>> The only setup which works for me with the Windows 7 client behind NAT is
>> IKEv2 with machine certificates. The server must listen on the public
>> interface, though.
>>
>> My ipsec.conf
>>
>> conn IKEv2
>>    keyexchange = ikev2
>>    leftcert = ipsec-service-cert.pem
>>    rightcert = ipsec-clients-cert.pem
>>    left = %any
>>    leftsubnet = 192.168.1.0/24
>>    right = %any
>>    rightdns = 192.168.1.1
>>    rightsourceip = 192.168.1.176/28
>>    auto = add
>>
>> My ipsec.secrets:
>>
>> : RSA ipsec-service-key.pem
>>
>>
>> For setting up the CA, and the certificates, I used the PKI tools that
>> came together with strongSwan. Here comes the list of commands without
>> comments (use man if you are in doubt). Note, on FreeBSD, $PREFIX is
>> /usr/local, and I don't know where Ubuntu stores everything, perhaps you
>> need to correct some cert locations.
>>
>> As user root do:
>> ######## commands begin:
>> mkdir ~/ipsec-certs
>> cd  ~/ipsec-certs
>> pki --gen --outform pem > ipsec-ca-key.pem
>> pki --self --outform pem --in ipsec-ca-key.pem --digest sha256 --ca --dn
>> "C=DE, O=Example, CN=example.com CA" > ipsec-ca-cert.pem
>>
>> pki --gen --outform pem > ipsec-service-key.pem
>> pki --pub --in ipsec-service-key.pem | \
>> pki --issue --outform pem --digest sha256 --cacert ipsec-ca-cert.pem
>> --cakey ipsec-ca-key.pem --flag serverAuth --flag ikeIntermediate --san
>> example.com --dn "C=DE, O=Example, CN=example.com" >
>> ipsec-service-cert.pem
>>
>> pki --gen --outform pem > ipsec-clients-key.pem
>> pki --pub --in ipsec-clients-key.pem | \
>> pki --issue --outform pem --digest sha256 --cacert ipsec-ca-cert.pem
>> --cakey ipsec-ca-key.pem --san ipsec-clients.example.com --dn "C=DE,
>> O=Example, CN=ipsec-clients.example.com" > ipsec-clients-cert.pem
>>
>> cp ipsec-ca-cert.pem /usr/local/etc/ipsec.d/cacerts/ipsec-ca-cert.pem
>> cp ipsec-service-key.pem
>> /usr/local/etc/ipsec.d/private/ipsec-service-key.pem
>> cp ipsec-clients-key.pem
>> /usr/local/etc/ipsec.d/private/ipsec-clients-key.pem
>> cp ipsec-service-cert.pem
>> /usr/local/etc/ipsec.d/certs/ipsec-service-cert.pem
>> cp ipsec-clients-cert.pem
>> /usr/local/etc/ipsec.d/certs/ipsec-clients-cert.pem
>>
>> openssl pkcs12 -export -out ipsec-clients.p12 -inkey
>> ipsec-clients-key.pem -in ipsec-clients-cert.pem -certfile ipsec-ca-cert.pem
>> ######## commands end.
>>
>> IMPORTANT: The CN value of the ipsec-service-cert.pem MUST be the exact
>> DNS resolvable domain of your IPsec server!!!
>>
>> Copy the  pkcs12 file ipsec-clients.p12 to the Windows 7 machine, and
>> install it as shown on
>> https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
>>
>> On the stateful firewall of my server I opened UDP ports 500 and 4500,
>> but this was not sufficient. A major obstacle was that the Windows client
>> sends packet fragments (without port numbers), and I had to let them go
>> through the firewall too. On FreeBSD, I am using ipfw, and the relevant
>> part is:
>>
>> ...
>> /sbin/ipfw -q add 5010 allow udp from any to me 500,4500 via $WAN in
>> keep-state
>> /sbin/ipfw -q add 5011 allow udp from any to me via $WAN in frag
>> ...
>>
>> Best regards
>>
>> Rolf
>>
>> PS: About the L2TP/IPsec setup on a FreeBSD home server, using strongSwan
>> together with mpd5, which works so very well for Mac OS X and iOS, I wrote a
>> post on my blog: http://blog.obsigna.net/?p=520. As said already, forget
>> Windows in this respect.
>>
>>
>>
>