[strongSwan] Minimal Windows Configuration with strongSwan

Noel Kuntze noel at familie-kuntze.de
Fri Jul 31 17:17:29 CEST 2015



Hello David,

There's a document about the certificate requirements:
https://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq

Please take care to always address the mailing list as well.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 31.07.2015 at 17:15, David McLaughlin wrote:
> Thanks.
>
> This sounds most promising.
>
> I have tried to use a purchased wildcard certificate we have, but it sounds like you are saying there may be something I need to add to the cert or have on the cert to get it to work.
>
> Currently I have had to add the cert to my Windows client to get them to work.
>
> I have also tried using a self-signed certificate and creating a ca for it.
>
> David
>
> On Fri, Jul 31, 2015 at 7:55 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello David,
>
> Then you need to buy a certificate with SAN fields from a public CA, as that
> is needed to authenticate the server to the client in any scenario. Windows
> doesn't support PSK authentication for roadwarrior type connections
> in any scenario for a good reason.
>
> Look at the documentation for interoperability for Windows 7 and newer
> on the wiki[1]. You probably want option C. Using a certificate
> from a public CA should work around the need to import a
> CA certificate on the client.
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 31.07.2015 at 07:03, David McLaughlin wrote:
> > I would like to have a strongSwan gateway set up for VPN with Windows 7 or better clients and have the clients have minimal configuration.
>
> > In particular, I *don't* want my users to
> > 1) have to install non-native VPN clients.
> > 2) install certificates onto their machine.
>
> > It would also be nice to
> > 1) not do anything in DNS except set A or CNAME records.
>
> > So, from the client point of view, they start Windows, enter the gateway hostname, a username and password, and perhaps a pre-shared key and that is it.
>
> > I've tried many, many things on the strongSwan side---nothing has worked yet.
>
> > Has anyone been successful at this?
>
> > Thanks,
> > David McLaughlin
>
>
