October 17, 2015

Ubuntu 14.04: install strongSwan IKEv2 for Windows 7 clients

1. sudo apt-get install strongswan strongswan-plugin-eap-mschapv2
2. Generate the certificates with the following commands (change vpn.example.com to your actual domain name or IP address). (Source: http://serverfault.com/questions/536092/strongswan-ikev2-windows-7-agile-vpn-what-is-causing-error-13801)
# CA key and self-signed CA certificate (the one the Windows client must trust, see step 3)
ipsec pki --gen --type rsa --size 4096 --outform pem > vpnca.key.pem
ipsec pki --self --flag serverAuth --in vpnca.key.pem --type rsa --digest sha1 \
    --dn "C=US, O=Example Company, CN=Example VPN CA" --ca > vpnca.crt.der
# server key; --pub writes its public key (not a real CSR) for --issue to read from stdin
ipsec pki --gen --type rsa --size 4096 --outform pem > vpn.example.com.key.pem
ipsec pki --pub --in vpn.example.com.key.pem --type rsa > vpn.example.com.csr
# server certificate: the --san must be the name or IP the Windows client connects to
ipsec pki --issue --cacert vpnca.crt.der --cakey vpnca.key.pem --digest sha1 \
    --dn "C=US, O=Example Company, CN=vpn.example.com" \
    --san "vpn.example.com" --flag serverAuth --outform pem \
    < vpn.example.com.csr > vpn.example.com.crt.pem
# private key in DER form, which is what ipsec.secrets references in step 6
openssl rsa -in vpn.example.com.key.pem -out vpn.example.com.key.der -outform DER

sudo cp vpnca.crt.der /etc/ipsec.d/cacerts
sudo cp vpn.example.com.crt.pem /etc/ipsec.d/certs
sudo cp vpn.example.com.key.der /etc/ipsec.d/private

3. Import the vpnca.crt.der file generated above into the Windows certificate store (as a CER file). To install the trusted CA certificate locally, open the Microsoft Management Console (mmc) and add the Certificates snap-in. It is of the utmost importance that you select "Computer account". Then go into the Certificates (Local Computer) / Trusted Root Certification Authorities / Certificates folder and select the Import action, which starts the Certificate Import Wizard. (Source: https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapCert)

4. Edit /etc/ipsec.conf to be as follows (source: https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig). The leftcert and leftid values below are adapted to the certificate generated in step 2; leftid has to equal the --san of that certificate, otherwise the Windows client rejects the server:

# ipsec.conf - strongSwan IPsec configuration file

config setup
    # obsolete in strongSwan 5.x (there is no pluto daemon any more); harmless if left in
    plutostart=no

conn %default
    keyexchange=ikev2
    # legacy proposal kept for the Windows 7 built-in client
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no

conn win7
    left=%any
    # route all client traffic through the tunnel
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    # the server certificate copied to /etc/ipsec.d/certs in step 2
    leftcert=vpn.example.com.crt.pem
    # must equal the --san of that certificate
    leftid=@vpn.example.com
    right=%any
    # address pool handed out to clients
    rightsourceip=10.10.3.0/24
    rightauth=eap-mschapv2
    #rightsendcert=never   # see note
    eap_identity=%any
    auto=add

5. Edit /etc/strongswan.conf to be as follows:
charon {
        dns1 = 8.8.8.8
        dns2 = 4.2.2.1
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

6. Edit /etc/ipsec.secrets to be as follows (make sure there is a space between the name and the ":", otherwise strongSwan won't recognize the name):

# server private key, copied to /etc/ipsec.d/private in step 2
: RSA vpn.example.com.key.der

# EAP-MSCHAPv2 users; note the space before the ":"
carol : EAP "abcd1234"
dave  : EAP "fghj5678"
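
The following is an added example, not code from the original post: a small Python checker for the ipsec.conf and ipsec.secrets shown above. It parses both files (applying the conn %default inheritance), flags a leftid that does not match the SAN the server certificate was issued with (the usual cause of Windows error 13801), a weak ike proposal, and secrets lines where the identity is glued to the ":". The sample input mirrors this post's files but is constructed; check_win7 and the other function names are my own.

```python
import re

SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp1024!
conn win7
    leftauth=pubkey
    leftcert=vpnCert.pem
    leftid=@vpn.strongswan.org
    rightauth=eap-mschapv2
"""
SAMPLE_SECRETS = ': RSA vpn.example.com.key.der\ncarol : EAP "abcd1234"\ndave: EAP "fghj5678"\n'

def parse_ipsec_conf(text):
    """{conn name: settings}; values from 'conn %default' are inherited by every conn."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()           # drop comments and trailing space
        if line and not line[0].isspace():             # section header such as 'conn win7'
            cur = sections.setdefault(line.strip(), {})
        elif cur is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            cur[key.strip()] = value.strip()
    return {n[5:]: {**sections.get("conn %default", {}), **s} for n, s in sections.items()
            if n.startswith("conn ") and n != "conn %default"}

def parse_secrets(text):
    """([(id, kind, value)], malformed lines); id is '' on the ': RSA <keyfile>' line."""
    entries, bad = [], []
    for line in filter(None, (ln.split("#", 1)[0].strip() for ln in text.splitlines())):
        m = re.match(r'^(\S*)\s*:\s+(RSA|EAP)\s+"?([^"]+)"?$', line)
        if m and (not m.group(1) or line.startswith(m.group(1) + " ")):
            entries.append(m.groups())
        else:
            bad.append(line)      # e.g. 'dave: EAP ...': an id glued to ':' is not recognised
    return entries, bad

def check_win7(conf, secrets, conn="win7", cert_sans=("vpn.example.com",)):
    """Findings for one conn; cert_sans are the names given to 'ipsec pki --issue --san'."""
    c, (_, bad), out = conf.get(conn, {}), secrets, []
    for key, want in (("keyexchange", "ikev2"), ("leftauth", "pubkey"), ("rightauth", "eap-mschapv2")):
        if c.get(key) != want:
            out.append(f"{key}={want} is required for the Windows 7 built-in client")
    leftid = c.get("leftid", "").lstrip("@")
    if leftid and leftid not in cert_sans:
        out.append(f"leftid '{leftid}' is not a SAN of the server cert (client reports error 13801)")
    if re.search(r"modp1024|sha1", c.get("ike", "")):
        out.append("ike proposal uses modp1024/sha1; keep it only while legacy clients require it")
    return out + [f"ipsec.secrets line not parsed as an identity: {ln}" for ln in bad]
```

Run it against the real files with open("/etc/ipsec.conf").read() and open("/etc/ipsec.secrets").read(), passing the SAN you used in step 2 as cert_sans.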

7. Run ipsec start, then use ipsec status or ipsec statusall to check the status.
8. Enable IP forwarding on the server (set net.ipv4.ip_forward to 1) and add a NAT rule for the clients:
    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
9. Server configuration is complete. Follow this guide to configure your Windows 7 client: http://support.purevpn.com/how-to-setup-purevpn-manually-on-windows-7-ikev2 or this guide: https://supportforums.cisco.com/document/98366/flexvpn-ikev2-windows-7-builtin-client-ios-headend-part-i-certificate-authentication