Windows 7 is particularly fussy about connecting to strongSwan via IKEv2: the built-in client thoroughly verifies the server's certificate. Unlike the BlackBerry IPsec client (and macOS as well), Windows 7 will not accept pre-shared key (PSK) authentication for IKEv2 and insists on the CA certificate that issued the server's certificate being installed into the machine's (not the user's) trusted root certificate store. The following is a guide documenting how to install strongSwan and how to create a separate connection definition for these pesky Windows 7 clients.
Installing strongSwan and the other required tools can be performed under Debian by issuing:

```sh
aptitude install strongswan strongswan-ikev2 strongswan-pki libcharon-extra-plugins
```

where strongswan-pki provides the pki tool that will be used to generate the certificates and libcharon-extra-plugins provides additional charon plugins, including the dhcp plugin that the connection definition further down relies on.
The following script will help you generate the necessary certificates for strongSwan that will be compatible with Windows 7 requirements.
```sh
#!/bin/sh
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2018 - License: GNU GPLv3      ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################
##  Simple script to generate the required certificates for strongSwan   ##
##  in order to allow Windows 7 clients to connect.                      ##
##                                                                       ##
##  Requirements:                                                        ##
##    * pki  Simple public key infrastructure (PKI) management tool,     ##
##           part of strongSwan                                          ##
###########################################################################

###########################################################################
##                             CONFIGURATION                             ##
###########################################################################

# This is the externally and internally visible fully qualified domain
# name to which the clients will connect. It is imperative that DNS
# properly resolves this name to the strongSwan IP address!
SERVER_FQDN="vpn.example.com"
# An ISO Alpha-2 country code (two letter country code) of the server.
COUNTRY_CODE="US"
# The organization name.
ORGANIZATION="Wizardry and Steamworks"
# A short description of the server for the certificate authority.
COMMON_NAME="Wizardry and Steamworks"
# (y/n) - whether to install the certificate to /etc/ipsec.d/
PERFORM_INSTALL="n"

###########################################################################
##                               INTERNALS                               ##
###########################################################################

# Stop at the first failing step so that a broken certificate never gets
# installed, and keep the private keys readable by the current user only.
set -e
umask 077

# CA private key and self-signed CA certificate (DER, which is what the
# Windows import expects). SHA-256 is used for all signatures: Windows 7
# accepts it and SHA-1 signed certificates are deprecated.
ipsec pki --gen --type rsa --size 4096 --outform pem > CA.key.pem
ipsec pki --self --flag serverAuth --in CA.key.pem --type rsa \
    --digest sha256 \
    --dn "C=$COUNTRY_CODE, O=$ORGANIZATION, CN=$COMMON_NAME" \
    --ca > CA.crt.der

# Server private key; the public half is fed to "pki --issue" (it is a bare
# public key rather than a PKCS#10 request, which pki accepts as input).
ipsec pki --gen --type rsa --size 4096 \
    --outform pem > "$SERVER_FQDN".key.pem
ipsec pki --pub --in "$SERVER_FQDN".key.pem \
    --type rsa > "$SERVER_FQDN".csr

# Server certificate: CN and SAN both carry the FQDN the clients dial, and
# the serverAuth flag is set, as required by the Windows 7 client.
ipsec pki --issue --cacert CA.crt.der --cakey CA.key.pem --digest sha256 \
    --dn "C=$COUNTRY_CODE, O=$ORGANIZATION, CN=$SERVER_FQDN" \
    --san "$SERVER_FQDN" --flag serverAuth \
    --outform pem < "$SERVER_FQDN".csr > "$SERVER_FQDN".crt.pem

# strongSwan reads the private key from /etc/ipsec.d/private in DER form.
openssl rsa -in "$SERVER_FQDN".key.pem -out "$SERVER_FQDN".key.der \
    -outform DER

if [ x"$PERFORM_INSTALL" = x"y" ]; then
    cp CA.crt.der /etc/ipsec.d/cacerts
    cp "$SERVER_FQDN".crt.pem /etc/ipsec.d/certs
    cp "$SERVER_FQDN".key.der /etc/ipsec.d/private
fi
```
To use the script, download the genCert.sh file and make it executable by issuing:

```sh
chmod +x genCert.sh
```
Open the script in an editor and make the appropriate changes for the following parameters:

- SERVER_FQDN - the fully qualified domain name of the strongSwan server. This has to properly resolve to the IP address of the strongSwan server and it cannot be some fictitious name: the same name ends up in the certificate's CN and SAN, in leftid in ipsec.conf and in the address typed into the Windows VPN connection, and all of them must match exactly,
- ORGANIZATION - change this to whatever organization name you desire,
- PERFORM_INSTALL - set this to y if you are under Debian in order to copy the generated certificates under /etc/ipsec.d/ (Debian compatible).
Note that the script sets the serverAuth flag on the certificate authority, which is a Windows 7 requirement!
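Before going over to Windows it pays to check the generated files on the server, because every mismatch here surfaces on the client only as the opaque Error 13801 later on. The following script is an added example, not part of genCert.sh or of strongSwan: it uses only openssl, takes the CA certificate, the server certificate and the FQDN, and checks the properties the Windows 7 client will insist on (the server certificate chains to the CA being imported, CN and a DNS SAN equal the FQDN, the serverAuth extended key usage is present and the signature is not SHA-1). The make_demo_pki function builds a throwaway CA and server certificate with openssl as constructed test data so the checks can be tried without running genCert.sh first; the file and function names are this example's own.

```sh
#!/bin/sh
# check_pki.sh - sanity-check the CA and server certificate produced by
# genCert.sh before copying CA.crt.der to Windows. Added example, not part
# of the original guide; needs only openssl. Every check prints the reason
# for a failure on stderr and returns non-zero.

# der2pem IN OUT: strongSwan's pki writes the CA certificate in DER
# (CA.crt.der); the helpers below want PEM.
der2pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# check_ca CERT: the CA must actually be marked as a CA (basicConstraints)
check_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' ||
        { echo "check_ca: $1 is not a CA certificate" >&2; return 1; }
}

# check_chain CA CERT: CERT must verify with nothing but CA as trust anchor,
# which is exactly the situation on the Windows machine.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "check_chain: $2 does not chain to $1" >&2; return 1; }
}

# check_name CERT FQDN: the CN must be exactly FQDN and a DNS SAN must carry
# it too; leftid= in ipsec.conf has to equal this name as well.
check_name() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    case "$subj" in
        *"CN=$2,"*|*"CN=$2") ;;
        *) echo "check_name: CN is not $2 ($subj)" >&2; return 1 ;;
    esac
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2" ||
        { echo "check_name: no DNS SAN for $2" >&2; return 1; }
}

# check_eku CERT: serverAuth EKU, printed by openssl as
# "TLS Web Server Authentication"
check_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication' ||
        { echo "check_eku: $1 lacks the serverAuth EKU" >&2; return 1; }
}

# check_digest CERT: refuse SHA-1 signatures
check_digest() {
    alg=$(openssl x509 -in "$1" -noout -text |
          sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    case "$alg" in
        *sha1*|*SHA1*) echo "check_digest: $1 is signed with $alg" >&2; return 1 ;;
    esac
}

# check_all CA CERT FQDN: run every check, stop at the first problem
check_all() {
    check_ca "$1" && check_chain "$1" "$2" && check_name "$2" "$3" &&
        check_eku "$2" && check_digest "$2"
}

# make_demo_pki DIR FQDN: throwaway CA + server certificate built with
# openssl (constructed test data standing in for genCert.sh output).
# 2048-bit keys keep the demo fast; genCert.sh uses 4096.
make_demo_pki() {
    dir=$1; fqdn=$2
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = US
O = Example
CN = Example CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$dir/ca.cnf" -extensions ca_ext \
        -keyout "$dir/CA.key.pem" -out "$dir/CA.crt.pem" 2>/dev/null
    # Same config with the CN swapped for the server's FQDN
    sed "s/^CN = .*/CN = $fqdn/" "$dir/ca.cnf" > "$dir/srv.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/srv.cnf" \
        -keyout "$dir/$fqdn.key.pem" -out "$dir/$fqdn.csr" 2>/dev/null
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$fqdn" \
        > "$dir/srv.ext"
    openssl x509 -req -sha256 -days 30 -in "$dir/$fqdn.csr" \
        -CA "$dir/CA.crt.pem" -CAkey "$dir/CA.key.pem" -CAcreateserial \
        -extfile "$dir/srv.ext" -out "$dir/$fqdn.crt.pem" 2>/dev/null
}

# Stand-alone usage: check_pki.sh CA.pem SERVER.pem FQDN
if [ $# -eq 3 ]; then
    check_all "$1" "$2" "$3" && echo "OK: $2 is usable with leftid=$3"
fi
```

On the strongSwan server, convert the DER CA first (der2pem /etc/ipsec.d/cacerts/CA.crt.der CA.pem) and then run the script against CA.pem, /etc/ipsec.d/certs/vpn.example.com.crt.pem and vpn.example.com; a non-zero exit with a check_* message on stderr is a problem to fix before touching the Windows machine.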
Under Windows 7, press Win+R to pop up the Run dialog (alternatively, launch a command prompt) and type:

```
mmc
```

in order to launch the Microsoft Management Console.
Navigate to File→Add/Remove Snap-in…, select Certificates from the left pane named Available snap-ins and click the Add > button between the panes. You will be prompted by a dialog allowing you to choose between My user account, Service account and Computer account. Pick the Computer account option (the IKEv2 client validates the server against the machine store, so a certificate imported into the user store will not do) and follow the prompts till you get the certificates interface.
Navigate to Trusted Root Certification Authorities→Certificates on the left pane, right-click in the middle of the right pane and follow the menu All Tasks→Import… till a dialog pops up. Now you have to transfer over the CA.crt.der file from the strongSwan server (it is under /etc/ipsec.d/cacerts/ if PERFORM_INSTALL was set) to the Windows machine and select it when the dialog requires a file name. Only the CA certificate is copied; CA.key.pem and the server's key stay on the server. Accept the following prompts as they are, making sure that the store shown on the last page is Trusted Root Certification Authorities, because a CA certificate sitting in the Personal machine store is not trusted for chain building. Importing into Personal→Certificates and then dragging the certificate into Trusted Root Certification Authorities→Certificates works as well, but importing into the right store directly avoids the extra step. Congratulations! The certificate is now installed and you can close the Microsoft Management Console.
The same can be done from an administrative command prompt (the quick way, which requires PowerShell: press Win+R and type

```powershell
powershell.exe Start-Process cmd.exe -Verb runAs
```

) by issuing:

```cmd
certutil -enterprise -f -v -AddStore "Root" C:\CA.crt.der
```

where C:\CA.crt.der is the path to the CA certificate that you have transferred over from the strongSwan server. The -enterprise switch selects the local machine's enterprise registry store; dropping it writes to the plain local machine Root store, which is sufficient on a standalone machine. Either way the prompt must be elevated or certutil will fail with an access denied error.
Edit the /etc/ipsec.secrets file in order to add the generated RSA private key. For instance, the script in the previous section will generate the private key of the server certificate named vpn.example.com.key.der and place it under /etc/ipsec.d/private. Following the example, the /etc/ipsec.secrets file requires adding:

```
: RSA "vpn.example.com.key.der"
```

A relative file name is looked up under /etc/ipsec.d/private. Users can now also be added underneath the private key line with the following syntax:

```
[DOMAIN\]USER : EAP "PASSWORD"
```

where:

- DOMAIN is an optional domain name used by the Windows VPN client,
- USER is the username that you want to add,
- PASSWORD is the user's password.

For instance:

```
ash : EAP "testing123"
```

will allow the user ash to log on without specifying a domain name and with the password testing123. Note that the file holds plaintext passwords, so it must be readable by root only (chmod 600 /etc/ipsec.secrets), and strongSwan has to be told to reread it (ipsec rereadsecrets) after every change.
Finally, the required IPsec configuration for Windows 7 can be added to /etc/ipsec.conf:

```
conn Windows_7
    keyexchange=ikev2
    # Proposals offered by a stock Windows 7 client: AES-256, SHA-1, DH group 2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    left=%defaultroute
    # Will tell clients to route only traffic bound exclusively for the
    # 192.168.0.0/24 network through the VPN connection. If this option
    # is set to 0.0.0.0/0 then all traffic will be routed by the client
    # through the VPN connection.
    leftsubnet=192.168.0.0/24
    leftauth=pubkey
    leftcert=vpn.example.com.crt.pem
    # Must equal the CN/SAN of leftcert and the address dialled by the client
    leftid=vpn.example.com
    right=%any
    # Virtual IPs for the clients are obtained through the dhcp plugin
    rightsourceip=%dhcp
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    rekey=no
    mobike=yes
    # Responder only: load the connection and wait for clients to connect
    auto=add
```
with the following possible changes:

- leftsubnet=192.168.0.0/24 should be changed to your server's network or to 0.0.0.0/0 in order to instruct Windows 7 clients to route all traffic through the VPN connection (a bare 0.0.0.0 without the /0 prefix length would be read as a single host),
- leftcert=vpn.example.com.crt.pem should be changed to the server certificate generated in the previous section and placed under /etc/ipsec.d/certs,
- vpn.example.com is the FQDN of the server as defined by the SERVER_FQDN variable in the genCert.sh script from the previous section; leftid has to be exactly this name, since Windows compares the identity against the certificate's subject and against the host name entered in the VPN connection.

The ike and esp lines match what a stock Windows 7 client proposes (AES-256, SHA-1 and the 1024-bit DH group 2), and the trailing ! stops strongSwan from accepting anything weaker. The 1024-bit group is the weakest link; Windows 7 can be made to offer 2048-bit DH by setting the NegotiateDH2048_AES256 DWORD under HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters to 1 on the client, after which ike=aes256-sha1-modp2048! can be used instead.

Open Control Panel and go to the Network and Sharing Centre to set up a new connection.
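The secrets file, the conn definition above and the certificate all have to agree on one name, and most of the trouble with Windows 7 comes from the three drifting apart. The following script is an added example, not part of the original guide or of strongSwan: it renders the ipsec.secrets entries and the Windows_7 conn block from a single FQDN (assuming the file names genCert.sh produces), normalises the leftsubnet value so that a full tunnel comes out as 0.0.0.0/0, refuses passwords that would break the quoting in ipsec.secrets, and writes the secrets file with root-only permissions. The function names, the user:password argument format and the sample users are this example's own.

```sh
#!/bin/sh
# strongswan_cfg.sh - render matching ipsec.secrets entries and a Windows_7
# conn block from one FQDN. Added example, not part of the original guide.
# Assumes the genCert.sh naming: $FQDN.crt.pem under /etc/ipsec.d/certs and
# $FQDN.key.der under /etc/ipsec.d/private.

# normalise_subnet SUBNET: "all", a bare 0.0.0.0 or 0.0.0.0/0 all become
# 0.0.0.0/0 (full tunnel); anything else must carry a prefix length, since
# a bare address would be treated as a single host by strongSwan.
normalise_subnet() {
    case "$1" in
        all|0.0.0.0|0.0.0.0/0) echo "0.0.0.0/0" ;;
        */*) echo "$1" ;;
        *) echo "normalise_subnet: '$1' needs a prefix length" >&2; return 1 ;;
    esac
}

# render_conn FQDN SUBNET: conn block on stdout; leftcert and leftid are
# derived from the same FQDN as the certificate so they cannot disagree.
render_conn() {
    fqdn=$1
    subnet=$(normalise_subnet "$2") || return 1
    cat <<EOF
conn Windows_7
    keyexchange=ikev2
    # Proposals offered by a stock Windows 7 client
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    left=%defaultroute
    leftsubnet=$subnet
    leftauth=pubkey
    leftcert=$fqdn.crt.pem
    leftid=$fqdn
    right=%any
    rightsourceip=%dhcp
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    rekey=no
    mobike=yes
    auto=add
EOF
}

# eap_secret [DOMAIN\]USER PASSWORD: one ipsec.secrets line. A double quote
# inside the password would terminate the quoted string, so refuse it.
eap_secret() {
    case "$2" in
        *\"*) echo "eap_secret: password for $1 must not contain \"" >&2; return 1 ;;
    esac
    printf '%s : EAP "%s"\n' "$1" "$2"
}

# render_secrets FQDN USER:PASSWORD...: full ipsec.secrets on stdout. The
# user part may carry a DOMAIN\ prefix; the password may contain colons,
# the user name may not.
render_secrets() {
    fqdn=$1; shift
    printf ': RSA "%s.key.der"\n' "$fqdn"
    for entry in "$@"; do
        user=${entry%%:*}
        pass=${entry#*:}
        eap_secret "$user" "$pass" || return 1
    done
}

# install_secrets FILE FQDN USER:PASSWORD...: write FILE readable by the
# owner only, never letting it exist world-readable even for a moment.
install_secrets() {
    file=$1; shift
    ( umask 077; render_secrets "$@" > "$file" ) || return 1
    chmod 600 "$file"
}

# Stand-alone usage: strongswan_cfg.sh FQDN SUBNET USER:PASSWORD...
# prints the conn block; the secrets go to /etc/ipsec.secrets.
if [ $# -ge 3 ]; then
    fqdn=$1; subnet=$2; shift 2
    render_conn "$fqdn" "$subnet" &&
        install_secrets /etc/ipsec.secrets "$fqdn" "$@" &&
        echo "# secrets written to /etc/ipsec.secrets; run: ipsec rereadsecrets"
fi
```

Running it as strongswan_cfg.sh vpn.example.com all ash:testing123 prints a full-tunnel conn block to paste into /etc/ipsec.conf and writes the matching /etc/ipsec.secrets; the only thing left to change by hand is the proposal lines if the client has been configured for 2048-bit DH.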
Pick the "workplace" / VPN connection type and choose the option to use the Internet to connect. Enter the address to connect to, which following the example should be vpn.example.com, typed exactly as it appears in the server certificate, and tick the box labelled Don't connect now; just set it up so I can connect later, or else Windows 7 will run through all possible VPN types trying to connect and will ultimately fail. On the next screen you will be asked to fill in a username and password; this can be done here, if you like. Finally, the last screen allows you to close the wizard without connecting. The VPN type has to be switched to IKEv2 manually, so go to the adapter settings after you are done with the wizard. Right-click the new VPN connection, select Properties and browse to the Security tab. From the Type of VPN drop-down select IKEv2, leave the default EAP-MSCHAP v2 authentication (which is what rightauth=eap-mschapv2 on the server expects) and close the dialog without making any other changes. You can now attempt a connection!
If you get the dreaded error Error 13801: IKE authentication credentials are unacceptable, do not be misled into believing that you have typed your username and password wrongly. The error, in fact, occurs during the IKE_AUTH exchange, before the username and password are ever sent, when the server presents its certificate and Windows rejects it. The usual causes are:

- the CA certificate is not in the computer's Trusted Root Certification Authorities store (having it in the current user's store is not enough),
- the address entered in the VPN connection does not match the CN and SAN of the server certificate, or leftid in ipsec.conf does not match them,
- the serverAuth flag was not specified when creating the certificate authority via the genCert.sh script (should not happen if you have been following the guide!).
Requiring server-side certificates is inconvenient due to all clients having to install the CA certificate. To make things easier, one could create a bundle containing the CA certificate and a batch script using certutil to quickly deploy it across multiple machines.