About

Windows 7 is particularly fussy about connecting to strongSwan via IKEv2. The operating system contains checks that thoroughly verify the server certificate. In contrast to the BlackBerry IPSec client (and macOS as well), Windows 7 will not accept pre-shared key (PSK) authentication and insists on having the server's CA certificate installed in the machine's trusted root certificate store. The following is a guide documenting how to install strongSwan and how to create a separate configuration for these pesky Windows 7 clients.

Installing strongSwan

Installing strongSwan and other required tools can be performed under Debian by issuing:

aptitude install strongswan strongswan-ikev2 strongswan-pki libcharon-extra-plugins

where strongswan-pki will be used to generate the certificates.

Generating Certificates

The following script will help you generate the necessary certificates for strongSwan that will be compatible with Windows 7 requirements.

genCert.sh
#!/bin/sh
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2018 - License: GNU GPLv3      ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################
## Simple script to generate the required certificates for strongSwan in ##
## order to allow Windows 7 clients to connect.                          ##
##                                                                       ##
## Requirements:                                                         ##
##   * pki Simple public key infrastructure (PKI) management tool        ##
##     part of strongSwan                                                ##
##   * openssl (used to convert the server key to DER)                   ##
##                                                                       ##
###########################################################################

# Abort on the first failing command so that a half-generated set of
# files is never installed.
set -e

###########################################################################
##                           CONFIGURATION                               ##
###########################################################################

# This is the externally and internally visible fully qualified domain
# name to which the clients will connect. It is imperative that DNS
# properly resolves this name to the strongSwan IP address!
SERVER_FQDN="vpn.example.com"

# An ISO Alpha-2 country code (two letter country code) of the server.
COUNTRY_CODE="US"

# The organization name.
ORGANIZATION="Wizardry and Steamworks"

# A short description of the server for the certificate authority.
COMMON_NAME="Wizardry and Steamworks"

# (y/n) - whether to install the certificate to /etc/ipsec.d/
PERFORM_INSTALL="n"

###########################################################################
##                              INTERNALS                                ##
###########################################################################

# Certificate authority: private key, then a self-signed CA certificate.
# The serverAuth flag on the CA is what Windows 7 insists on.
ipsec pki --gen --type rsa --size 4096 --outform pem > CA.key.pem
ipsec pki --self --flag serverAuth --in CA.key.pem --type rsa \
    --digest sha1 \
    --dn "C=$COUNTRY_CODE, O=$ORGANIZATION, CN=$COMMON_NAME" \
    --ca > CA.crt.der

# Server key, and the public half that the CA will sign (the ".csr" file
# is the raw public key that "pki --issue" reads from stdin).
ipsec pki --gen --type rsa --size 4096 \
    --outform pem > "$SERVER_FQDN".key.pem
ipsec pki --pub --in "$SERVER_FQDN".key.pem \
    --type rsa > "$SERVER_FQDN".csr

# Server certificate: CN and SAN must both carry the FQDN that the
# clients dial, and the serverAuth flag is required again.
ipsec pki --issue --cacert CA.crt.der --cakey CA.key.pem --digest sha1 \
    --dn "C=$COUNTRY_CODE, O=$ORGANIZATION, CN=$SERVER_FQDN" \
    --san "$SERVER_FQDN" --flag serverAuth \
    --outform pem < "$SERVER_FQDN".csr > "$SERVER_FQDN".crt.pem

# strongSwan is handed the server key in DER form (see ipsec.secrets).
openssl rsa -in "$SERVER_FQDN".key.pem -out "$SERVER_FQDN".key.der \
    -outform DER

if [ x"$PERFORM_INSTALL" = x"y" ]; then
    cp CA.crt.der /etc/ipsec.d/cacerts
    cp "$SERVER_FQDN".crt.pem /etc/ipsec.d/certs
    cp "$SERVER_FQDN".key.der /etc/ipsec.d/private
fi

To use the script, download the genCert.sh file and make it executable by issuing:

chmod +x genCert.sh

Open the script in an editor and make the appropriate changes for the following parameters:

  • SERVER_FQDN - the fully qualified domain name of the strongSwan server. This has to properly resolve to the IP address of the strongSwan server; it cannot be a fictitious name,
  • ORGANIZATION - change this to whatever organization name you desire,
  • PERFORM_INSTALL - set this to y if you are under Debian in order to copy the generated certificates under /etc/ipsec.d/ (Debian compatible).

Note that the script sets the serverAuth flag on the certificate authority, which is a Windows 7 requirement!

Installing the Certificate Authority on Windows

Under Windows 7, press Win+R to open the Run dialog and type (alternatively, launch a command prompt and issue mmc):

mmc

in order to launch the Microsoft Management Console.

Navigate to File→Add/Remove Snap-In, select Certificates from the left pane named Available snap-ins and click the Add > button between the panes. You will be prompted by a dialog allowing you to choose between My user account, Service account and Computer account.

Pick the Computer account option and follow the prompts until you get the certificates interface.

Navigate to Personal→Certificates on the left pane and right-click in the middle of the right pane. Follow the menu All Tasks→Import… until a dialog pops up.

Now you have to transfer CA.crt.der from /etc/ipsec.d/cacerts/ on the strongSwan server to the Windows machine and select it when the dialog asks for a file name.

Accept the defaults in the remaining prompts and the certificate will be imported into the machine's Personal certificate store.

The final step is to expand Trusted Root Certification Authorities→Certificates on the left pane and drag and drop the certificate there from the Personal store.

Congratulations! The certificate is now installed and you can close the Microsoft Management Console.

In One Line

Open an administrative command prompt (the quick way, which uses PowerShell to elevate: press Win+R and type powershell.exe Start-Process cmd.exe -Verb runAs) and type:

certutil -enterprise -f -v -AddStore "Root" C:\CA.crt.der

where:

  • C:\CA.crt.der is the path to the CA certificate that you have transferred over from the strongSwan server.

Configuring strongSwan

Edit the /etc/ipsec.secrets file in order to add the generated RSA private key. For instance, the script in the previous section will generate the private key of the server certificate, named vpn.example.com.key.der, and place it under /etc/ipsec.d/private. Following the example, the /etc/ipsec.secrets file requires adding:

: RSA "vpn.example.com.key.der"

Users can also be added below the private key line with the following syntax:

[DOMAIN\]USER : EAP "PASSWORD"

where:

  • DOMAIN is an optional domain name used by the IPSec Windows VPN client,
  • USER is the username that you want to add,
  • PASSWORD is the user's password.

For instance:

ash : EAP "testing123"

will allow the user ash to log on without specifying a domain name and with the password testing123.

Finally, the required IPSec configuration for Windows 7 can be added to /etc/ipsec.conf:

conn Windows_7
        keyexchange=ikev2
        # The trailing "!" makes the proposal strict, so nothing other
        # than this cipher set is negotiated with the client.
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        left=%defaultroute
        # Will tell clients to route only traffic bound exclusively for the
        # 192.168.0.0/24 network through the VPN connection. If this option
        # is set to 0.0.0.0/0 then all traffic will be routed by the client
        # through the VPN connection.
        leftsubnet=192.168.0.0/24
        leftauth=pubkey
        # Server certificate (under /etc/ipsec.d/certs) and identity as
        # generated by genCert.sh.
        leftcert=vpn.example.com.crt.pem
        leftid=vpn.example.com
        right=%any
        # Client addresses are leased through the charon dhcp plugin.
        rightsourceip=%dhcp
        # Windows clients authenticate with username and password
        # (MSCHAPv2 inside EAP), so no client certificate is requested.
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        rekey=no
        mobike=yes
        auto=route

with the following possible changes:

  • leftsubnet=192.168.0.0/24 should be changed to your server's network or to 0.0.0.0/0 in order to instruct Windows 7 clients to route all traffic through the VPN connection,
  • leftcert=vpn.example.com.crt.pem should be changed to the server certificate generated in the previous section and placed under /etc/ipsec.d/certs,
  • vpn.example.com is the FQDN of the server as defined by the SERVER_FQDN variable in the genCert.sh script from the previous section.

Creating a Windows IPSec VPN Connection

Open Control Panel and go to the Network and Sharing Centre to set up a new connection.

Pick the "workplace" / VPN connection type.

Choose the option to use the Internet to connect.

Enter the address to connect to - following the example, this should be vpn.example.com - and tick the box labeled Don't connect now; just set it up so I can connect later, or else Windows 7 will run through all possible VPN types trying to connect and will ultimately fail.

On the next screen you will be asked to fill in a username and password - this can be done here, if you like. Finally, the last screen allows you to close the wizard without connecting. We're going to have to switch the VPN type to IKEv2 manually, so go to the adapter settings after you are done with the wizard.

Right-click and select properties on the new VPN connection in order to browse to the "Security" tab.

From the drop-down, select IKEv2 and then close the dialog without making any other changes.

You can now attempt a connection!

Troubleshooting

If you get the dreaded error Error 13801: IKE authentication credentials are unacceptable, do not be misled into believing that you have typed your username and password wrongly.

The error, in fact, occurs during the IKE authentication exchange, when the server sends its certificate (chaining to the CA you installed) and Windows rejects it for one of the following possible reasons:

  • The certificate is expired.
  • The trusted root for the certificate is not present on the client (you have not properly installed the CA certificate into the trusted root certificate store).
  • The subject name of the certificate does not match the remote computer (the "common name" of the certificate does not match the server FQDN).
  • The certificate does not have the required Enhanced Key Usage (EKU) values assigned (this refers to the serverAuth flag being specified when creating the certificate authority via the genCert.sh script - should not happen if you have been following the guide!).
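The reasons listed above, together with the serverAuth note from the Generating Certificates section and the ipsec.secrets entry, can be checked on the server before any Windows client dials in. The following script is an added example and is not part of the original guide or of strongSwan. It assumes the file layout genCert.sh installs under /etc/ipsec.d (cacerts, certs, private), an ipsec.secrets in the format shown earlier, and openssl on the PATH for the file-based checks; the text-based checks parse the shape of openssl x509 -noout -text output and come with a constructed sample dump (not a real certificate) so they can be exercised offline. All function names (preflight, check_cert_text, sample_cert_text and the rest) are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original guide: preflight checks for the
# certificate conditions Windows 7 enforces (the causes of Error 13801) and
# for the file layout genCert.sh installs. Assumes /etc/ipsec.d/{cacerts,
# certs,private}, an ipsec.secrets as shown earlier and openssl on PATH for
# the *_file checks. All function names are this example's own.

# Does a text dump ("openssl x509 -noout -text") carry the serverAuth EKU?
cert_text_has_server_auth() {
    grep -A1 'X509v3 Extended Key Usage' "$1" \
        | grep -q 'TLS Web Server Authentication'
}

# Do the subject CN and a DNS SAN both equal the FQDN the clients dial?
cert_text_matches_fqdn() {
    grep 'Subject:' "$1" | grep -Eq "CN *= *$2( *,|\$)" || return 1
    grep -A1 'Subject Alternative Name' "$1" | grep -Eq "DNS:$2(,|\$)"
}

# Print one line per failed text-level check; returns the failure count.
# FQDN may be empty (for the CA certificate, whose CN is free-form).
check_cert_text() {
    failures=0
    if ! cert_text_has_server_auth "$1"; then
        echo "FAIL: $1 lacks the serverAuth EKU"; failures=$((failures + 1))
    fi
    if [ -n "$2" ] && ! cert_text_matches_fqdn "$1" "$2"; then
        echo "FAIL: $1 subject CN / SAN do not match $2"; failures=$((failures + 1))
    fi
    return "$failures"
}

# genCert.sh writes the CA in DER and the server certificate in PEM.
cert_inform() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null && echo PEM || echo DER
}

# Text checks plus expiry on a certificate file; returns the failure count.
check_cert_file() {
    tmp=$(mktemp) || return 1
    if ! openssl x509 -in "$1" -inform "$(cert_inform "$1")" -noout -text > "$tmp" 2>/dev/null; then
        rm -f "$tmp"; echo "FAIL: cannot parse $1"; return 1
    fi
    failures=0
    check_cert_text "$tmp" "$2" || failures=$?
    rm -f "$tmp"
    # -checkend 0 exits non-zero once the certificate has expired
    if ! openssl x509 -in "$1" -inform "$(cert_inform "$1")" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $1 has expired"; failures=$((failures + 1))
    fi
    return "$failures"
}

# Is the server key registered in ipsec.secrets as ': RSA "<file>"'?
secrets_has_rsa_key() {
    grep -Eq "^[[:space:]]*:[[:space:]]*RSA[[:space:]]+\"?$2\"?" "$1"
}

# Files genCert.sh installs plus the secrets entry; returns the failure count.
preflight_layout() {
    dir=$1; secrets=$2; fqdn=$3; failures=0
    for f in cacerts/CA.crt.der "certs/$fqdn.crt.pem" "private/$fqdn.key.der"; do
        if [ ! -f "$dir/$f" ]; then
            echo "FAIL: missing $dir/$f"; failures=$((failures + 1))
        fi
    done
    if ! secrets_has_rsa_key "$secrets" "$fqdn.key.der"; then
        echo "FAIL: no ': RSA \"$fqdn.key.der\"' line in $secrets"; failures=$((failures + 1))
    fi
    return "$failures"
}

# Everything together. Usage: sh preflight.sh /etc/ipsec.d /etc/ipsec.secrets vpn.example.com
preflight() {
    total=0
    preflight_layout "$1" "$2" "$3" || total=$?
    check_cert_file "$1/cacerts/CA.crt.der" "" || total=$((total + $?))
    check_cert_file "$1/certs/$3.crt.pem" "$3" || total=$((total + $?))
    [ "$total" -eq 0 ] && echo "OK: certificates and layout look right for Windows 7"
    return "$total"
}

# Constructed sample shaped like "openssl x509 -noout -text" output (not a
# real certificate) so the text checks can be tried offline.
# VARIANT: good | noeku | wrongcn
sample_cert_text() {
    cn=vpn.example.com
    eku="            X509v3 Extended Key Usage:
                TLS Web Server Authentication"
    case $1 in
        noeku)   eku="" ;;
        wrongcn) cn=vpn.internal ;;
    esac
    cat <<EOF
Certificate:
    Data:
        Subject: C = US, O = Wizardry and Steamworks, CN = $cn
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:$cn
$eku
EOF
}

if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

Run it as sh preflight.sh /etc/ipsec.d /etc/ipsec.secrets vpn.example.com on the server; each FAIL line maps onto one of the causes of Error 13801 or onto a missing file, and the exit status is the number of problems found.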

Finishing Comments

Requiring server-side certificates is inconvenient because every client has to install the CA certificate. To make things easier, one could create a bundle containing the CA certificate and a batch script using certutil to quickly deploy it across multiple machines.
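One way to build such a bundle on the strongSwan server, as an added example that is not part of the original guide: the shell function below copies the CA certificate into a folder next to a Windows batch file that runs the certutil command from the "In One Line" section, resolving the certificate path relative to the batch file itself so the folder can be copied anywhere. The function names (make_ca_bundle, bundle_is_complete) and the output file name install-ca.cmd are this example's own; the CA path defaults to where genCert.sh installs it.

```sh
#!/bin/sh
# Added example, not part of the original guide: package the CA certificate
# with a batch file that installs it into the Windows machine trusted root
# store via certutil. Function and file names are this example's own.

# make_ca_bundle CA_FILE OUT_DIR
make_ca_bundle() {
    ca=${1:-/etc/ipsec.d/cacerts/CA.crt.der}; out=${2:-ca-bundle}
    [ -f "$ca" ] || { echo "no such CA file: $ca" >&2; return 1; }
    mkdir -p "$out" || return 1
    cp "$ca" "$out/CA.crt.der" || return 1
    # Batch files want CRLF line endings; %~dp0 is the folder the .cmd
    # lives in, so the certificate is found wherever the bundle is unpacked.
    printf '%s\r\n' \
        '@echo off' \
        'rem Run as Administrator: imports the strongSwan CA into the trusted root store' \
        'certutil -enterprise -f -v -AddStore "Root" "%~dp0CA.crt.der"' \
        'if errorlevel 1 (echo CA import failed & exit /b 1)' \
        'echo CA installed' \
        > "$out/install-ca.cmd"
}

# bundle_is_complete DIR: both files present and the certutil line intact.
bundle_is_complete() {
    [ -f "$1/CA.crt.der" ] && [ -f "$1/install-ca.cmd" ] \
        && grep -q 'certutil -enterprise -f -v -AddStore "Root"' "$1/install-ca.cmd"
}
```

After running make_ca_bundle, copy the resulting folder to each Windows 7 client and run install-ca.cmd from an administrative command prompt; the batch file exits non-zero if certutil reports a failure.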


networking/ipsec/strongswan/windows_7_clients.txt · Last modified: 2022/04/19 08:27 by 127.0.0.1
