strongSwan Configuration for a Single Windows 7 Client

Connection Definitions
# ipsec.conf - strongSwan IPsec configuration file

config setup
    plutostart=no

conn win7
    left=%defaultroute
    leftcert=aCert.pem
    leftsubnet=192.168.0.0/24
    right=%any
    rightsourceip=192.168.1.245
    rightid="C=AU, ST=Queensland, O=QUT, OU=ISI, CN=c, E=c@isi.qut.edu.au"
    keyexchange=ikev2
    auto=add
- plutostart=no
Only the IKEv2 charon daemon will be started but not the IKEv1 pluto daemon.
- left=%defaultroute
The VPN gateway is reachable via the IP address of the default external network interface.
Omitting the left parameter or setting it to left=%any will make the VPN
gateway reachable via any available interface.
- leftcert=aCert.pem
The X.509 certificate of the VPN gateway stored per default in the /etc/ipsec.d/certs/ directory.
- leftsubnet=192.168.0.0/24
The protected network hidden behind the VPN gateway. The Windows 7 client always sends a
0.0.0.0/0 traffic selector that is automatically narrowed by the VPN gateway to
the actual leftsubnet definition. Multiple traffic selectors of the form
leftsubnet=192.168.0.0/24,192.168.2.0/24 are also possible. If all IP traffic is
to be tunneled, define leftsubnet=0.0.0.0/0.
- right=%any
Since the IP address of a Windows 7 remote access client is usually assigned dynamically
by the current ISP, any peer address is accepted.
- rightsourceip=192.168.1.245
A Windows 7 client always requests a virtual IP address via the IKEv2 configuration payload (CP).
The VPN gateway automatically assigns the virtual IP address defined by rightsourceip to the peer.
- rightid="C=AU, ST=Queensland, O=QUT, OU=ISI, CN=c, E=c@isi.qut.edu.au"
Defines the IKEv2 ID of the remote peer. Windows 7 always sends the subject distinguished name contained
in the Windows 7 machine certificate.
- keyexchange=ikev2
Windows 7 uses the IKEv2 protocol to set up the IPsec tunnel. The default value of keyexchange
is ikev1.
- auto=add
The connection win7 is parsed and loaded by the IKEv2 charon daemon, but the VPN gateway will
act as a responder and passively wait for the Windows 7 client to start the IKE negotiation.
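As an added example (not part of the strongSwan documentation), the following Python parses a conn section in the indented form ipsec.conf expects, reproduces the narrowing of the client's 0.0.0.0/0 traffic selector to the configured leftsubnet entries described above, and flags the settings a Windows 7 client depends on. The sample configuration is constructed inline from the parameters on this page; the leftsubnet list was extended with a second network to show multiple selectors.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: the win7 conn from the page, with a second leftsubnet
# entry added to illustrate multiple traffic selectors.
IPSEC_CONF = """\
config setup
    plutostart=no
conn win7
    left=%defaultroute
    leftcert=aCert.pem
    leftsubnet=192.168.0.0/24,192.168.2.0/24
    right=%any
    rightsourceip=192.168.1.245
    keyexchange=ikev2
    auto=add
"""

def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; a 'conn NAME' line is keyed by NAME."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # unindented line opens a section
            kind, _, name = line.partition(" ")
            current = name if kind == "conn" else kind
            sections[current] = {}
        elif current is not None:                  # indented line is key=value
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def narrow_traffic_selector(peer_ts: str, leftsubnet: str) -> List[str]:
    """Intersect the client's proposed selector with each leftsubnet entry."""
    proposed = ipaddress.ip_network(peer_ts, strict=False)
    narrowed = []
    for entry in leftsubnet.split(","):
        local = ipaddress.ip_network(entry.strip(), strict=False)
        if local.version != proposed.version:
            continue                               # IPv4 vs IPv6 never overlap
        if local.subnet_of(proposed):
            narrowed.append(str(local))            # 0.0.0.0/0 shrinks to leftsubnet
        elif proposed.subnet_of(local):
            narrowed.append(str(proposed))
    return narrowed

def check_win7_conn(conn: Dict[str, str]) -> List[str]:
    """List settings that would keep a Windows 7 IKEv2 client from connecting."""
    problems = []
    if conn.get("keyexchange", "ikev1") != "ikev2":
        problems.append("keyexchange must be ikev2 (the default is ikev1)")
    if "rightsourceip" not in conn:
        problems.append("rightsourceip missing: Windows 7 always requests a virtual IP")
    if "leftcert" not in conn:
        problems.append("leftcert missing: the gateway authenticates with a certificate")
    return problems
```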
Authentication with RSA Private Key

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA aKey.pem "f4Dgs2uY5Ne7KS0E"
If the RSA private key file stored in the /etc/ipsec.d/private/ directory is protected by
symmetric encryption, then the passphrase must be added as an additional argument.
Assignment of Internal DNS and WINS Servers

# /etc/strongswan.conf - strongSwan configuration file

charon {
    dns1 = 192.168.0.100
    dns2 = 192.168.0.101
    nbns1 = 192.168.0.150
    nbns2 = 192.168.0.151
}
Windows 7 requests internal DNS and WINS server information from the strongSwan gateway via the IKEv2 Configuration Payload (CP).
Up to two IPv4 or IPv6 DNS and WINS servers can be defined in the /etc/strongswan.conf configuration file starting with
strongSwan-4.2.12.