Version 3/6
Tobias Brunner, 09.07.2007 12:40
= Windows Vista =
This is an easy-to-follow how-to guide to connecting Windows Vista with a strongSwan IPsec gateway.
=== Road Warrior Scenario (PSK) ===
The scenario we want to implement is that of a typical road warrior. strongSwan is used as gateway (moon) and Windows Vista will serve as road warrior (carol). A pre-shared key (PSK) will be used to authenticate the two parties. The gateway will provide access to the ''10.1.0.0/16'' network. This situation is shown in the following image.
[[Image(overview.png, nolink)]]
=== strongSwan Configuration ===
The required configuration in ''/etc/ipsec.conf'' is as follows:
{{{
conn vista
left=%defaultroute
leftsubnet=10.1.0.0/16
right=%any
authby=secret
pfs=no
auto=add
}}}
Since Windows Vista does not implement Perfect Forward Secrecy, it is important to set '''pfs=no'''.
The PSK is stored in ''/etc/ipsec.secrets'':
{{{
: PSK "strongSwan"
}}}
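The settings on the two sides have to match exactly, and a couple of them (''pfs=no'', ''authby=secret'', ''right=%any'') are what make the conn usable by a Vista road warrior at all. The following checker is an added example, not part of the strongSwan project or of this page: it parses the subset of the ''ipsec.conf'' / ''ipsec.secrets'' format shown above and reports any setting that deviates from what this how-to requires. The sample inputs are constructed from the snippets above; the function and variable names are the example's own.

```python
"""Consistency check for a strongSwan road-warrior conn meant for Windows Vista.

Added example (not strongSwan project code). It parses the minimal
ipsec.conf / ipsec.secrets subset used in the how-to and reports settings
that would keep a Vista client from connecting.
"""
import re

# Constructed sample input, identical to the page's /etc/ipsec.conf snippet.
SAMPLE_IPSEC_CONF = """\
conn vista
    left=%defaultroute
    leftsubnet=10.1.0.0/16
    right=%any
    authby=secret
    pfs=no
    auto=add
"""

# Constructed sample input, identical to the page's /etc/ipsec.secrets snippet.
SAMPLE_IPSEC_SECRETS = ': PSK "strongSwan"\n'


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for 'conn' and 'config' sections.

    The real ipsec.conf grammar (also=, %default, includes) is richer; this
    parser handles the subset used in the how-to plus '#' comments.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m and not raw[0].isspace():
            current = sections.setdefault(m.group(2), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    return sections


def parse_psks(text):
    """Return a list of (selector, psk) pairs from ipsec.secrets.

    An empty selector (the page's ': PSK ...' line) applies to any peer.
    """
    psks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'^(.*?):\s*PSK\s+"(.*)"$', line)
        if m:
            psks.append((m.group(1).strip(), m.group(2)))
    return psks


def check_vista_conn(conf_text, secrets_text, conn_name="vista"):
    """Return a list of problems; empty means the conn matches the
    requirements the how-to states for a Vista road warrior."""
    problems = []
    conn = parse_ipsec_conf(conf_text).get(conn_name)
    if conn is None:
        return [f"no 'conn {conn_name}' section found"]

    expected = {
        "authby": "secret",  # the Vista rule authenticates with a PSK
        "pfs": "no",         # Vista does not implement PFS
        "right": "%any",     # the road warrior connects from any address
        "auto": "add",       # the gateway waits for the client to initiate
    }
    for key, value in expected.items():
        if conn.get(key) != value:
            problems.append(f"{key}={conn.get(key, '<missing>')}, expected {key}={value}")

    # The Vista tunnel rule must name the same protected network; require a
    # CIDR so the value can be copied into the wizard verbatim.
    subnet = conn.get("leftsubnet", "")
    if not re.match(r"^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$", subnet):
        problems.append(f"leftsubnet={subnet or '<missing>'} is not a CIDR network")

    if conn.get("authby") == "secret" and not parse_psks(secrets_text):
        problems.append("authby=secret but ipsec.secrets defines no PSK")
    return problems


if __name__ == "__main__":
    for p in check_vista_conn(SAMPLE_IPSEC_CONF, SAMPLE_IPSEC_SECRETS) or ["ok"]:
        print(p)
```

Run it against the real files (''check_vista_conn(open("/etc/ipsec.conf").read(), open("/etc/ipsec.secrets").read())'') before walking through the Vista wizard; every value it prints is one that would have to be reconciled with the tunnel rule anyway.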
=== Windows Vista Configuration ===
IPsec in Vista is configured in a Microsoft Management Console (MMC) module called ''Windows Firewall with Advanced Security''. This module is started via ''Control Panel'' - ''Administrative Tools'' or directly by running '''wf.msc'''. The following screenshot shows the first option (click the image to view it in its original size).
[[Image(administrative_tools.png, width=50%)]]
The window shown in the next screenshot should show up.
[[Image(edit_general_settings.png, 50%)]]
==== General IPsec Settings ====
As illustrated in the above screenshot, we first have to configure some general settings. So, right-click the root node and select ''Properties''. In the dialog that shows up, select the tab ''IPsec Settings'' and click ''Customize...'' (see next screenshots). What we want to change are the Quick Mode settings - select ''Advanced'' and click ''Customize...''.
[[Image(ipsec_settings.png)]] [[Image(ipsec_settings_customize.png, height=459px)]]
By default Vista tries to create an AH Child SA. Since we want our Child SA to be secured by ESP, tick the corresponding checkbox, as shown in the next screen capture.
[[Image(ipsec_settings_enable_encryption.png)]]
Confirm all dialogs with ''OK''.
==== Creating a Connection Security Rule ====
Now we are ready to create a new ''Connection Security Rule''. Select the item of the same name in the tree and click ''New Rule...'' in the actions pane on the right.
[[Image(new_rule.png, 50%)]]
This loads the wizard shown in the next screenshot. What we want to create is a '''Tunnel''' - select that option and click ''Next >''.
[[Image(wizard_1.png)]]
The next page of the wizard is the most important one. It defines which networks need to be secured and between which hosts the tunnel shall be created. We want all traffic between our host (referring to the overview, 192.168.0.100) and the ''10.1.0.0/16'' network to be secured. The tunnel is between our host and the gateway (192.168.0.1). It is important to use exactly the same settings as defined in ''/etc/ipsec.conf''; it won't work otherwise. Click ''Next >'' when you are done.
[[Image(wizard_2.png)]]
As defined in the strongSwan configuration, authentication is done by PSK. Select that option and type in the key (again, this has to be exactly the same as in ''/etc/ipsec.secrets'').
[[Image(wizard_3.png)]]
Just confirm the next wizard page by clicking ''Next >'' and, finally, choose a name and click ''Finish''.
[[Image(wizard_4.png, height=200px)]] [[Image(wizard_5.png, height=200px)]]
That's it. If you want to check whether there is currently an active connection, expand ''Monitoring'' and then ''Security Associations'' in the left tree and check whether there are any Main or Quick Mode SAs established.
[[Image(final_rule.png, 50%)]]
==== Testing the Setup ====
To test the setup we need to generate traffic between Vista and one of the hosts in the target network. A simple ''ping 10.1.0.1'' should do and should produce output similar to the following.
[[Image(command_prompt.png)]]
Note that the first ping just serves as a trigger to initiate the IPsec connection.