strongSwan EAP Configuration for Multiple Windows 7 Clients

Connection Definitions

```
# ipsec.conf - strongSwan IPsec configuration file

config setup
    plutostart=no

conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no

conn win7
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=vpnCert.pem
    leftid=@vpn.strongswan.org
    right=%any
    rightsourceip=10.10.3.0/24
    rightauth=eap-mschapv2
    #rightsendcert=never  # see note
    eap_identity=%any
    auto=add
```
- plutostart=no
Only the IKEv2 charon daemon will be started but not the IKEv1 pluto daemon.
- keyexchange=ikev2
Windows 7 uses the IKEv2 protocol to set up the IPsec tunnel. The default value of keyexchange
is ikev1.
- ike=aes256-sha1-modp1024!
This restricts the IKE cipher suites to what Windows 7 proposes. If omitted, any supported
cipher suite will be accepted by strongSwan.
- esp=aes256-sha1!
This restricts the ESP cipher suites to what Windows 7 proposes. If omitted, any supported
cipher suite will be accepted by strongSwan.
- dpdaction=clear
Activates the optional Dead Peer Detection (DPD) function. If the connection to the peer is lost
then the corresponding IKE SA and dependent IPsec SAs will be cleared automatically.
- dpddelay=300s
If no inbound ESP traffic has been received over the last 300 seconds an IKE INFORMATIONAL request
is sent in order to check the vitality of the peer. Since MOBIKE might need several minutes to
adapt to a changed network topology this parameter should have a sufficiently high value.
- rekey=no
Windows 7 does not like the VPN gateway to take the initiative, so rekeying is left to the client.
- left=%any
The VPN gateway is reachable via any network interface. This is important in
multi-homing scenarios. As an alternative the external default interface could
be selected with left=%defaultroute.
- leftsubnet=0.0.0.0/0
The protected network hidden behind the VPN gateway. The Windows 7 client always sends a
0.0.0.0/0 traffic selector that is automatically narrowed by the VPN gateway to
the actual leftsubnet definition. Multiple traffic selectors of the form
leftsubnet=192.168.0.0/24,192.168.2.0/24 are also possible. If all IP traffic is
to be tunneled as in our example, define leftsubnet=0.0.0.0/0.
- leftauth=pubkey
The VPN gateway will authenticate itself using a public key signature.
- leftcert=vpnCert.pem
The X.509 certificate of the VPN gateway stored per default in the /etc/ipsec.d/certs/ directory.
- leftid=@vpn.strongswan.org
The certificate vpnCert.pem contains the FQDN vpn.strongswan.org as a subjectAltName
X.509v3 certificate extension.
- right=%any
Since the IP address of a Windows 7 remote access client is usually assigned dynamically
by the current ISP, any peer address is accepted. If no rightid is defined, then any
peer presenting a certificate signed by one of the trusted authorities stored in
/etc/ipsec.d/cacerts/ will be accepted.
- rightsourceip=10.10.3.0/24
Windows 7 clients always request a virtual IP address via the IKEv2 configuration payload (CP).
The VPN gateway automatically assigns virtual IP addresses out of an address pool defined by rightsourceip.
- rightauth=eap-mschapv2
The peers are authenticated via the EAP-MSCHAPv2 protocol.
- rightsendcert=never
Since the clients authenticate themselves using EAP-MSCHAPv2, the gateway is not going to
send any certificate requests. However, if strongSwan also serves other clients using certificate
authentication, rightsendcert=never should not be used, as a responder usually cannot enforce this
option for specific connections only.
- eap_identity=%any
The strongSwan gateway uses the EAP Identity protocol to request an EAP identity different from
the peer's IKEv2 identity.
- auto=add
The connection win7 is parsed and loaded by the IKEv2 charon daemon, but the VPN gateway will
act as a responder and passively wait for the Windows 7 client to start the IKE negotiation.
Server RSA Private Key and Client Preshared EAP Credentials

```
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA vpnKey.pem

carol : EAP "abcd1234"
dave  : EAP "fghj5678"
```
In the example above the RSA private key file vpnKey.pem stored in the /etc/ipsec.d/private/
directory is not protected by symmetric encryption.
The format of the EAP-MSCHAPv2 user credentials is

```
[<domain>\]<username> : EAP "<plaintext password>"
```
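As an added example (not strongSwan's own code), the following parser reads the secrets file format shown above, splits an optional `<domain>\` prefix from the EAP identity, and looks up the password the gateway would present to EAP-MSCHAPv2 for a given identity. The `CORP\erin` entry is constructed here to show the domain form; the other lines mirror the page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the page's ipsec.secrets format (CORP\erin added for the domain case).
SAMPLE_SECRETS = """\
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA vpnKey.pem
carol : EAP "abcd1234"
dave : EAP "fghj5678"
CORP\\erin : EAP "secret 9"
"""

# <selectors> : <TYPE> <secret>; selectors may be empty (the RSA line above).
LINE_RE = re.compile(r'^(?P<selectors>[^:]*?)\s*:\s*(?P<type>RSA|EAP|PSK)\s+(?P<secret>.+?)\s*$')


def _unquote(token: str) -> str:
    """Strip the double quotes that surround a quoted secret."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    return token


def parse_secrets(text: str) -> List[Dict]:
    """Parse secrets lines into dicts; comment and blank lines are skipped.
    EAP identities of the form DOMAIN\\user are split into domain and username."""
    entries: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable secrets line: {raw!r}")
        selectors = m.group('selectors').split()
        entry: Dict = {'type': m.group('type'), 'selectors': selectors}
        if entry['type'] == 'EAP':
            if len(selectors) != 1:  # an EAP line carries exactly one identity
                raise ValueError(f"EAP line needs one identity: {raw!r}")
            domain, _, user = selectors[0].rpartition('\\')
            entry.update(domain=domain or None, username=user,
                         password=_unquote(m.group('secret')))
        else:
            entry['secret'] = _unquote(m.group('secret'))
        entries.append(entry)
    return entries


def lookup_eap(entries: List[Dict], identity: str) -> Optional[str]:
    """Return the plaintext password for an EAP identity given as [<domain>\\]<username>."""
    for e in entries:
        if e['type'] == 'EAP' and e['selectors'][0] == identity:
            return e['password']
    return None
```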
Assignment of Internal DNS and WINS Servers

```
# /etc/strongswan.conf - strongSwan configuration file

charon {
    dns1 = 62.2.17.60
    dns2 = 62.2.24.162
    nbns1 = 10.10.1.1
    nbns2 = 10.10.0.1
}
```
Windows 7 requests internal DNS and WINS server information from the strongSwan gateway via the IKEv2 Configuration Payload (CP).
Up to two IPv4 or IPv6 DNS and WINS servers can be defined in the /etc/strongswan.conf configuration file.