strongSwan EAP Configuration for Multiple Windows 7 Clients

Connection Definitions

# ipsec.conf - strongSwan IPsec configuration file

config setup
    plutostart=no

conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no

conn win7
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=vpnCert.pem
    leftid=@vpn.strongswan.org
    right=%any
    rightsourceip=10.10.3.0/24
    rightauth=eap-mschapv2
    #rightsendcert=never   # see note
    eap_identity=%any
    auto=add

  • plutostart=no
    Only the IKEv2 charon daemon will be started but not the IKEv1 pluto daemon.
  • keyexchange=ikev2
    Windows 7 uses the IKEv2 protocol to set up the IPsec tunnel. The default value of keyexchange
    is ikev1.
  • ike=aes256-sha1-modp1024!
    This restricts the IKE cipher suites to what Windows 7 proposes. If omitted, any supported
    cipher suite will be accepted by strongSwan.
  • esp=aes256-sha1!
    This restricts the ESP cipher suites to what Windows 7 proposes. If omitted, any supported
    cipher suite will be accepted by strongSwan.
  • dpdaction=clear
    Activates the optional Dead Peer Detection (DPD) function. If the connection to the peer is lost
    then the corresponding IKE SA and dependent IPsec SAs will be cleared automatically.
  • dpddelay=300s
    If no inbound ESP traffic has been received over the last 300 seconds, an IKE INFORMATIONAL request
    is sent in order to check whether the peer is still alive. Since MOBIKE might need several minutes to
    adapt to a changed network topology, this parameter should have a sufficiently high value.
  • rekey=no
    Windows 7 does not handle rekeying initiated by the VPN gateway well, so the gateway does not
    initiate rekeying and leaves it to the client.
  • left=%any
    The VPN gateway is reachable via any network interface. This is important in
    multi-homing scenarios. As an alternative the external default interface could
    be selected with left=%defaultroute.
  • leftsubnet=0.0.0.0/0
    The protected network hidden behind the VPN gateway. The Windows 7 client always sends a
    0.0.0.0/0 traffic selector that is automatically narrowed by the VPN gateway to
    the actual leftsubnet definition. Multiple traffic selectors of the form
    leftsubnet=192.168.0.0/24,192.168.2.0/24 are also possible. If all IP traffic is
    to be tunneled as in our example, define leftsubnet=0.0.0.0/0.
  • leftauth=pubkey
    The VPN gateway will authenticate itself using a public key signature.
  • leftcert=vpnCert.pem
    The X.509 certificate of the VPN gateway stored per default in the /etc/ipsec.d/certs/ directory.
  • leftid=@vpn.strongswan.org
    The certificate vpnCert.pem contains the FQDN vpn.strongswan.org as a subjectAltName
    X.509v3 certificate extension.
  • right=%any
    Since the IP address of a Windows 7 remote access client is usually assigned dynamically
    by the current ISP, any peer address is accepted. If no rightid is defined, then any
    peer presenting a certificate signed by one of the trusted authorities stored in
    /etc/ipsec.d/cacerts/ will be accepted.
  • rightsourceip=10.10.3.0/24
    Windows 7 clients always request a virtual IP address via the IKEv2 configuration payload (CP).
    The VPN gateway automatically assigns virtual IP addresses out of an address pool defined by rightsourceip.
  • rightauth=eap-mschapv2
    The peers are authenticated via the EAP-MSCHAPv2 protocol.
  • rightsendcert=never
    Since the clients authenticate themselves using EAP-MSCHAPv2, the gateway is not going to
    send any certificate requests. However, if strongSwan also serves other clients that use certificate
    authentication, never should not be used, as a responder usually cannot enforce this
    option for specific connections. This is why the option is commented out in the example above.
  • eap_identity=%any
    The strongSwan gateway uses the EAP Identity protocol to request an EAP identity different from
    the peer's IKEv2 identity.
  • auto=add
    The connection win7 is parsed and loaded by the IKEv2 charon daemon, but the VPN gateway will
    act as a responder and passively wait for the Windows 7 client to start the IKE negotiation.
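As an added example (not code from the original page or from strongSwan itself), a small Python parser for the ipsec.conf section format that resolves conn %default inheritance and then checks a conn against the settings the explanations above require for a Windows 7 EAP-MSCHAPv2 responder. The embedded configuration is a constructed copy of the two conn sections above.

```python
# Constructed copy of the two conn sections from the page (not a live /etc/ipsec.conf).
SAMPLE_IPSEC_CONF = """conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no

conn win7
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=vpnCert.pem
    leftid=@vpn.strongswan.org
    right=%any
    rightsourceip=10.10.3.0/24
    rightauth=eap-mschapv2
    #rightsendcert=never   # see note
    eap_identity=%any
    auto=add
"""

def parse_ipsec_conf(text):
    """Return {'conn <name>': {key: value}}; every conn inherits from 'conn %default'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments (also the commented-out option)
        if not line.strip():
            continue
        if not line[0].isspace():               # unindented line: 'conn <name>' or 'config setup'
            current = sections.setdefault(" ".join(line.split()), {})
        else:                                   # indented line: key=value belonging to the section
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    defaults = sections.get("conn %default", {})
    return {name: ({**defaults, **sec} if name.startswith("conn ") and name != "conn %default" else sec)
            for name, sec in sections.items()}

# Settings the page requires for a Windows 7 EAP-MSCHAPv2 responder conn; None means "must be set".
WIN7_EAP_EXPECTED = {"keyexchange": "ikev2", "leftauth": "pubkey", "rightauth": "eap-mschapv2",
                     "eap_identity": "%any", "rekey": "no", "auto": "add",
                     "leftcert": None, "rightsourceip": None}

def check_win7_conn(conf, conn="conn win7"):
    """List deviations of the resolved conn from WIN7_EAP_EXPECTED (empty when it matches)."""
    sec = conf[conn]
    return [f"{key}={sec.get(key)} (expected {'a value' if want is None else want})"
            for key, want in WIN7_EAP_EXPECTED.items()
            if (key not in sec if want is None else sec.get(key) != want)]
```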

Server RSA Private Key and Client Preshared EAP Credentials

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA vpnKey.pem

carol : EAP "abcd1234"
dave  : EAP "fghj5678"

In the example above the RSA private key file vpnKey.pem stored in the /etc/ipsec.d/private/
directory is not protected by symmetric encryption.

The format of the EAP MSCHAPv2 user credentials is

  [<domain>\]<username> : EAP "<plaintext password>"
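As an added example (not strongSwan code and not from the original page), a Python parser for the credential format just described, including the `: RSA <keyfile>` line, together with a small audit that flags a private key stored without a passphrase, as in the example above, and short plaintext passwords. The embedded secrets file and its identities are constructed.

```python
import re
# Constructed sample modelled on the page's /etc/ipsec.secrets (not a real secrets file).
SAMPLE_SECRETS = """# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA vpnKey.pem

carol : EAP "abcd1234"
dave  : EAP "fghj5678"
strongswan\\alice : EAP "zxcv0987"
"""

# [<domain>\]<username> : EAP "<plaintext password>"
_EAP_RE = re.compile(r'^(?:(?P<domain>[^\\\s:]+)\\)?(?P<user>[^\\\s:]+)\s*:\s*EAP\s+"(?P<password>[^"]*)"$')
# [<id>] : RSA <keyfile> ["<passphrase>"]  (no passphrase: the key file is stored unencrypted)
_RSA_RE = re.compile(r'^(?P<id>\S*)\s*:\s*RSA\s+(?P<keyfile>\S+)(?:\s+"(?P<passphrase>[^"]*)")?$')

def _strip_comment(raw):
    """Drop a '#' comment unless the '#' sits inside the quoted password."""
    quote, hash_ = raw.find('"'), raw.find('#')
    if hash_ != -1 and (quote == -1 or hash_ < quote):
        raw = raw[:hash_]
    return raw.strip()

def parse_secrets(text):
    """Parse ipsec.secrets into a list of EAP credential and RSA key entries."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        if (m := _EAP_RE.match(line)):
            entries.append({"type": "EAP", "line": lineno, **m.groupdict()})
        elif (m := _RSA_RE.match(line)):
            entries.append({"type": "RSA", "line": lineno, **m.groupdict()})
        else:
            raise ValueError(f"line {lineno}: unrecognised secrets entry {raw!r}")
    return entries

def audit_secrets(entries, min_len=12):
    """Flag RSA keys without a passphrase and EAP passwords shorter than min_len."""
    findings = []
    for e in entries:
        if e["type"] == "RSA":
            if e["passphrase"] is None:   # only /etc/ipsec.d/private/ file permissions protect it
                findings.append(f"line {e['line']}: key {e['keyfile']} is stored without a passphrase")
            continue
        name = f"{e['domain']}\\{e['user']}" if e["domain"] else e["user"]
        if len(e["password"]) < min_len:
            findings.append(f"line {e['line']}: password for {name} is shorter than {min_len} characters")
    return findings
```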

Assignment of Internal DNS and WINS Servers

# /etc/strongswan.conf - strongSwan configuration file

charon {
  dns1 = 62.2.17.60
  dns2 = 62.2.24.162
  nbns1 = 10.10.1.1
  nbns2 = 10.10.0.1
}

Windows 7 requests internal DNS and WINS server information from the strongSwan gateway via the IKEv2 Configuration Payload (CP).
Up to two IPv4 or IPv6 DNS and WINS servers can be defined in the /etc/strongswan.conf configuration file.