strongSwan Configuration for Multiple Windows 7 Clients¶
Connection Definitions¶
# ipsec.conf - strongSwan IPsec configuration file conn win7 leftcert=aCert.pem leftsubnet=192.168.0.0/24 rightsourceip=192.168.1.0/24 keyexchange=ikev2 auto=add
- leftcert=aCert.pem
The X.509 certificate of the VPN gateway stored per default in the /etc/ipsec.d/certs/ directory.
- leftsubnet=192.168.0.0/24
The protected network hidden behind the VPN gateway. The Windows 7 client always sends a
0.0.0.0/0 traffic selector that is automatically narrowed by the VPN gateway to
the actual leftsubnet definition. Multiple traffic selectors of the form
leftsubnet=192.168.0.0/24,192.168.2.0/24 are also possible. If all IP traffic is
to be tunneled, define leftsubnet=0.0.0.0/0.
- rightsourceip=192.168.1.0/24
Windows 7 clients always request a virtual IP address via the IKEv2 configuration payload (CP).
The VPN gateway automatically assigns virtual IP addresses out of an address pool defined by rightsourceip.
- keyexchange=ikev2
Windows 7 uses the IKEv2 protocol to set up the IPsec tunnel. The default value of keyexchange
is ike, which allows both IKEv1 and IKEv2, but makes charon initiate all connections with IKEv2.
- auto=add
The connection win7 is parsed and loaded by the the IKEv2 charon daemon but the VPN gateway will
act as a responder and passively wait for the Window 7 client to start the IKE negotiation.
Authentication with RSA Private Key¶
# /etc/ipsec.secrets - strongSwan IPsec secrets file : RSA aKey.pem "f4Dgs2uY5Ne7KS0E"
If the RSA private key file stored in the /etc/ipsec.d/private/ directory is protected by
symmetric encryption, then the passphrase must be added as an additional argument.
Assignment of Internal DNS and WINS Servers¶
# /etc/strongswan.conf - strongSwan configuration file charon { dns1 = 192.168.0.100 dns2 = 192.168.0.101 nbns1 = 192.168.0.150 nbns2 = 192.168.0.151 }
Windows 7 requests internal DNS and WINS server information from the strongSwan gateway via the IKEv2 Configuration Payload (CP).
Up to two IPv4 or IPv6 DNS and WINS servers can be defined in the /etc/strongswan.conf configuration file starting with
strongSwan-4-2.12.
A better way to configure this is using the Attrplugin or attrsql plugin.