strongSwan Configuration for Multiple Windows 7 Clients with User Certificates

Connection Definitions

# ipsec.conf - strongSwan IPsec configuration file

conn win7
     leftcert=aCert.pem
     leftauth=pubkey
     leftsubnet=192.168.0.0/24
     right=%any
     rightauth=eap-tls
     rightsendcert=never
     rightsourceip=192.168.1.0/24
     eap_identity=%any
     keyexchange=ikev2
     auto=add

  • leftcert=aCert.pem
    The X.509 certificate of the VPN gateway stored per default in the /etc/ipsec.d/certs/ directory.
  • leftauth=pubkey
    Unlike strongSwan, Windows does not support mutual EAP authentication (RFC 5998), so the server is authenticated with regular public key authentication.
  • rightauth=eap-tls
    Use EAP-TLS to authenticate the client with certificates. Requires the eap-tls plugin (client authentication can also be delegated to a separate RADIUS server using the eap-radius plugin).
  • leftsubnet=192.168.0.0/24
    The protected network hidden behind the VPN gateway. The Windows 7 client always sends a
    0.0.0.0/0 traffic selector that is automatically narrowed by the VPN gateway to
    the actual leftsubnet definition. Multiple traffic selectors of the form
    leftsubnet=192.168.0.0/24,192.168.2.0/24 are also possible. If all IP traffic is
    to be tunneled, define leftsubnet=0.0.0.0/0.
  • right=%any
    Since the IP address of a Windows 7 remote access client is usually assigned dynamically
    by the current ISP, any peer address is accepted. If no rightid is defined, then any
    peer presenting a certificate signed by one of the trusted authorities stored in
    /etc/ipsec.d/cacerts/ will be accepted.
  • rightsendcert=never
    No certificates are expected during the IKE exchange itself (the client certificate is sent inside the EAP-TLS exchange);
    this prevents the daemon from sending certificate requests for the installed CA certificates.
  • rightsourceip=192.168.1.0/24
    Windows 7 clients always request a virtual IP address via the IKEv2 configuration payload (CP).
    The VPN gateway automatically assigns virtual IP addresses out of an address pool defined by rightsourceip.
  • eap_identity=%any
    The strongSwan gateway uses the EAP Identity protocol to request an EAP identity that may differ from
    the peer's IKEv2 identity.
  • keyexchange=ikev2
    Windows 7 uses the IKEv2 protocol to set up the IPsec tunnel. The default value of keyexchange
    is ikev1.
  • auto=add
    The connection win7 is parsed and loaded by the IKEv2 charon daemon, but the VPN gateway
    acts as a responder and passively waits for the Windows 7 client to start the IKE negotiation.
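As an added example that is not part of the original page or of strongSwan itself: a small Python checker that parses the conn sections of an ipsec.conf and reports which of the settings described above are missing or differ. The REQUIRED table and the second conn (win7-incomplete) are constructed for this example; the first conn in the sample is the one from this page.

```python
import re
# Settings this page calls out for a Windows 7 / EAP-TLS responder conn (constructed table).
REQUIRED = {
    "keyexchange": ("ikev2", "Windows 7 uses IKEv2; ipsec.conf defaults to ikev1"),
    "leftauth": ("pubkey", "Windows has no mutual EAP (RFC 5998)"),
    "rightauth": ("eap-tls", "client certificates are verified inside EAP-TLS"),
    "rightsendcert": ("never", "client cert arrives in EAP-TLS, not the IKE exchange"),
    "eap_identity": ("%any", "EAP identity may differ from the IKEv2 identity"),
}

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section, comments stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():            # section header at column 0
            m = re.match(r"conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif line and current is not None and "=" in line:   # indented key=value
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def check_win7_eap_tls(conn):
    """Return findings for one conn dict; an empty list means it matches this profile."""
    findings = [f"{k}={conn.get(k)!r}, expected {want!r}: {why}"
                for k, (want, why) in REQUIRED.items() if conn.get(k) != want]
    if "leftcert" not in conn:
        findings.append("leftcert missing: gateway has no certificate for pubkey auth")
    if "rightsourceip" not in conn:
        findings.append("rightsourceip missing: Windows 7 always requests a virtual IP")
    return findings

# Constructed sample: the page's conn, plus one that left IKEv2 and cert settings at defaults.
SAMPLE = """conn win7
     leftcert=aCert.pem
     leftauth=pubkey
     leftsubnet=192.168.0.0/24
     right=%any
     rightauth=eap-tls
     rightsendcert=never
     rightsourceip=192.168.1.0/24
     eap_identity=%any
     keyexchange=ikev2
     auto=add
conn win7-incomplete
     leftcert=aCert.pem
     rightauth=eap-tls
     auto=add"""
REPORT = {name: check_win7_eap_tls(conn) for name, conn in parse_ipsec_conf(SAMPLE).items()}
```

REPORT maps each conn name to its list of findings; the page's conn yields an empty list, the incomplete one lists every setting that fell back to a default Windows 7 cannot use.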

Authentication with RSA Private Key

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA aKey.pem "f4Dgs2uY5Ne7KS0E"

If the RSA private key file stored in the /etc/ipsec.d/private/ directory is protected by
symmetric encryption, then the passphrase must be added as an additional argument.

Assignment of Internal DNS and WINS Servers

# /etc/strongswan.conf - strongSwan configuration file

charon {
  dns1 = 192.168.0.100
  dns2 = 192.168.0.101
  nbns1 = 192.168.0.150
  nbns2 = 192.168.0.151
}

Windows 7 requests internal DNS and WINS server information from the strongSwan gateway via the IKEv2 Configuration Payload (CP).
DNS servers can also be assigned with the rightdns option in ipsec.conf since strongSwan 5.0.1.