This is an easy to follow how-to guide to connecting Windows Vista with a strongSwan IPsec gateway.
Comment: No dyndns support¶
As Windows Vista will only allow you to specify endpoints by IP, it seems to be impossible to connect to servers with dynamic IP-addresses, you have to use third-party IPSec implementations in this case. Furthermore, the scenario should be tweaked so that the IP address of the road warrior is not fixed.
Road Warrior Scenario (PSK)¶
The scenario we want to implement is that of a typical road warrior. strongSwan is used as gateway (moon) and Windows Vista will serve as road warrior (carol). A pre-shared key (PSK) will be used to authenticate the two parties. The gateway will provide access to the 10.1.0.0/16 network. This situation is shown in the following image.
The required configuration in /etc/ipsec.conf is as follow:
conn vista left=%defaultroute leftsubnet=10.1.0.0/16 right=%any authby=secret auto=add
Since Windows Vista does not implement Perfect Forward Secrecy it's important to add pfs=no when using the old IKEv1 daemon pluto. With 5.x you may not configure any DH group in the ESP proposal.
The PSK is stored in /etc/ipsec.secrets:
: PSK "strongSwan"
Windows Vista Configuration¶
IPsec in Vista is configured in a Microsoft Management Console (MMC) module called Windows Firewall with Advanced Security. This module is started via Control Panel - Administrative Tools or directly by running wf.msc. The following screenshot shows the first option (click the image to view it in its original size).
The window shown in the next screenshot should show up.
General IPsec Settings¶
As illustrated in the above screenshot, we first have to configure some general settings. So, right-click the root node and select Properties. In the dialog that shows up, select the tab IPsec Settings and click Customize... (see next screenshots). What we want to change are the Quick Mode settings - select Advanced and click Customize....
By default Vista tries to create an AH Child SA. Since we want our Child SA to be secured by ESP, tick the corresponding checkbox, as shown in the next screen capture.
Confirm all dialogs with OK.
Creating a Connection Security Rule¶
Now, we are ready to create a new Connection Security Rule. Select the equally named item in the tree and click New Rule... in the actions pane on the right.
This loads the wizard shown in the next screenshot. What we like to create is a Tunnel - select that option and click Next >.
The next page of the wizard is the most important one. It defines which networks need to be secured and between what hosts the tunnel shall be created. We want all traffic between our host (referring to the overview, 192.168.0.100) and the 10.1.0.0/16 network to be secured. The tunnel is between our host and the gateway (192.168.0.1). It is important to provide the exact same settings as defined in the /etc/ipsec.conf, it won't work otherwise. Click next if you are done.
As defined in the strongSwan configuration, authentication is done by PSK. Select that option and type in the key (again, this has to be exactly the same as in /etc/ipsec.secrets).
Just confirm the next wizard page by clicking Next > and, finally, choose a name and click Finish.
That's it. If you want to check whether there is currently an active connection, expand Monitoring and then Security Associations in the left tree and check whether there are any Main or Quick Mode SAs established.
Testing the Setup¶
To test the setup we need to generate traffic between Vista and one of the hosts in the target network. A simple ping 10.1.0.1 should do and should produce something similar to the following output.
Note that the first ping just serves as a trigger to initiate the IPsec connection.