2. Generate the certificates with the following commands (replace vpn.example.com with your actual domain name or IP address). (Source: http://serverfault.com/questions/536092/strongswan-ikev2-windows-7-agile-vpn-what-is-causing-error-13801)
ipsec pki --gen --type rsa --size 4096 --outform pem > vpnca.key.pem
ipsec pki --self --flag serverAuth --in vpnca.key.pem --type rsa --digest sha1 \
--dn "C=US, O=Example Company, CN=Example VPN CA" --ca > vpnca.crt.der
ipsec pki --gen --type rsa --size 4096 --outform pem > vpn.example.com.key.pem
ipsec pki --pub --in vpn.example.com.key.pem --type rsa > vpn.example.com.csr
ipsec pki --issue --cacert vpnca.crt.der --cakey vpnca.key.pem --digest sha1 \
--dn "C=US, O=Example Company, CN=vpn.example.com" \
--san "vpn.example.com" --flag serverAuth --outform pem \
< vpn.example.com.csr > vpn.example.com.crt.pem
openssl rsa -in vpn.example.com.key.pem -out vpn.example.com.key.der -outform DER
sudo cp vpnca.crt.der /etc/ipsec.d/cacerts
sudo cp vpn.example.com.crt.pem /etc/ipsec.d/certs
sudo cp vpn.example.com.key.der /etc/ipsec.d/private
3. Import the vpnca.crt.der file generated above into the Windows certificate store (as a CER file). To install the trusted CA certificate locally, open the Microsoft Management Console (mmc) and add the Certificates snap-in. It is of the utmost importance that you select Computer account. Then go to the Certificates (Local Computer) / Trusted Root Certification Authorities / Certificates folder and select the Import action, which starts the Certificate Import Wizard. (Source: https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapCert)
4. Edit /etc/ipsec.conf to be as follows: (source: https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig)
# ipsec.conf - strongSwan IPsec configuration file

config setup
    plutostart=no

conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no

conn win7
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    # the server certificate copied to /etc/ipsec.d/certs in step 2
    leftcert=vpn.example.com.crt.pem
    # must match the CN/SAN of the certificate issued in step 2
    leftid=@vpn.example.com
    right=%any
    rightsourceip=10.10.3.0/24
    rightauth=eap-mschapv2
    #rightsendcert=never # see note
    eap_identity=%any
    auto=add
5. Edit /etc/strongswan.conf to be as follows:
charon {
    dns1 = 8.8.8.8
    dns2 = 4.2.2.1
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
6. Edit /etc/ipsec.secrets to be as follows (make sure there is a space between the name and the ":", otherwise strongswan won't recognize the name):
: RSA vpn.example.com.key.der
carol : EAP "abcd1234"
dave : EAP "fghj5678"
7. Run ipsec start, then use ipsec status or ipsec statusall to check the status.
8. Set ip_forward to 1 on the server and add a NAT rule:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
9. Server configuration is complete. Follow this guide to configure your Windows 7 client: http://support.purevpn.com/how-to-setup-purevpn-manually-on-windows-7-ikev2 or this one: https://supportforums.cisco.com/document/98366/flexvpn-ikev2-windows-7-builtin-client-ios-headend-part-i-certificate-authentication
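Before running ipsec start it is worth checking that the files from steps 2, 4 and 6 agree with each other. The following Python checker is an added example, not part of the original post or of strongSwan: it parses ipsec.conf and ipsec.secrets text and reports a secret name glued to its ":" (the pitfall noted in step 6) and a leftcert or RSA key that does not match the files copied into /etc/ipsec.d in step 2. The sample files and directory listings are constructed inline.

```python
# Added example (not from the original post or strongSwan): checks that the ipsec.conf
# and ipsec.secrets written in steps 4 and 6 agree with the files installed in step 2.
import re

def parse_secrets(text):
    """Return (findings, rsa_key_files); 'carol:' instead of 'carol :' is a finding."""
    findings, keys = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        ids, sep, rest = line.partition(':')
        if not sep or (ids and not ids.endswith(' ')):
            findings.append(f"secrets:{n}: name must be followed by ' :' ({line.split()[0]!r})")
        tokens = rest.split()
        if tokens[:1] == ['RSA'] and len(tokens) > 1:
            keys.append(tokens[1])
    return findings, keys

def parse_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' block of ipsec.conf."""
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        m = re.match(r'conn\s+(\S+)$', line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif line.startswith('config '):
            cur = None
        elif cur is not None and '=' in line:
            key, value = line.split('=', 1)
            cur[key.strip()] = value.strip()
    return conns

def check(conf_text, secrets_text, certs_dir, private_dir):
    """certs_dir / private_dir: names of the files present in /etc/ipsec.d/{certs,private}."""
    findings, keys = parse_secrets(secrets_text)
    findings += [f"secrets: RSA key {k!r} not in /etc/ipsec.d/private" for k in keys if k not in private_dir]
    for name, conn in parse_conf(conf_text).items():
        cert = conn.get('leftcert')
        if cert and cert not in certs_dir:
            findings.append(f"conn {name}: leftcert {cert!r} not in /etc/ipsec.d/certs")
    return findings

# Constructed sample: the step-4 conn and step-6 secrets with two typical slips.
SAMPLE_CONF = "conn win7\n    leftcert=vpnCert.pem\n    rightauth=eap-mschapv2\n"
SAMPLE_SECRETS = ': RSA vpn.example.com.key.der\ncarol: EAP "abcd1234"\n'

def demo():
    return check(SAMPLE_CONF, SAMPLE_SECRETS, {'vpn.example.com.crt.pem'}, {'vpn.example.com.key.der'})
```

demo() returns two findings for the sample: the glued "carol:" name and a leftcert that names no file in /etc/ipsec.d/certs; an empty list means the three files are consistent.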