2. Generate the certificates with the following commands (change vpn.example.com to your actual domain name or IP address) (source: http://serverfault.com/questions/536092/strongswan-ikev2-windows-7-agile-vpn-what-is-causing-error-13801)
# CA: generate a 4096-bit RSA key and a self-signed CA certificate (DER is the default output format)
ipsec pki --gen --type rsa --size 4096 --outform pem > vpnca.key.pem
ipsec pki --self --flag serverAuth --in vpnca.key.pem --type rsa --digest sha1 \
--dn "C=US, O=Example Company, CN=Example VPN CA" --ca > vpnca.crt.der
# Server: generate the key and extract its public key (the file fed to --issue below)
ipsec pki --gen --type rsa --size 4096 --outform pem > vpn.example.com.key.pem
ipsec pki --pub --in vpn.example.com.key.pem --type rsa > vpn.example.com.csr
# Issue the server certificate; the SAN must equal the name the Windows client connects to
ipsec pki --issue --cacert vpnca.crt.der --cakey vpnca.key.pem --digest sha1 \
--dn "C=US, O=Example Company, CN=vpn.example.com" \
--san "vpn.example.com" --flag serverAuth --outform pem \
< vpn.example.com.csr > vpn.example.com.crt.pem
# Convert the server key to DER and install everything where charon looks for it
openssl rsa -in vpn.example.com.key.pem -out vpn.example.com.key.der -outform DER
sudo cp vpnca.crt.der /etc/ipsec.d/cacerts
sudo cp vpn.example.com.crt.pem /etc/ipsec.d/certs
sudo cp vpn.example.com.key.der /etc/ipsec.d/private
3. Import the vpnca.crt.der file generated above into the Windows certificate store (as a CER file). To install the trusted CA certificate locally, open the Microsoft Management Console (mmc) and add the Certificates snap-in. It is of the utmost importance that you select Computer account. Go into the Certificates (Local Computer) / Trusted Root Certification Authorities / Certificates folder and select the Import action, which starts the Certificate Import Wizard (https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapCert).
4. Edit /etc/ipsec.conf to be as follows (source: https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig). Parameter lines must be indented; an unindented line starts a new section:
# ipsec.conf - strongSwan IPsec configuration file
config setup
    # only meaningful on strongSwan 4.x; 5.x has no pluto daemon
    plutostart=no

conn %default
    keyexchange=ikev2
    # IKE and ESP proposals; the trailing "!" makes the list strict
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no

conn win7
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    # the server certificate copied to /etc/ipsec.d/certs in step 2
    leftcert=vpn.example.com.crt.pem
    # must match the SAN of that certificate and the name the client connects to
    leftid=@vpn.example.com
    right=%any
    rightsourceip=10.10.3.0/24
    rightauth=eap-mschapv2
    #rightsendcert=never # see note
    eap_identity=%any
    auto=add
5. Edit /etc/strongswan.conf to be as follows:
charon {
    dns1 = 8.8.8.8
    dns2 = 4.2.2.1
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
6. Edit /etc/ipsec.secrets to be as follows (make sure there is a space between the name and the ":", otherwise strongswan won't recognize the name):
: RSA vpn.example.com.key.der
carol : EAP "abcd1234"
dave : EAP "fghj5678"
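The two places where this setup silently breaks are a leftcert/leftid in step 4 that does not name the certificate issued in step 2, and a missing space before the ":" in step 6's ipsec.secrets. The consistency check below catches both; it is an added example, not part of the original post or of strongSwan, and the ipsec.conf, secrets, directory listing and SAN set it reads are constructed samples rather than files from a live host.

```python
import re

# Constructed inputs (not from a live system): the step-4 conn versus the step-2 file names.
IPSEC_CONF = """\
conn %default
    keyexchange=ikev2
conn win7
    leftauth=pubkey
    leftcert=vpnCert.pem
    leftid=@vpn.strongswan.org
"""
IPSEC_SECRETS = ': RSA vpn.example.com.key.der\ncarol : EAP "abcd1234"\ndave: EAP "fghj5678"\n'
INSTALLED = {"certs": {"vpn.example.com.crt.pem"}, "private": {"vpn.example.com.key.der"}}
SERVER_SANS = {"vpn.example.com"}  # SAN entries of the issued server certificate
# One secrets entry: optional ids, ':' surrounded by whitespace, a type, a value.
SECRET_RE = re.compile(r'^(?:(?P<ids>\S.*?)\s+)?:\s+(?P<type>RSA|EAP|PSK)\s+(?P<value>\S.*)$')

def parse_ipsec_conf(text):
    """Map 'conn name' / 'config setup' -> {param: value}; parameter lines must be indented."""
    sections, current = {}, None
    stripped = (raw.split("#", 1)[0].rstrip() for raw in text.splitlines())  # drop comments
    for line in filter(str.strip, stripped):                                 # skip blank lines
        if not line[0].isspace():                    # unindented line = section header
            current = " ".join(line.split())
            sections.setdefault(current, {})
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()   # KeyError if no section yet
    return sections

def lint(conf_text, secrets_text, installed, server_sans):
    """Return findings as strings; an empty list means the two files agree."""
    findings = []
    for name, params in parse_ipsec_conf(conf_text).items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        cert = params.get("leftcert")
        if cert and cert not in installed["certs"]:
            findings.append(f"{name}: leftcert {cert} is not in /etc/ipsec.d/certs")
        ident = params.get("leftid", "").lstrip("@")
        if ident and ident not in server_sans:
            findings.append(f"{name}: leftid {ident} is not a SAN of the server cert")
    for lineno, line in enumerate(secrets_text.splitlines(), 1):
        m = SECRET_RE.match(line)
        if not m:
            findings.append(f"ipsec.secrets:{lineno}: need '<ids> : <TYPE> <value>' with spaces around ':'")
        elif m["type"] == "RSA" and m["value"] not in installed["private"]:
            findings.append(f"ipsec.secrets:{lineno}: key {m['value']} is not in /etc/ipsec.d/private")
    return findings
```

Running lint on the constructed inputs reports the wrong leftcert, the wrong leftid and the malformed "dave:" line; fixing those three gives an empty result.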
7. Run ipsec start, then use ipsec status or ipsec statusall to check the status.
8. Set ip_forward to 1 on the server (net.ipv4.ip_forward) and add a NAT rule:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
9. Server configuration is complete. Follow this guide to configure your Windows 7 client: http://support.purevpn.com/how-to-setup-purevpn-manually-on-windows-7-ikev2 or this guide: https://supportforums.cisco.com/document/98366/flexvpn-ikev2-windows-7-builtin-client-ios-headend-part-i-certificate-authentication