StrongSwan: Difference between revisions

(6 intermediate revisions by the same user not shown)

Line 102:

# Change the permissions of the private key, so that only root can access it:

#:<pre>chmod 600 client1Key.pem</pre>

# Now we have the private key, generate the ~~server~~ certificate:

# Now we have the private key, generate the client certificate:

#:<pre>pki --issue --in client1Key.der --type priv --cacert caCert.der --cakey caKey.der --dn "C=GB, O=strongSwan, CN=client1.freddythechick.net" --san "client1.freddythechick.net" --lifetime 1825 --outform pem> client1Cert.pem</pre>

The <code>CN</code> in the DN this time can be anything for the Windows client. No flags are required.

One of these must be created for each client you would like to connect to the server. '''Keep the CA key secure ~~but safe~~ as this will be needed each time you want to sign a client certificate.'''

One of these must be created for each client you would like to connect to the server. '''Keep the CA key secure as this will be needed each time you want to sign a client certificate.'''

== Packaging the required certificates and keys for Windows ==

Line 235:

= Configuring Windows =

This part is arguably the more trickier part of the procedure. The Windows "Agile VPN" client has particular ways it must be configured or the VPN connection will fail. Error messages emitted when the connection fails are generally unhelpful and need manual troubleshooting to find the problem. If followed correctly, these procedures will allow you to connect successfully first time.

This part is arguably the more trickier part of the procedure. The Windows "Agile VPN" client has particular ways it must be configured or the VPN connection will fail. Error messages emitted when the connection fails are generally unhelpful and need manual troubleshooting to find the problem. If followed correctly, these procedures will allow you to connect successfully first time. These instructions work for Windows >7.

== Installing the certificates ==

Line 258:

== Making the VPN profile ==

Windows 10 ~~has two ways of making~~ a new VPN profile, via the Control Panel or ~~via~~ the Settings App. We will be using the Control Panel method as this allows more control of the profile.

Windows >7 can make a new VPN profile via the Control Panel. Windows 10 can make a new VPN profile both via the Control Panel or the Settings App. We will be using the Control Panel method as this allows more control of the profile.

* Open the Control Panel. Change to the Large Icon view if needed.

Line 285:

== Configuring strong encryption/ECDSA for the VPN connection ==

Windows PowerShell is used to change the encryption settings for the VPN connection.

Windows PowerShell is used to change the encryption settings for the VPN connection. This only works on Windows 10 machines as these support the newer ciphers whereas Windows <10 does not support them so well.

* In the Start menu, type "powershell". [[File:Administrator_Shield.png]] Click "Windows PowerShell" when it appears. It may take a few moments for the prompt to be appear and become ready to use.

Line 316:

'''NOTE: This doesn't seem to have any effect on Windows 10 if your are manually configuring the connection with PowerShell.'''

There is a Windows registry key that may need to be enabled to allow the use of stronger encryption settings. It is not clear at this stage if these settings are required, but the instructions are left here in case they are needed.

There is a Windows registry key that may need to be enabled to allow the use of stronger encryption settings. It is not clear at this stage if these settings are required, but the instructions are left here in case they are needed. These settings are, however, needed for Windows 7 clients which falls back to weak encryption if this is not configured and is probably needed since StrongSwan doesn't support the weak ciphers proposed by Windows 7 any more.

* Press {{key press|Win~~}}+{{key press~~|R}} to open the Run box.

* Press {{key press|Win|R}} to open the Run box.

* [[File:Administrator_Shield.png]] Type <code>regedit</code> and click OK.

* Navigate to the following registry path:

@@ Line 102: / Line 102: @@
 # Change the permissions of the private key, so that only root can access it:
 #:<pre>chmod 600 client1Key.pem</pre>
-# Now we have the private key, generate the server certificate:
+# Now we have the private key, generate the client certificate:
 #:<pre>pki --issue --in client1Key.der --type priv --cacert caCert.der --cakey caKey.der --dn "C=GB, O=strongSwan, CN=client1.freddythechick.net" --san "client1.freddythechick.net" --lifetime 1825 --outform pem> client1Cert.pem</pre>
 The <code>CN</code> in the DN this time can be anything for the Windows client. No flags are required.
-One of these must be created for each client you would like to connect to the server. '''Keep the CA key secure but safe as this will be needed each time you want to sign a client certificate.'''
+One of these must be created for each client you would like to connect to the server. '''Keep the CA key secure as this will be needed each time you want to sign a client certificate.'''
 == Packaging the required certificates and keys for Windows ==
@@ Line 235: / Line 235: @@
 = Configuring Windows =
-This part is arguably the more trickier part of the procedure. The Windows "Agile VPN" client has particular ways it must be configured or the VPN connection will fail. Error messages emitted when the connection fails are generally unhelpful and need manual troubleshooting to find the problem. If followed correctly, these procedures will allow you to connect successfully first time.
+This part is arguably the more trickier part of the procedure. The Windows "Agile VPN" client has particular ways it must be configured or the VPN connection will fail. Error messages emitted when the connection fails are generally unhelpful and need manual troubleshooting to find the problem. If followed correctly, these procedures will allow you to connect successfully first time. These instructions work for Windows >7.
 == Installing the certificates ==
@@ Line 258: / Line 258: @@
 == Making the VPN profile ==
-Windows 10 has two ways of making a new VPN profile, via the Control Panel or via the Settings App. We will be using the Control Panel method as this allows more control of the profile.
+Windows >7 can make a new VPN profile via the Control Panel. Windows 10 can make a new VPN profile both via the Control Panel or the Settings App. We will be using the Control Panel method as this allows more control of the profile.
 * Open the Control Panel. Change to the Large Icon view if needed.
@@ Line 285: / Line 285: @@
 == Configuring strong encryption/ECDSA for the VPN connection ==
-Windows PowerShell is used to change the encryption settings for the VPN connection.
+Windows PowerShell is used to change the encryption settings for the VPN connection. This only works on Windows 10 machines as these support the newer ciphers whereas Windows <10 does not support them so well.
 * In the Start menu, type "powershell". [[File:Administrator_Shield.png]] Click "Windows PowerShell" when it appears. It may take a few moments for the prompt to be appear and become ready to use.
@@ Line 316: / Line 316: @@
 '''NOTE: This doesn't seem to have any effect on Windows 10 if your are manually configuring the connection with PowerShell.'''
-There is a Windows registry key that may need to be enabled to allow the use of stronger encryption settings. It is not clear at this stage if these settings are required, but the instructions are left here in case they are needed.
+There is a Windows registry key that may need to be enabled to allow the use of stronger encryption settings. It is not clear at this stage if these settings are required, but the instructions are left here in case they are needed. These settings are, however, needed for Windows 7 clients which falls back to weak encryption if this is not configured and is probably needed since StrongSwan doesn't support the weak ciphers proposed by Windows 7 any more.
-* Press {{key press|Win}}+{{key press|R}} to open the Run box.
+* Press {{key press|Win|R}} to open the Run box.
 * [[File:Administrator_Shield.png]] Type <code>regedit</code> and click OK.
 * Navigate to the following registry path: