StrongSwan: Difference between revisions

Line 117:

* <code>leftsubnet=0.0.0.0/0</code> forwards everything over the tunnel. If you want to narrow this to only your network and not everything (including the internet), this can be narrowed. For example, <code>leftsubnet=192.168.0.0/24</code>.

== <code>/etc/ipsec.secrets</code>

== <code>/etc/ipsec.secrets</code> ==

This file points to the private key of the server.

Line 159:

* Make sure the "Allow other people to use this connection" tick box is checked. You may need administrator credentials to continue.

* Click Create. Your new profile will then be created.

Remember that the DNS name you type here '''MUST''' match the DNS name you specified eariler on the certificate under <code>CN</code> in the DN and the SAN.

You '''MUST''' click the "Allow other people to use this connection" tick box so that it becomes a system wide connection and it can use the Machine Certificates.

We must now set the connection to use IKEv2.

Line 165:

Line 169:

* There will be a new connection created here with the name you gave it earlier. Right click on the connection and click Properties. You may need administrator credentials to change this.

* Click on the Security tab.

* Under the "Type of VPN" dropdown menu, change the type to IKEv2. The options under "Authentication" should change. Click and select the Use machine certificates radio button. Then click OK.

The connection is now ready.

== Configuring strong encryption/ECDSA for the VPN connection ==

Windows PowerShell is used to change the encryption settings for the VPN connection.

* In the Start menu, type "powershell". Click "Windows PowerShell" when it appears. It may take a few moments for the prompt to be appear and become ready to use.

* The following code snippet needs to be typed in to change the encryption settings for the VPN settings

Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN Connection" -AuthenticationTransformConstant

s GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod GCMAES256 -IntegrityCheckMethod SHA384 -DHGroup ECP384

-PfsGroup none -PassThru -AllUserConnection

* Press the Enter key.

* Type Y to confirm the settings and press the Enter key.

* The following will be returned by PowerShell:

AuthenticationTransformConstants : GCMAES256

CipherTransformConstants : GCMAES256

DHGroup : ECP384

IntegrityCheckMethod : SHA384

PfsGroup : None

EncryptionMethod : GCMAES256

* The connection should now be ready to use!

= Miscellanious Settings =

There is a Windows registry key that may need to be enabled to allow the use of stronger encryption settings. It is not clear at this stage if these settings are required, but the instructions are left here in case they are needed.

* Press WinKey+R to open the Run box.

* Type <code>regedit</code> and click OK. Administrator credentials may be required to open this program.

* Navigate to the following registry path:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\

* Right-click in the right pane, hover over New and click DWORD (32-bit) Value.

* Give the new key the name <code>NegotiateDH2048_AES256</code>.

* Double-click the key to open the key. In the value box, change the 0 to a 2. Click OK.

* Close the Registry Editor

* Restart the machine.

@@ Line 117: / Line 117: @@
 * <code>leftsubnet=0.0.0.0/0</code> forwards everything over the tunnel. If you want to narrow this to only your network and not everything (including the internet), this can be narrowed. For example, <code>leftsubnet=192.168.0.0/24</code>.
-== <code>/etc/ipsec.secrets</code>
+== <code>/etc/ipsec.secrets</code> ==
 This file points to the private key of the server.
@@ Line 159: / Line 159: @@
 * Make sure the "Allow other people to use this connection" tick box is checked. You may need administrator credentials to continue.
 * Click Create. Your new profile will then be created.
+Remember that the DNS name you type here '''MUST''' match the DNS name you specified eariler on the certificate under <code>CN</code> in the DN and the SAN.
+You '''MUST''' click the "Allow other people to use this connection" tick box so that it becomes a system wide connection and it can use the Machine Certificates.
 We must now set the connection to use IKEv2.
@@ Line 165: / Line 169: @@
 * There will be a new connection created here with the name you gave it earlier. Right click on the connection and click Properties. You may need administrator credentials to change this.
 * Click on the Security tab.
+* Under the "Type of VPN" dropdown menu, change the type to IKEv2. The options under "Authentication" should change. Click and select the Use machine certificates radio button. Then click OK.
+The connection is now ready.
+== Configuring strong encryption/ECDSA for the VPN connection ==
+Windows PowerShell is used to change the encryption settings for the VPN connection.
+* In the Start menu, type "powershell".  Click "Windows PowerShell" when it appears. It may take a few moments for the prompt to be appear and become ready to use.
+* The following code snippet needs to be typed in to change the encryption settings for the VPN settings
+ Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN Connection" -AuthenticationTransformConstant
+s GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod GCMAES256 -IntegrityCheckMethod SHA384 -DHGroup ECP384
+ -PfsGroup none -PassThru -AllUserConnection
+* Press the Enter key.
+* Type Y to confirm the settings and press the Enter key.
+* The following will be returned by PowerShell:
+ AuthenticationTransformConstants : GCMAES256
+ CipherTransformConstants         : GCMAES256
+ DHGroup                          : ECP384
+ IntegrityCheckMethod             : SHA384
+ PfsGroup                         : None
+ EncryptionMethod                 : GCMAES256
+* The connection should now be ready to use!
+= Miscellanious Settings =
+There is a Windows registry key that may need to be enabled to allow the use of stronger encryption settings. It is not clear at this stage if these settings are required, but the instructions are left here in case they are needed.
+* Press WinKey+R to open the Run box.
+* Type <code>regedit</code> and click OK. Administrator credentials may be required to open this program.
+* Navigate to the following registry path:
+ HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\
+* Right-click in the right pane, hover over New and click DWORD (32-bit) Value.
+* Give the new key the name <code>NegotiateDH2048_AES256</code>.
+* Double-click the key to open the key. In the value box, change the 0 to a 2. Click OK.
+* Close the Registry Editor
+* Restart the machine.