StrongSwan: Difference between revisions

m Saved progress so far


Allow any dependencies the package asks for.
IKEv2 requires UDP ports 500 and 4500 to be forwarded/opened in the firewall.


= Creating the certificates =
#:<pre>openssl pkcs12 -export -inkey private/client1key.pem -in certs/client1cert.pem -name "Windows Client 1 VPN Certificate" -certfile cacerts/CAcert.pem -caname "strongSwan Root CA" -out client1.p12</pre>
# Type a password you will remember when asked. This will protect the private key while it is in transit.
# Retype the password you just typed.


The name field gives the certificate a friendly name when installed in Windows and can be anything. The p12 file needs to be copied locally to the Windows machine that the certificates and keys need installing on.
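The following shell function is an added example, not part of the original page: it wraps the export step above with the checks a practitioner wants before handing a bundle to a client, verifying that the client key matches its certificate and that the certificate chains to the CA, then confirming the resulting .p12 carries both the client certificate and the CA certificate. Paths follow the page's layout; the function name and the password argument (passed instead of typed at the prompt) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): bundle a client's key and
# certificate into a PKCS#12 file for a Windows IKEv2 client, checking first
# that the key matches the certificate and that the certificate was issued
# by the strongSwan root CA. Assumes the page's directory layout
# (private/, certs/, cacerts/) already holds the key, cert and CA cert.
set -eu

# make_client_p12 NAME FRIENDLY_NAME PASSWORD
#   NAME is the basename used on the page, e.g. client1
#   prints the output file name on success, returns 1 on any failed check
make_client_p12() {
    name="$1"; friendly="$2"; pass="$3"
    key="private/${name}key.pem"
    cert="certs/${name}cert.pem"
    ca="cacerts/CAcert.pem"

    # 1. The certificate must chain to our CA, not to some other issuer.
    openssl verify -CAfile "$ca" "$cert" >/dev/null || {
        echo "$cert does not chain to $ca" >&2; return 1; }

    # 2. The private key must belong to this certificate (compare public keys).
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$cert" -noout -pubkey)" ] || {
        echo "key/cert mismatch for $name" >&2; return 1; }

    # 3. Export, including the CA so Windows can build the chain; the
    #    password protects the private key while the file is in transit.
    openssl pkcs12 -export -inkey "$key" -in "$cert" -name "$friendly" \
        -certfile "$ca" -caname "strongSwan Root CA" \
        -passout "pass:$pass" -out "${name}.p12"

    # 4. Confirm the bundle holds two certificates (client + CA).
    n=$(openssl pkcs12 -in "${name}.p12" -passin "pass:$pass" -nokeys \
        | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$n" -eq 2 ] || { echo "expected 2 certs in bundle, got $n" >&2; return 1; }
    echo "${name}.p12"
}
```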


= Configuring strongSwan =
Configuration is carried out in <code>/etc/ipsec.conf</code> and <code>/etc/ipsec.secrets</code>. These basic code snippets will be enough to get the VPN tunnel working, but can be tweaked and configured to your requirements.
== <code>/etc/ipsec.conf</code> ==
<pre>
conn windows
      leftcert=servercert.pem
      leftsubnet=0.0.0.0/0
      esp=aes256gcm16!
      rightsourceip=10.126.127.0/24
      keyexchange=ikev2
      auto=add
</pre>
* In this instance, left is the server and right is the client side (the Windows hosts).
* <code>leftsubnet=0.0.0.0/0</code> routes all traffic over the tunnel. If you want to route only your own network through the tunnel rather than everything (including internet traffic), narrow it, for example <code>leftsubnet=192.168.0.0/24</code>.
== <code>/etc/ipsec.secrets</code> ==
This file points to the private key of the server.
<pre>
%any : ECDSA serverkey.pem
</pre>


= Configuring Windows =


This part is arguably the trickiest part of the procedure. The Windows "Agile VPN" client has particular ways it must be configured or the VPN connection will fail. Error messages emitted when the connection fails are generally unhelpful and need manual troubleshooting to find the problem. If followed correctly, these procedures will allow you to connect successfully the first time.
 
== Installing the certificates ==
 
Before we can install the certificate, the .p12 file we generated earlier must be copied locally to the computer it will be installed on. It does not seem to install properly when you try installing it from a network share.
 
Remember that each client must have its own certificate generated. Certificates should not be reused for other machines.
 
* Double-click on the .p12 certificate file.
* On the first "Welcome to the Certificate Import Wizard" page, change the "Store Location" from Current User to Local Machine.
* Click Next. You may have to provide Administrator credentials to continue.
* The file name provided should be OK. Click Next.
* In the password box, type the password you provided to generate the file earlier. Make sure the "Include all extended properties." check box is ticked.
* If you would like to be able to back up the certificate later, you may want to tick the "Mark this key as exportable. This will allow you to back up or transport your keys at a later time." check box. Bear in mind that if you keep the certificates and keys on the server, they can be exported again later if needed. If this box is not ticked, the private key is marked non-exportable on the client, which helps keep it secure if, for example, your computer is stolen.
* Click Next.
* The radio button should be set to "Automatically select the certificate store based on the type of certificate". This is OK.
* Click Next.
* On the "Completing the Certificate Import Wizard" page, click Finish. You should get a prompt saying the import was successful. This will complete the import.
 
For the certificates to be found by the VPN client, they must be installed in the Computer store, not the User store. Hence, make sure the "Store Location" is changed from Current User to Local Machine.
 
== Making the VPN profile ==
 
Windows 10 has two ways of making a new VPN profile, via the Control Panel or via the Settings App. We will be using the Control Panel method as this allows more control of the profile.
 
* Open the Control Panel. Change to the Large Icon view if needed.
* Click Network and Sharing Centre.
* Under your active networks section, in the "Change your network settings" section, click "Set up a new connection or network".
* Under "Choose a connection option", click "Connect to a workplace". Then click Next.
* Under "How do you want to connect?", click "Use my Internet connection (VPN)".
* In the Internet address box, type the DNS name of your VPN server.
* In the Destination name box, give your profile a name of your choosing.
* Make sure the "Allow other people to use this connection" tick box is checked. You may need administrator credentials to continue.
* Click Create. Your new profile will then be created.
 
We must now set the connection to use IKEv2.
 
* In the previous Network and Sharing Centre window, click Change adapter settings, down the left hand side.
* There will be a new connection here with the name you gave it earlier. Right-click on the connection and click Properties. You may need administrator credentials to change this.
* Click on the Security tab.