This post explains how to set up and use strongSwan with the built-in Agile VPN Client in Windows 7. This setup creates an IKEv2 IPsec tunnel with EAP-MS-CHAPv2 authentication, which simply means you’ll have usernames and passwords, and everything will be authenticated and encrypted. It is not the easiest setup, but it lets you use the VPN client built into Windows 7 without any additional software.
- Clients running Windows 7. This does not work with older versions of Windows. You’ll need administrator privileges on each client to install the CA certificate.
- Server running Linux. I run Debian 5 on a 512MB VPS. Low-end VPSs can be had at low monthly rates and are more than enough to power a VPN; just make sure yours has enough bandwidth for your needs.
- strongSwan – your VPN server / aggregator / gateway
- OpenSSL – to create the certificates
- iptables – for NATing the traffic from the client
- iptables-persistent – to make the NAT persistent.
The instructions are broken out into sections that you may skip if they don’t apply to you or you already know how to accomplish the task.
The VPN client authenticates the VPN server by way of a certificate. These two steps are only necessary if you don’t already have the proper certificate for the VPN.
Create Certificate Authority (CA) Certificate
Generate the private key
openssl genrsa -des3 -out ca.key 4096
Generate the certificate request. The answers to the questions aren’t relevant, except that the common name (CN) is generally displayed, so give it a useful name.
openssl req -new -key ca.key -out ca.csr
Sign the certificate request with the private key, in essence creating the certificate. This also adds other information, such as the expiration time.
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Create VPN Server Certificate
The first two steps are the same. Create private key.
openssl genrsa -des3 -out server.key 4096
Create the certificate request. This time the CN must be the FQDN of the VPN host.
openssl req -new -key server.key -out server.csr
The VPN certificate must have some special attributes set for Windows 7 to accept it. Create gateway.conf with the following contents, with “<FQDN>” replaced by the FQDN, the same as the CN above. The second entry in extendedKeyUsage is the ikeIntermediate OID.
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:<FQDN>
Sign the certificate request with the CA private key and certificate. This also adds the extra information, including the extensions from gateway.conf above.
openssl x509 -req -days 365 -in server.csr -CA ca.crt \
    -CAkey ca.key -set_serial 01 -out server.crt -extfile gateway.conf
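The CA and server certificate steps above, run non-interactively and followed by the checks that decide whether Windows 7 will accept the gateway certificate (chain to the CA, serverAuth EKU, the ikeIntermediate OID and a SAN equal to the FQDN). This is an added example, not code from the original post; it assumes unencrypted 2048-bit keys (the post uses -des3 and 4096) and adds basicConstraints/keyUsage to the CA certificate so that `openssl verify` treats it as a CA.

```shell
# Added example, not from the original post. Assumptions: unencrypted
# 2048-bit keys and CA extensions on ca.crt (see lead-in).

make_vpn_certs() {   # usage: make_vpn_certs <workdir> <FQDN>
    (
    cd "$1" || exit 1
    fqdn=$2
    # CA: key, request, self-signed certificate (CA extensions added here)
    openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
    openssl req -new -key ca.key -subj "/CN=VPN Test CA" -out ca.csr 2>/dev/null || exit 1
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n' > ca.conf
    openssl x509 -req -days 365 -in ca.csr -signkey ca.key -extfile ca.conf \
        -out ca.crt 2>/dev/null || exit 1
    # Server: key, request with CN = FQDN, extensions from gateway.conf
    openssl genrsa -out server.key 2048 2>/dev/null || exit 1
    openssl req -new -key server.key -subj "/CN=$fqdn" -out server.csr 2>/dev/null || exit 1
    printf 'extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2\nsubjectAltName = DNS:%s\n' \
        "$fqdn" > gateway.conf
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -set_serial 01 -extfile gateway.conf -out server.crt 2>/dev/null || exit 1
    )
}

check_vpn_cert() {   # usage: check_vpn_cert <cert> <ca-cert> <FQDN>; returns 0 if OK
    cert=$1; ca=$2; fqdn=$3
    # chain to the CA plus serverAuth EKU (a gateway cert without it is rejected)
    openssl verify -CAfile "$ca" -purpose sslserver "$cert" >/dev/null 2>&1 || return 1
    # SAN must carry the host name the client dials
    openssl x509 -in "$cert" -noout -text | grep -q "DNS:$fqdn" || return 1
    # ikeIntermediate OID matched on its DER bytes (06 08 2b 06 01 05 05 08 02 02),
    # because OpenSSL may print this OID either by name or in dotted form
    openssl x509 -in "$cert" -outform DER | od -An -tx1 | tr -d ' \n' \
        | grep -q '06082b06010505080202' || return 1
}
```

Run `check_vpn_cert` against any existing gateway certificate before importing the CA on clients; a failure on the DER check is the usual cause of Windows 7 refusing the connection with a certificate error.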
I installed strongSwan from the Debian backports, because the version in stable is too old and does not support EAP-MS-CHAPv2. strongSwan has good documentation about setting it up for Windows 7. The specific guide you want is under “B”, entitled “Configuring strongSwan for multiple Windows 7 clients”. Rather than duplicate those instructions, I’ll detail the differences between their setup and mine.
- The file names used in the config need to be replaced with the ones generated above: vpnCert.pem is server.crt and vpnKey.pem is server.key. Copy those two files into the locations described in strongSwan’s instructions.
- Add the following line to the connection definition in ipsec.conf, so strongSwan will insert iptables rules to bypass NAT.
conn win7
    leftfirewall=yes
The setup I’m describing and using involves just one Ethernet adapter on the VPN server. This is different from the traditional set-up where the VPN has one adapter that’s publicly visible and one that communicates with the internal network. In the setup described above for strongSwan, your Windows 7 clients will be given a virtual IP address. It is now necessary to NAT between these virtual IP addresses and the outside Internet.
Note: My instructions only work if your iptables default policies are all set to ACCEPT. You will need to add more rules to the FORWARD chain if that chain is set up to DROP.
Enable IPv4 forwarding in the kernel. You can do this by the following statement:
echo 1 > /proc/sys/net/ipv4/ip_forward
However, to make it persistent, i.e. applied automatically on reboot, edit /etc/sysctl.conf and uncomment the equivalent line.
Next, enable the NAT. Replace the placeholder with the actual IP address of the VPN server.
iptables -t nat -A POSTROUTING -j SNAT --to-source <VPN IP Address>
This line tells netfilter to rewrite packets so the source IP is replaced with the VPN’s IP address.
Setup Windows 7 Client
The above instructions all pertain to the VPN server and only need to be done once. The following needs to be done for each Windows 7 client.
Install CA Certificate
Simply follow the guide from strongSwan documentation. The certificate is ca.crt created above in the section for creating certificates.
Create VPN Connection
Simply follow the guide from the strongSwan documentation. It is important to choose IKEv2 specifically, as mentioned at the bottom of the documentation. IKEv2 should be tried first and succeed, but if it does not, the client falls back to other methods, which generate error messages that will only confuse you.
Voila, you should now be able to connect to your VPN and access the Internet through the VPN. You can verify this by running a traceroute to a website and checking that the next hop is your VPN server.
If you can’t connect, then verify strongSwan is running and can understand your config. Verify the correct certificates and keys are provided to strongSwan and that the CA’s certificate is imported into Windows.
If you can connect but no data is going through, run tcpdump on the VPN server to see whether it is getting the encrypted data (ESP), the decrypted payload (coming from the virtual IP address), and the NAT-ed packet. This means that for every request from the client, including ping, you’ll see three packets in tcpdump.