How To Setup strongSwan Proxy on Single IP VPS for Windows 7 Client

Introduction

This post explains how to set up and use strongSwan with the built-in Agile VPN client in Windows 7.  This setup creates an IKEv2 IPsec tunnel with EAP-MS-CHAPv2 authentication, which simply means you’ll have usernames and passwords, and everything will be authenticated and encrypted.  It is not the easiest setup, but it lets you use the built-in VPN client in Windows 7 without any additional software.

Requirements

  • Clients running Windows 7.  This does not work with older versions of Windows.  You’ll need administrator privileges to install the CA certificate.
  • Server running Linux.  I run Debian 5 on a 512MB VPS.  Low-end VPSes can be had at low monthly rates and are more than enough to power a VPN.  You will need to get one with enough bandwidth for your needs.
    • strongSwan – your VPN server / aggregator / gateway
    • OpenSSL – to create the certificates
    • iptables – for NATing the traffic from the client
    • iptables-persistent – to make the NAT persistent.

Instructions

The instructions are broken out into sections; skip a section if it doesn’t apply to you or you already know how to accomplish that task.

Create Certificates

The VPN client authenticates the VPN server by way of a certificate.  These two steps are only necessary if you don’t already have the proper certificate for the VPN.

Create Certificate Authority (CA) Certificate

Generate the private key

openssl genrsa -des3 -out ca.key 4096

Generate the certificate request.  The answers to the questions aren’t relevant, except that the common name (CN) is generally displayed, so give it a useful name.

openssl req -new -key ca.key -out ca.csr

Sign the certificate request with the private key, in essence creating the certificate.  This also adds other information, such as the expiration time.

openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Create VPN Server Certificate

The first two steps are the same.  Create the private key.

openssl genrsa -des3 -out server.key 4096

Create the certificate request.  This time, the CN must be the FQDN of the VPN host.

openssl req -new -key server.key -out server.csr

The VPN certificate must have some special attributes set in order for Windows 7 to accept it.  Create gateway.conf with the following contents, with “<FQDN>” replaced with the FQDN, the same as the CN from above.

extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:<FQDN>

Sign the certificate request with the CA private key and certificate.  This also adds the additional information, including the extensions from gateway.conf above.

openssl x509 -req -days 365 -in server.csr -CA ca.crt \
 -CAkey ca.key -set_serial 01 -out server.crt -extfile gateway.conf
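The whole certificate procedure above as one unattended script, with a check of what Windows 7 looks for in the result.  This is an added example, not code from the post; it assumes placeholder names (vpn.example.com, “Example VPN CA”), unencrypted 2048-bit keys (the post uses -des3 and 4096 bits) so it runs without prompts, and it additionally gives the CA certificate basicConstraints and keyUsage extensions so that openssl verify accepts it as an issuer.

```shell
#!/bin/sh
# Added example: the post's CA and server certificate steps, non-interactive,
# plus a check that server.crt carries what Windows 7 requires.
# Assumptions (not from the post): placeholder FQDN/CA name, unencrypted
# 2048-bit keys, and basicConstraints/keyUsage on the CA certificate.
set -eu

FQDN="${FQDN:-vpn.example.com}"      # must equal the server certificate CN
WORKDIR="${WORKDIR:-$(mktemp -d)}"

make_certs() {  # $1 = output dir, $2 = VPN host FQDN
    dir=$1; fqdn=$2
    # CA: private key, request, self-signed certificate
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=Example VPN CA" -out "$dir/ca.csr"
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/ca.conf"
    openssl x509 -req -days 365 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.conf" -out "$dir/ca.crt" 2>/dev/null
    # VPN server: key, request with CN = FQDN, gateway.conf exactly as in the post
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$fqdn" -out "$dir/server.csr"
    printf 'extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2\nsubjectAltName = DNS:%s\n' "$fqdn" > "$dir/gateway.conf"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 01 -extfile "$dir/gateway.conf" -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 only if the certificate chains to the CA and shows the serverAuth
# EKU, the IKE intermediate OID 1.3.6.1.5.5.8.2.2 and a SAN matching the FQDN.
check_server_cert() {  # $1 = server.crt, $2 = ca.crt, $3 = expected FQDN
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
    # newer OpenSSL releases print this OID by name, older ones print the digits
    printf '%s\n' "$text" | grep -Eq '1\.3\.6\.1\.5\.5\.8\.2\.2|Internet Key Exchange|ipsecIKE' || return 1
    printf '%s\n' "$text" | grep -q "DNS:$3" || return 1
}

make_certs "$WORKDIR" "$FQDN"
check_server_cert "$WORKDIR/server.crt" "$WORKDIR/ca.crt" "$FQDN" \
    && echo "server.crt OK for $FQDN (files in $WORKDIR)"
```

Run the check against any certificate you hand to strongSwan; a certificate signed without gateway.conf fails it, which is the situation behind the guyzer comment below.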

Setup strongSwan

I installed strongSwan from the Debian backports, because the version in stable is too old and does not support EAP-MS-CHAPv2.  strongSwan has good documentation about setting it up for Windows 7.  The specific guide you want is under “B”, entitled “Configuring strongSwan for multiple Windows 7 clients”.  Rather than duplicate those instructions, I’ll detail the differences between their setup and mine.

  • The file names used in the config need to be replaced with the ones generated above: vpnCert.pem is server.crt, and vpnKey.pem is server.key.  Copy those two files into the locations described by strongSwan’s instructions.
  • Add the following line to the connection definition in ipsec.conf, so strongSwan will insert iptables rules to bypass NAT.
conn win7
   leftfirewall=yes

Setup NAT

The setup I’m describing and using involves just one Ethernet adapter on the VPN server.  This is different from the traditional setup, where the VPN server has one adapter that’s publicly visible and one that communicates with the internal network.  In the strongSwan setup described above, your Windows 7 clients are given a virtual IP address.  It is now necessary to NAT between these virtual IP addresses and the outside Internet.

Note: My instructions only work if the default policy of every iptables chain is set to ACCEPT.  You will need to add more rules to the FORWARD chain if that chain’s policy is set to DROP.

Enable IPv4 forwarding in the kernel.  You can do this by the following statement:

echo 1 > /proc/sys/net/ipv4/ip_forward

However, to make it persistent, i.e. applied automatically on reboot, modify /etc/sysctl.conf and uncomment the equivalent line.

Next, enable the NAT.  Replace the placeholder with the actual IP address of the VPN server.

iptables -A POSTROUTING -t nat -j SNAT --to-source <VPN IP Address>

This rule tells netfilter to rewrite forwarded packets leaving the server so that the source IP address (the client’s virtual address) is replaced with the VPN server’s IP address.
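The NAT setup above written out as an iptables-persistent rules file, with a check run before loading it.  This is an added example, not from the post; VPN_IP, POOL (the rightsourceip pool handed to Windows clients in ipsec.conf) and IFACE are placeholders.  It goes beyond the post’s single rule in two ways: the SNAT is limited to the client pool and the public adapter instead of matching every forwarded packet, and it includes the FORWARD rules the note above says are needed when that chain’s policy is DROP.

```shell
#!/bin/sh
# Added example, not from the post: generates /etc/iptables/rules.v4 for the
# single-adapter NAT.  Placeholders (assumptions): VPN_IP = the VPS address,
# POOL = the rightsourceip pool from ipsec.conf, IFACE = the one public adapter.
nat_rules() {  # $1 = VPN public IP, $2 = client virtual pool, $3 = interface
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# The post's rule SNATs every forwarded packet; binding it to the client pool
# and the public adapter leaves any other forwarded traffic untouched.
-A POSTROUTING -s $2 -o $3 -j SNAT --to-source $1
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Redundant while FORWARD defaults to ACCEPT; required if you change it to
# DROP: pass packets that arrived inside an IPsec SA, and replies going back
# into one, while anything else stays blocked by the policy.
-A FORWARD -s $2 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d $2 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
EOF
}

# Sanity check before iptables-restore: exactly one SNAT rule, bound to the
# pool and adapter, and a filter table present for the FORWARD rules.
check_rules() {  # $1 = rules text, $2 = pool, $3 = interface
    n=$(printf '%s\n' "$1" | grep -c -- '-j SNAT')
    [ "$n" -eq 1 ] || return 1
    printf '%s\n' "$1" | grep -q -- "-A POSTROUTING -s $2 -o $3 -j SNAT" || return 1
    printf '%s\n' "$1" | grep -q '^\*filter$' || return 1
}

rules=$(nat_rules "${VPN_IP:-192.0.2.10}" "${POOL:-10.3.0.0/16}" "${IFACE:-eth0}")
check_rules "$rules" "${POOL:-10.3.0.0/16}" "${IFACE:-eth0}" && printf '%s\n' "$rules"
# Load with: iptables-restore < rules.v4; save as /etc/iptables/rules.v4 for iptables-persistent
```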

Setup Windows 7 Client

The above instructions all pertained to the VPN server and only need to be done once.  The following needs to be done for each Windows 7 client.

Install CA Certificate

Simply follow the guide from strongSwan documentation.  The certificate is ca.crt created above in the section for creating certificates.

Create VPN Connection

Simply follow the guide from the strongSwan documentation.  It is important to specifically choose IKEv2, as mentioned at the bottom of the documentation.  IKEv2 should be tried first and succeed, but if it does not, the client will fall back to other methods, which generate error messages that will only confuse you.

Troubleshoot

Voila, you should now be able to connect to your VPN and access the Internet through it.  You can verify this by tracerouting to a website and checking that the first hop is your VPN server.

If you can’t connect, verify that strongSwan is running and can parse your config.  Verify that the correct certificates and keys are provided to strongSwan and that the CA’s certificate is imported into Windows.

If you can connect but data is not going through, you can run tcpdump on the VPN server to see whether it is getting the encrypted data (ESP), the decrypted payload (coming from the virtual IP address), and the NAT-ed packet.  This means that for every request from the client, including a ping, you’ll see three packets in tcpdump.

This entry was posted in Computer, Tips. Bookmark the permalink.

2 Responses to How To Setup strongSwan Proxy on Single IP VPS for Windows 7 Client

  1. sedlin says:

    Thanks for the nice and simple guide on how to get strongSwan working! 2 days of getting info about strongSwan and finally I found your site! My VPN works now! Thanks.

  2. guyzer says:

    I was hoping to get a bit of help. I continue to get an error with the gateway.conf. I was unsure of where to create it, so I just did “sudo vi gateway.conf” and copied and pasted the info into it. The command then executed after this but gave me this…

    ubuntu@ip-10-252-45-16:~$ openssl x509 -req -days 365 -in ec2-50-112-64-203.us-west-2.compute.amazonaws.com.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ec2-50-112-64-203.us-west-2.compute.amazonaws.com.crt -extfile gateway.conf
    Error Loading extension section default
    139967821465248:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension name:v3_conf.c:124:
    139967821465248:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=age, value=serverAuth, 1.3.6.1.5.5.8.2.2
