strongSwan IKEv2 VPN for Windows 7
We will build an IKEv2 VPN for Windows 7 using strongSwan. The gateway authenticates itself to the client with a certificate; the client authenticates with EAP-MSCHAPv2, which the gateway relays to FreeRADIUS.
Software
- Slackware 13.37
- strongSwan
- FreeRADIUS
- Samba & LDAP
Infrastructure Design
In short: leftsubnet, the whole private network behind the gateway, is the 192.168.0.0/16 block, and rightsubnet, the pool from which IKEv2 road-warrior clients get their virtual IPs, is 192.168.76.0/22 (a sub-range carved out of the same /16).
strongSwan
Installation
Configuration
/usr/local/strongswan/etc/ipsec.conf
config setup
    nat_traversal=yes
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add
    left=%defaultroute
    # gateway side: authenticate with the gateway certificate
    leftauth=pubkey
    leftcert=/usr/local/strongswan/etc/duo-cert.pem
    right=%any
    # client side: EAP, relayed to the RADIUS server configured in strongswan.conf
    rightauth=eap-radius
    # the Windows client has no certificate of its own, so never ask for one
    rightsendcert=never
    # take the EAP identity from the client and pass it to RADIUS as-is
    eap_identity=%any
    # the trailing ! makes the proposals strict; these match the Windows 7 defaults
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    # virtual IP pool handed out to road warriors
    rightsourceip=192.168.76.0/22
    # rightsourceip=%dhcp
    leftsubnet=192.168.0.0/16
    # leftsourceip=%config
The gateway narrows the traffic selector proposed by the Windows client to the range given in leftsubnet, so only traffic to 192.168.0.0/16 travels through the tunnel. To have the gateway route all of the client's traffic, set leftsubnet=0.0.0.0/0. Note also that aes256-sha1-modp1024 is what Windows 7 offers by default; modp1024 (DH group 2) is weak by current standards. Windows 7 can be made to offer modp2048 by setting the DWORD NegotiateDH2048_AES256 under HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters (1 = prefer, 2 = require), after which the gateway can use ike=aes256-sha1-modp2048! instead.
/usr/local/strongswan/etc/strongswan.conf
The relevant charon and plugin settings are:
charon {
    # DNS and WINS servers pushed to the Windows client with its virtual IP
    dns1 = 192.168.1.1
    nbns1 = 192.168.1.1
    threads = 16
    plugins {
        sql {
            # loglevel to log into sql database
            loglevel = -1
            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
        # dhcp {
        #     server = 192.168.1.1
        # }
        eap-radius {
            servers {
                vpnserver {
                    # must match the shared secret for this client in FreeRADIUS' clients.conf
                    secret = xxxxxxxx
                    address = 127.0.0.1
                }
            }
        }
    }
}

pluto {
}

libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
}
Windows client
Import the CA certificate that issued the gateway certificate (not the gateway certificate itself) into the Trusted Root Certification Authorities store of the Local Computer account, not the user's store; certmgr.msc opens the user store, so use the Certificates snap-in in mmc for the Computer account, or run certutil -addstore -f Root ca-cert.pem from an elevated prompt. The gateway certificate itself must carry the FQDN (or IP) the client dials in subjectAltName and the serverAuth extended key usage, otherwise Windows 7 refuses the connection even though the chain is valid. Then create the VPN connection with Type of VPN set to IKEv2 and authentication set to EAP with "Microsoft: Secured password (EAP-MSCHAP v2)".
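The following script is an added example and not part of the original page or of strongSwan: it issues a private CA and a gateway certificate with exactly the attributes the Windows 7 client checks (subjectAltName naming the dialed host, serverAuth EKU, a chain to the trusted CA), and provides a check function that rejects a certificate missing any of them. It assumes the openssl command-line tool is installed; the gateway name vpn.example.com and the scratch directory are assumptions, to be replaced with the name the Windows client actually dials and the real strongSwan paths.

```shell
#!/bin/sh
# Added example (not from the original page): issue a CA and a gateway
# certificate suitable for a Windows 7 IKEv2 client, and check it.
# Assumptions: openssl CLI present; vpn.example.com is a placeholder for
# the name the client dials; files land in a scratch directory.
set -e

WORK="${WORK:-$(mktemp -d)}"
GW_FQDN="${GW_FQDN:-vpn.example.com}"

# Build the CA and gateway certificates. The CA gets explicit CA:TRUE and
# keyCertSign so chain validation does not depend on openssl.cnf defaults.
# The gateway cert gets subjectAltName = DNS:<dialed name> and
# extendedKeyUsage = serverAuth, the two attributes Windows 7 insists on.
make_certs() {
    cat > "$WORK/ca.ext" <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$WORK/gw.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$GW_FQDN
EOF
    # CA: key + CSR, then self-sign with the CA extensions above
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example VPN CA" \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca.csr" 2>/dev/null
    openssl x509 -req -days 3650 -sha256 -in "$WORK/ca.csr" \
        -signkey "$WORK/ca-key.pem" -extfile "$WORK/ca.ext" \
        -out "$WORK/ca-cert.pem" 2>/dev/null
    # Gateway: key + CSR, signed by the CA (this file becomes leftcert)
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$GW_FQDN" \
        -keyout "$WORK/duo-key.pem" -out "$WORK/duo.csr" 2>/dev/null
    openssl x509 -req -days 1825 -sha256 -in "$WORK/duo.csr" \
        -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
        -extfile "$WORK/gw.ext" -out "$WORK/duo-cert.pem" 2>/dev/null
}

# Check a gateway certificate the way the Windows 7 client will: it must
# chain to the CA the client trusts, name the dialed FQDN in subjectAltName,
# and carry the serverAuth EKU. Prints "ok" and returns 0 on success,
# otherwise prints the first failing reason and returns 1.
check_gateway_cert() {
    cert="$1"; ca="$2"; fqdn="$3"
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "does not chain to $ca"; return 1
    fi
    text=$(openssl x509 -in "$cert" -noout -text)
    # escape dots so the FQDN is matched literally in the SAN line
    pat=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    if ! printf '%s\n' "$text" | grep -qE "DNS:$pat(,| |$)"; then
        echo "no subjectAltName DNS:$fqdn"; return 1
    fi
    if ! printf '%s\n' "$text" | grep -q "TLS Web Server Authentication"; then
        echo "no serverAuth extendedKeyUsage"; return 1
    fi
    echo ok
}

make_certs
check_gateway_cert "$WORK/duo-cert.pem" "$WORK/ca-cert.pem" "$GW_FQDN"
```

Copy duo-cert.pem to the leftcert path from ipsec.conf (/usr/local/strongswan/etc/duo-cert.pem), put duo-key.pem under ipsec.d/private/ and reference it in ipsec.secrets with a `: RSA duo-key.pem` line, and import ca-cert.pem into the Windows Local Computer Trusted Root store as described above. Running the check against the CA certificate itself fails on the missing subjectAltName, which is the same symptom you get when the gateway certificate was issued without one.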