wiki.ipfire.org

The community-maintained documentation platform of IPFire


Example Configuration - Roadwarrior with Windows

  • Windows 7 was used to create this example configuration
  • This configuration was also tested with Windows 8.1

First step - Generate certificates

  • Go to “Services > IPSec”
  • Edit the “Global Settings”
    • “Public IP or FQDN”: Enter your public domain name (or IP)
    • “Host-to-Net Virtual Private Network (RoadWarrior)”: Enter the IP range that clients will get an IP from
    • Check “Enabled”
    • Click “Save”
  • Click “Generate root/host certificates”
    • Fill in the form to generate the certificates
      • “Organization Name”: Choose a name
      • “IPFire's Hostname”: DNS-Name of the IPFire device
      • “Subject Alt Name”: Used for alternative domain names
      • Click “Generate root/host certificate”
  • “Connection Status and -Control”
    • Click “Add” and choose “RoadWarrior”
  • Fill in the form to generate the device certificate
    • “Name”: “CONNECTION_NAME” (no spaces allowed)
    • Choose “Generate a certificate”
    • “User's full name or system hostname”: Choose a name (no spaces allowed)
    • Enter an export password
    • Click “Save”
  • In the “Connection Status and -Control” click the “Download PKCS12 file” icon and download the certificates to your local PC.
  • Edit the connection's advanced settings
    • “Keyexchange”: Select “IKEv2”
    • “Encryption”: Set it to “AES-CBC (256, 192 and 128 bit)”
    • “Roadwarrior virtual IP (sometimes called Inner-IP)”: disable it (deprecated and known to cause connection problems)

Second step - Configure the IPFire

  • Connect to the IPFire via SSH (e.g. PuTTY) or log in on a locally attached screen/keyboard
  • Add the following to /etc/ipsec.user-post.conf. “leftsubnet=0.0.0.0/0” together with “leftallowany=yes” lets the client also reach the Internet through the tunnel while connected; “rekey=no” stops the IPsec daemon from initiating a rekey towards the client, which would usually fail because most roadwarriors sit behind NAT:
conn CONNECTION_NAME
    leftsubnet=0.0.0.0/0
    leftallowany=yes
    rekey=no
  • Restart the IPsec daemon: type ipsec restart

Third step - Install the certificate on the Windows PC

  • Start the Microsoft Management Console (Start→Search for “mmc”)
    • File→Add Snap-In
    • Choose “Certificates” and select the profile for your local computer (!)
      • Click OK and expand the certificate tree.
      • Right click on your personal certificates, choose “all tasks→Import…”
      • Find the PKCS12 file that you downloaded at the end of Step 1
      • Type in the export password
      • Choose “Automatically select the certificate store based on the type of the certificate”
      • Click “Finish”
  • Now you can close the “mmc” without saving

Fourth step - Create the connection

  • Start the “Network and Sharing Center”
    • Set up a new connection or network
      • Connect to a Workplace
      • Create a new connection
      • Use the Internet (VPN)
      • As address, use the “DNS-Name of your IPFire device”
      • Do not connect now, but create the connection for later use (check this checkbox)
      • A password is not necessary
    • Right click on the newly created connection (you can find it by clicking on your network tray icon)
      • Go to Properties, choose the “Security tab”
      • Set the type of VPN to “IKEv2”
      • Set the authentication to “use computer certs”
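Steps 3 and 4 can also be carried out from an elevated PowerShell instead of the mmc and the Network and Sharing Center. The script below is an added example and is not part of the original wiki page. It assumes Windows 8.1 (the VpnClient cmdlets it uses do not exist on Windows 7, where the GUI steps above remain the way to go), that the PKCS12 file downloaded in Step 1 contains the IPFire root CA next to the device certificate, and the download path, local connection name, server address and IPsec proposal values are placeholders you must replace with your own; the proposal in particular has to match the “Advanced settings” of the connection on the IPFire, of which the page only fixes the AES-CBC encryption.

```powershell
# Added example, not code from the IPFire wiki. Run in an elevated PowerShell on
# Windows 8.1. Imports the PKCS12 file from Step 1 into the *computer* stores and
# creates the IKEv2 connection from Step 4 with computer-certificate authentication.

$PfxPath        = 'C:\Users\me\Downloads\CONNECTION_NAME.p12'   # assumption: where the file was saved
$ConnectionName = 'IPFire'                                       # assumption: local name of the VPN entry
$ServerAddress  = 'ipfire.example.org'                           # placeholder: the “Public IP or FQDN” / IPFire hostname from Step 1
$ExportPassword = Read-Host -Prompt 'Export password from Step 1' -AsSecureString

# --- Step 3: import the PKCS12 file ---------------------------------------------
# The mmc wizard's “Automatically select the certificate store based on the type”
# option is reproduced here by hand: the certificate that carries the private key
# goes to Personal (My), a self-signed certificate is the root CA and goes to
# Trusted Root Certification Authorities, anything else is an intermediate.
# Import-PfxCertificate would drop the whole chain into a single store, and the
# root CA would then never be trusted.
Add-Type -AssemblyName System.Security
$ksf    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$flags  = $ksf::MachineKeySet -bor $ksf::PersistKeySet
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection

# X509Certificate2Collection.Import only takes a plain-text password, so decode
# the SecureString for the duration of the call and wipe the buffer afterwards.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ExportPassword)
try {
    $bundle.Import($PfxPath, [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr), $flags)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

foreach ($cert in $bundle) {
    if     ($cert.HasPrivateKey)            { $storeName = 'My'   }   # device certificate + key
    elseif ($cert.Subject -eq $cert.Issuer) { $storeName = 'Root' }   # IPFire root CA (self-signed)
    else                                    { $storeName = 'CA'   }   # intermediate CA, if any

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()

    # Check: the certificate must now be visible under the chosen machine store.
    if (-not (Test-Path "Cert:\LocalMachine\$storeName\$($cert.Thumbprint)")) {
        throw "Certificate '$($cert.Subject)' did not land in LocalMachine\$storeName"
    }
    "Imported '$($cert.Subject)' into LocalMachine\$storeName"
}

# --- Step 4: create the connection ----------------------------------------------
# Equivalent of “Connect to a Workplace” -> “Use the Internet (VPN)” with
# type IKEv2 and authentication “use computer certs”. Use the DNS name of the
# IPFire device as the address, as the wiki page instructs for the GUI.
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required -Force

# Pin the IKE/ESP proposal to AES-256 so it matches the “AES-CBC (256 ...)” setting
# chosen on the IPFire. Assumption: SHA-256 integrity, DH/PFS group 14 (2048 bit);
# the page does not state these, so align them with the connection's
# “Advanced settings” on the IPFire before connecting.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -Force

# Final check: the entry exists, is IKEv2 and uses the computer certificate.
$conn = Get-VpnConnection -Name $ConnectionName
if ($conn.TunnelType -ne 'Ikev2' -or $conn.AuthenticationMethod -notcontains 'MachineCertificate') {
    throw "VPN connection '$ConnectionName' was not created with IKEv2 + computer certificate"
}
"Connection '$ConnectionName' ready; dial with: rasdial `"$ConnectionName`""
```

The store-sorting loop is the part worth keeping even if you prefer the GUI for the rest: a device certificate that is trusted only because the root CA accidentally ended up in the Personal store fails the IKEv2 certificate validation on the client, and the resulting Windows error does not say why.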
en/configuration/services/ipsec/example_configuration-_roadwarrior_with_windows.txt · Last modified: 2015/07/23 15:56 by larsen