wiki.ipfire.org

The community-maintained documentation platform of IPFire


Example Configuration - Roadwarrior with Windows

  • This configuration should work with Windows 7, 8, and 10.

Step 1 - Global IPSec Settings

  • Go to “Services > IPSec”
  • Edit the “Global Settings”
    • “Public IP or FQDN”:
      • If you have a static IP: Enter your public domain name or IP.
      • If you have a dynamic IP: Enter “%defaultroute”.
    • “Host-to-Net Virtual Private Network (RoadWarrior)”
      • Enter the IP range from which connecting clients will receive an address.
      • Make sure that this range does not conflict with your LAN DHCP scope.
    • Check “Enabled”
    • Click “Save”

Step 2 - Generate certificates

  • Click “Generate root/host certificates”
    • Fill in the form to generate the certificates
      • “Organization Name”: Choose a name
      • “IPFire's Hostname”: DNS-Name of the IPFire device
      • Complete “Your e-Mail Address”, “Your Department”, “City”, “State”, and “Country” with your information.
      • “Subject Alt Name”: Enter “DNS:” followed by the IPFire hostname, e.g. “DNS:myhost.mydomain.dom”. Windows validates the host certificate against the server address it dials, so this must be the same name the clients will enter in Step 6.
      • Click “Generate root/host certificate”

Step 3 - Create the Connection on IPFire

  • “Connection Status and -Control”
    • Click “Add” and choose “Host-to-Net Virtual Private Network (RoadWarrior)”

  • Fill in the form to generate the device certificate
    • “Name”: “CONNECTION_NAME” (no spaces allowed)
    • “Local Subnet”: Enter “0.0.0.0/0” to allow IPSec clients to access the internet over this connection. Enter your local subnet (Green, Blue, or both) to limit traffic to those subnets.
    • Choose “Generate a certificate”
    • “User's full name or system hostname”: Choose a name (no spaces allowed)
    • Enter an export password
    • Click “Save”

  • Edit the connection's advanced settings
    • “Keyexchange”: Select “IKEv2”
    • “Encryption”: Select “256 bit AES-CBC”, “192 bit AES-CBC”, and “128 bit AES-CBC”
    • “Integrity”: Select “SHA2 512 bit” and “SHA2 256 bit”
    • “Grouptype”: Select “MODP-2048” and “MODP-1024 (Broken)”. NOTE: MODP-1024 should not be used; it is only listed because a stock Windows IKEv2 client proposes DH group 2 (MODP-1024) and AES-128 by default. Windows can be made to offer DH group 14 (MODP-2048) and AES-256 with the DWORD “NegotiateDH2048_AES256” under HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters (1 = offer them if the server supports them, 2 = always use them); once every client has been changed, remove MODP-1024 from this list.

Step 4 - Configure IPFire

  • Connect to the IPFire via SSH (PuTTY) or log in on the console with a screen and keyboard.
  • Add the following to /etc/ipsec.user.conf. The “conn” name must match the connection name from Step 3 so that strongSwan merges these settings into that connection. “leftallowany=yes” lets the local endpoint be treated as %any, which is needed when “Public IP or FQDN” is a hostname or %defaultroute (Internet access for the client comes from the 0.0.0.0/0 Local Subnet chosen in Step 3). “rekey=no” and “reauth=no” stop IPFire from initiating rekeying or reauthentication towards the client, which usually fails because most roadwarriors sit behind NAT; the Windows client initiates them instead. “rightdns” hands the client a DNS server (the local IPFire address is recommended) so that name resolution works over the tunnel.
conn CONNECTION_NAME
    # treat the local endpoint as %any (needed with a hostname or %defaultroute)
    leftallowany=yes
    # DNS server pushed to the client; use your IPFire GREEN address
    rightdns=10.100.2.1
    # leave rekeying and reauthentication to the (NATed) Windows client
    rekey=no
    reauth=no
  • Restart the IPsec daemon with “ipsec restart”. !! This may drop any active connections !!

Step 5 - Install the certificate on the Windows PC

  • Browse to the IPSec page of the IPFire web interface.
  • In the “Connection Status and -Control” section, click the “Download PKCS12 file” (diskette) icon and download the certificates to your local PC.
  • Log on to Windows using an administrator account
  • Start the Microsoft Management Console (Start→Search for “mmc”)
    • File→Add Snap-In
    • Certificates, then choose “Computer account” (the certificate must go into the local computer's store, not the user's)
      • Click OK and expand the certificate tree.
      • Right click on “Personal”, choose “All Tasks→Import…”
      • Find the PKCS12 file that you downloaded at the start of this step
      • Type in the export password you set in Step 3
      • Choose “Automatically select the certificate store based on the type of the certificate” (this places the client certificate in “Personal” and the IPFire root certificate in “Trusted Root Certification Authorities”)
      • Click “Finish”
  • You can now close the “mmc” without saving

Step 6 - Create the connection in Windows

  • Start the “Network and Sharing Center”
    • Set up a new connection or network
      • Connect to a Workplace
      • Create a new connection
      • Use the Internet (VPN)
      • As address, use the DNS name of your IPFire device. It must be the name in the host certificate's Subject Alt Name from Step 2, otherwise certificate validation on the client fails.
      • Do not connect now, but create the connection for later use (check this checkbox)
      • A password is not necessary
    • Right click on the newly created connection (you can find it by clicking on your network tray icon)
      • Go to Properties, choose the “Security tab”
      • Set the type of VPN to “IKEv2”
      • Set the authentication to “Use machine certificates”
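
The same Windows-side work (Steps 5 and 6) from an elevated PowerShell prompt, as an added example that is not part of the IPFire wiki page or the IPFire project. It also pins the client's IKE and ESP proposals to AES-256/SHA-256 with DH group 14, which is the Windows 8.1/10 way (cmdlets from the VpnClient and PKI modules) to get rid of the MODP-1024 entry on the IPFire side. Assumptions: the PKCS12 file downloaded from IPFire is C:\vpn\client.p12, the IPFire root certificate (“Download root certificate” on the IPsec page) is C:\vpn\cacert.pem, the connection is named “IPFire”, and the IPFire hostname is myhost.mydomain.dom.

```powershell
# Added example, not code from the IPFire wiki. Run as Administrator on Windows 8.1/10.
# Assumed values: adjust paths, connection name and host name to your setup.
$Pkcs12   = 'C:\vpn\client.p12'        # assumed location of the PKCS12 from Step 5
$RootCert = 'C:\vpn\cacert.pem'        # assumed location of the IPFire root certificate
$ConnName = 'IPFire'                   # assumed connection name
$Server   = 'myhost.mydomain.dom'      # must equal the DNS: Subject Alt Name from Step 2

# Step 5: the client certificate belongs in the *machine* store, which is the
# store that “Use machine certificates” authentication looks at.
$pw = Read-Host -AsSecureString -Prompt 'Export password chosen in Step 3'
Import-PfxCertificate -FilePath $Pkcs12 -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pw | Out-Null
# The IPFire root must be trusted by the machine, or the host certificate will not validate.
Import-Certificate -FilePath $RootCert -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Step 6: an IKEv2 connection authenticated with the machine certificate.
if (Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnName -Force
}
Add-VpnConnection -Name $ConnName -ServerAddress $Server -TunnelType IKEv2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
    -RememberCredential:$false -Force

# Replace the Windows defaults (AES-128, DH group 2 / MODP-1024) with the
# proposals given to IPFire in Step 3 and DH group 14 (MODP-2048).
# IKE: EncryptionMethod / IntegrityCheckMethod / DHGroup
# ESP: CipherTransformConstants / AuthenticationTransformConstants / PfsGroup
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -Force

# Show the result, then dial. A machine-certificate connection needs no user credentials.
Get-VpnConnection -Name $ConnName |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, IPsecCustomPolicy
rasdial $ConnName
```

The ESP values (AES-256, SHA-256, PFS with MODP-2048) must also be enabled in the ESP part of the connection's advanced settings on IPFire, otherwise the IKE_AUTH proposal is rejected even though the IKE proposal matches. Only after every client has been configured this way should “MODP-1024 (Broken)” be removed from the IPFire side, since a stock Windows client will still offer group 2 until it is changed.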
configuration/services/ipsec/example_configuration-_roadwarrior_with_windows.txt · Last modified: 2018/12/11 02:58 by Tom Rymes