Enter the IP range from which connecting clients should receive an IP address.
Make sure that this range does not conflict with your LAN DHCP scope.
Step 2 - Generate certificates
Click “Generate root/host certificates”
Fill in the form to generate the certificates
“Organization Name”: Choose a name
“IPFire's Hostname”: DNS-Name of the IPFire device
Complete “Your e-Mail Address”, “Your Department”, “City”, “State”, and “Country” with your information.
“Subject Alt Name”: Enter “DNS:” followed by the IPFire hostname, e.g. “DNS:myhost.mydomain.dom”
Click “Generate root/host certificate”
Step 3 - Create the Connection on IPFire
Under “Connection Status and -Control”:
Click “Add” and choose “Host-to-Net Virtual Private Network (RoadWarrior)”
Fill in the form to generate the device certificate
“Name”: “CONNECTION_NAME” (no spaces allowed)
“Local Subnet”: Enter “0.0.0.0/0” to allow IPSec clients to access the internet over this connection. Enter your local subnet (Green, Blue, or both) to limit traffic to those subnets.
Choose “Generate a certificate”
“User's full name or system hostname”: Choose a name (no spaces allowed)
Enter an export password
Edit the connection's advanced settings
“Keyexchange”: Select “IKEv2”
“Encryption”: Select “256 bit AES-CBC”, “192 bit AES-CBC”, and “128 bit AES-CBC”
“Integrity”: Select “SHA2 512 bit”, “SHA2 256 bit”, and “SHA1 (Weak)” (NOTE: SHA1 should not be used, but Windows 10 does not support SHA2 by default. PowerShell can be used to allow the use of SHA2. When I have a chance I will revisit this article and revise it to remove this cipher)
“Grouptype”: Select “MODP-2048” and “MODP-1024 (Broken)” (NOTE: MODP-1024 should not be used, but Windows 10 does not support strong encryption by default. PowerShell can be used to enable better encryption. When I have a chance I will revisit this article and revise it to remove this cipher)
Step 4 - Configure IPFire
Connect to IPFire via SSH (e.g. PuTTY) or log in locally with a screen and keyboard.
Add the following to /etc/ipsec.user.conf. “leftsubnet”/“leftallowany” allow the client to also access the Internet when connected; setting “rekey” and “reauth” to no prevents problems where the IPsec daemon would try to connect to the client (which would probably fail, as most roadwarriors are behind NAT); defining the DNS server (I recommend using the local IPFire address) allows name resolution to work.
Restart the ipsec daemon by typing **ipsec restart**. !! This may drop any active connections !!
Step 5 - Install the certificate on the Windows PC
Browse to the IPSec page of the IPFire web interface.
In the “Connection Status and -Control” section, click the “Download PKCS12 file” (diskette) icon and download the certificates to your local PC.
Log on to Windows using an administrator account
Start the Microsoft Management Console (Start→Search for “mmc”)
Add the “Certificates” snap-in and, when asked, choose the computer account (!), not your user account
Click OK and expand the certificate tree.
Right click on your personal certificates, choose “all tasks→Import…”
Find the PKCS12 file that you downloaded earlier in this step
Type in the export password you set in Step 3
Choose “Automatically select the certificate store based on the type of the certificate”
You can now close the “mmc” without saving
Step 6 - Create the connection in Windows
Start the “Network and Sharing Center”
Set up a new connection or network
Connect to a Workplace
Create a new connection
Use the Internet (VPN)
As the Internet address, use the DNS name of your IPFire device (the hostname from Step 2)
Do not connect now, but create the connection for later use (check this checkbox)
A password is not necessary
Right click on the newly created connection (you can find it by clicking on your network tray icon)
Go to Properties, choose the “Security tab”
Set the type of VPN to “IKEv2”
Set the authentication to “use computer certs”
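Step 3 notes that PowerShell can raise the Windows 10 client's IKEv2 proposal so the weak “SHA1” and “MODP-1024” fallbacks on IPFire become unnecessary. The following is an added example, not from the original article, using the built-in Set-VpnConnectionIPsecConfiguration cmdlet; it assumes the connection from Step 6 is named CONNECTION_NAME, was created for the current user only, and that IPFire offers 256 bit AES-CBC, SHA2 256 bit and MODP-2048 as selected in Step 3.

```powershell
# Added example, not part of the IPFire wiki page.
# Run in an elevated PowerShell prompt on the Windows client after Step 6.
# Assumed connection name (use whatever you typed in the Windows wizard):
$conn = "CONNECTION_NAME"

# Show the connection as created by the wizard. A fresh Windows 10 IKEv2
# connection has no custom policy and negotiates its weak defaults, which is
# why the article had to keep SHA1 and MODP-1024 enabled on IPFire.
Get-VpnConnection -Name $conn | Select-Object Name, TunnelType, IPsecCustomPolicy

# Pin the client to the strong set IPFire already offers:
#   IKE SA : AES-256-CBC / SHA-256 / DH group 14 (= MODP-2048)
#   ESP SA : AES-256-CBC / HMAC-SHA-256-128, PFS with group 14 (= PFS2048)
# Add -AllUserConnection if the connection was created for all users.
Set-VpnConnectionIPsecConfiguration -ConnectionName $conn `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 `
    -Force

# Confirm the custom policy is now attached before touching the IPFire side.
(Get-VpnConnection -Name $conn).IPsecCustomPolicy
```

Once the client connects with this policy, “SHA1 (Weak)” and “MODP-1024 (Broken)” can be deselected in the connection's advanced settings on IPFire (Step 3), so the daemon no longer accepts them from any peer.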
configuration/services/ipsec/example_configuration-_roadwarrior_with_windows.txt · Last modified: 2019/02/14 03:12 by Tom Rymes