My strongSwan copy is not behind NAT. By the way, I have been able to set up successfully one copy of Win 7 for L2TP/PSK from behind NAT. But for the other Win 7 copy (I specifically tested behind different NATs, and without NAT also).

Even as I wrote, I tested without NAT (client->bluetooth->Sony Z1->3G/4G->Internet->strongSwan at Ubuntu) and ^#^%^% nothing changes. When I tried to use the Android connection (from this Sony Z1), I was successful both with PSK and with certificate (IKEv1). So, as for Win XP, there weren't troubles as I remember.

I issued the certificates with the easy-rsa software, from Easy-rsa GitHub <https://github.com/OpenVPN/easy-rsa> or Easy-rsa desc <http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html>. I added subjectAltName with both the external IP and the internal FQDN, to both the server and the client certificate. Also I added extendedKeyUsage=1.3.6.1.5.5.8.2.2, serverAuth to the server certificate. But just now I am testing IKEv2 and getting error 13801 (for machine certificate).

2014-09-28 0:53 GMT+04:00 Dr. Rolf Jansen <[email protected]>:

> On 27.09.2014 at 15:12, CpServiceSPb . <[email protected]> wrote:
>
> > Can somebody give a step by step instruction and/or working CA, server &
> > client certificate with testing data as a working example so that Win 7
> > could work across PSK/IKEv1/IKEv2?
>
> I am running strongSwan 5.2.0 on a FreeBSD machine, and I also had
> difficulties getting a working setup with Windows 7 clients.
>
> My findings.
>
> Forget L2TP/IPsec with Windows 7. While Mac OS X and iOS clients are
> happily connecting to my server in any situation, i.e. IKEv1 with
> certificates or PSK, without NAT, with single NAT, with double NAT,
> Windows 7 works only without NAT, and that is pretty much useless, given
> that road warriors need connectivity from hotels, airports, LAN houses,
> mostly from behind some kind of NAT.
>
> The only setup which works for me with the Windows 7 client behind NAT is
> IKEv2 with machine certificates. The server must listen on the public
> interface, though.
>
> My ipsec.conf:
>
> conn IKEv2
>     keyexchange = ikev2
>     leftcert = ipsec-service-cert.pem
>     rightcert = ipsec-clients-cert.pem
>     left = %any
>     leftsubnet = 192.168.1.0/24
>     right = %any
>     rightdns = 192.168.1.1
>     rightsourceip = 192.168.1.176/28
>     auto = add
>
> My ipsec.secrets:
>
> : RSA ipsec-service-key.pem
>
> For setting up the CA and the certificates, I used the PKI tools that
> came together with strongSwan. Here comes the list of commands without
> comments (use man if you are in doubt). Note, on FreeBSD, the $PREFIX is
> /usr/local, and I don't know where Ubuntu stores everything, perhaps you
> need to correct some cert locations.
>
> As user root do:
> ######## commands begin:
> mkdir ~/ipsec-certs
> cd ~/ipsec-certs
> pki --gen --outform pem > ipsec-ca-key.pem
> pki --self --outform pem --in ipsec-ca-key.pem --digest sha256 --ca \
>     --dn "C=DE, O=Example, CN=example.com CA" > ipsec-ca-cert.pem
>
> pki --gen --outform pem > ipsec-service-key.pem
> pki --pub --in ipsec-service-key.pem | \
>     pki --issue --outform pem --digest sha256 --cacert ipsec-ca-cert.pem \
>     --cakey ipsec-ca-key.pem --flag serverAuth --flag ikeIntermediate \
>     --san example.com --dn "C=DE, O=Example, CN=example.com" \
>     > ipsec-service-cert.pem
>
> pki --gen --outform pem > ipsec-clients-key.pem
> pki --pub --in ipsec-clients-key.pem | \
>     pki --issue --outform pem --digest sha256 --cacert ipsec-ca-cert.pem \
>     --cakey ipsec-ca-key.pem --san ipsec-clients.example.com \
>     --dn "C=DE, O=Example, CN=ipsec-clients.example.com" \
>     > ipsec-clients-cert.pem
>
> cp ipsec-ca-cert.pem /usr/local/etc/ipsec.d/cacerts/ipsec-ca-cert.pem
> cp ipsec-service-key.pem /usr/local/etc/ipsec.d/private/ipsec-service-key.pem
> cp ipsec-clients-key.pem /usr/local/etc/ipsec.d/private/ipsec-clients-key.pem
> cp ipsec-service-cert.pem /usr/local/etc/ipsec.d/certs/ipsec-service-cert.pem
> cp ipsec-clients-cert.pem /usr/local/etc/ipsec.d/certs/ipsec-clients-cert.pem
>
> openssl pkcs12 -export -out ipsec-clients.p12 -inkey ipsec-clients-key.pem \
>     -in ipsec-clients-cert.pem -certfile ipsec-ca-cert.pem
> ######## commands end.
>
> IMPORTANT: The CN value of the ipsec-service-cert.pem MUST be the exact
> DNS resolvable domain of your IPsec server!!!
>
> Copy the pkcs12 file ipsec-clients.p12 to the Windows 7 machine, and
> install it as shown on
> https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
>
> On the stateful firewall of my server I opened UDP ports 500 and 4500, but
> this was not sufficient. A major obstacle was that the Windows client
> sends packet fragments (without port numbers), and I have to let them
> through the firewall too. On FreeBSD, I am using ipfw, and the relevant
> part is:
>
> ...
> /sbin/ipfw -q add 5010 allow udp from any to me 500,4500 via $WAN in keep-state
> /sbin/ipfw -q add 5011 allow udp from any to me via $WAN in frag
> ...
>
> Best regards
>
> Rolf
>
> PS: About the L2TP/IPsec setup on a FreeBSD home server, using strongSwan
> together with mpd5, which works so very well for Mac OS X and iOS, I wrote
> a post on my blog: http://blog.obsigna.net/?p=520. As said already, forget
> Windows in this respect.
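Rolf's rules for the server certificate (CN must equal the server's DNS name, SAN carries the same name, EKU includes serverAuth and ikeIntermediate, OID 1.3.6.1.5.5.8.2.2) are easy to get wrong, so here is an added checker that is not from either poster: it reads the text dump of `openssl x509 -in cert.pem -noout -text` and reports which rule fails. The sample dump below is constructed, and the EKU labels accepted are an assumption about how openssl names those OIDs.

```python
"""Check a strongSwan IKEv2 server certificate against the Windows 7
requirements from the thread, using the text dump of
`openssl x509 -noout -text` as input (added example, not list code)."""
import re

IKE_INTERMEDIATE_OID = "1.3.6.1.5.5.8.2.2"

# Constructed sample of an `openssl x509 -text` dump (not a real certificate).
SAMPLE_TEXT = """\
Certificate:
    Data:
        Subject: C = DE, O = Example, CN = example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, IP security IKE intermediate
"""


def parse_x509_text(text):
    """Pull subject CN, SAN entries and EKU names out of openssl's text dump."""
    cn = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.M)
    san = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    eku = re.search(r"Extended Key Usage:\s*\n\s*(.+)", text)
    return {
        "cn": cn.group(1).strip() if cn else None,
        "san": [s.strip() for s in san.group(1).split(",")] if san else [],
        "eku": [e.strip() for e in eku.group(1).split(",")] if eku else [],
    }


def check_win7_ikev2_server_cert(text, server_fqdn):
    """Return a list of problems; an empty list means the cert meets the rules."""
    info = parse_x509_text(text)
    problems = []
    if info["cn"] != server_fqdn:
        problems.append(f"CN {info['cn']!r} != server FQDN {server_fqdn!r}")
    if f"DNS:{server_fqdn}" not in info["san"]:
        problems.append(f"SAN lacks DNS:{server_fqdn}")
    eku = set(info["eku"])
    # Assumed openssl labels; the numeric OID is accepted for unknown OIDs.
    if not eku & {"TLS Web Server Authentication", "serverAuth"}:
        problems.append("EKU lacks serverAuth")
    if not eku & {"IP security IKE intermediate", "ipsecIKEIntermediate",
                  IKE_INTERMEDIATE_OID}:
        problems.append("EKU lacks ikeIntermediate (1.3.6.1.5.5.8.2.2)")
    return problems


if __name__ == "__main__":
    print(check_win7_ikev2_server_cert(SAMPLE_TEXT, "example.com"))
```

Run it against the real dump with `openssl x509 -in ipsec-service-cert.pem -noout -text` piped into a file, passing the FQDN the Windows client will dial.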
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
