
Super Freeswan and Windows XP


Wanting to throw out WPA for several reasons, I switched to IPSEC for my wireless network, which includes a Windows XP machine…
This is just a quick reference for myself so I don’t have to figure it out all over again when I add a Windows machine to the network.

On the Freeswan box

  • Edit the openssl config (openssl.cnf) to increase the key size (default_bits) and the validity period (default_days).
  • Use CA.sh to create a root certificate: CA.sh -newca (it ends up in ./demoCA by default).
  • Lower the validity back down a bit in the openssl config, so client certificates expire well before the CA does.
  • Create a new client certificate request (and another one for the server): CA.sh -newreq (use a pass phrase).
  • Sign this request with the CA: CA.sh -sign (the signed certificate is written to newcert.pem).
  • Rename newcert.pem to something client specific (clientcert.pem in this example). Keep newreq.pem as well: CA.sh writes the private key into it together with the request, which is why it serves as -inkey below.
  • Create a PKCS12 file for Windows: openssl pkcs12 -export -in clientcert.pem -inkey newreq.pem -certfile demoCA/cacert.pem -out client.p12
  • Extract the subject, you’ll need it for rightid in ipsec.conf: openssl x509 -in clientcert.pem -inform pem -noout -subject (run the same on demoCA/cacert.pem to get the CA subject for rightca).

Put stuff in ipsec.conf:

config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=control
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keylife=70m
    keyingtries=3
    disablearrivalcheck=no
    authby=rsasig
    ike=aes-md5,aes-sha,3des-md5,3des-sha
    esp=aes128-md5,aes128-sha1,3des-md5,3des-sha1
    dpddelay=120
    dpdtimeout=370
    dpdaction=clear
    compress=yes
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn client
    right=192.168.1.12
    rightid="C=NL, ST=NH, L=PURMEREND, O=NiElS, OU=CLIENT, CN=Niels Peen, E=ni[email protected]"
    rightca="/C=NL/ST=NH/L=PURMEREND/O=NiElS/CN=Niels Peen/[email protected]"
    left=192.168.1.9
    leftsubnet=0.0.0.0/0
    leftcert=/etc/ipsec.d/certs/servercert.pem
    leftca=%same
    pfs=yes

You will notice that in rightid the emailAddress attribute from the OpenSSL subject line is written as E, and the slash separators become commas; rightca is the CA certificate’s subject in the slash form OpenSSL prints. The ike and esp lines are the suites this setup negotiated at the time; MD5 and 3DES are weak by today’s standards and should be dropped in favour of the SHA and AES entries on a new install.
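The certificate steps above and the rightid/rightca derivation, as an added example that is not code from the original post: it does the CA, client certificate and PKCS12 steps with plain openssl calls instead of CA.sh, then turns the resulting certificate’s subject and issuer into the two ipsec.conf lines. The subject fields, the example.net addresses and the P12 password are constructed for the example, keys are written unencrypted (-nodes) so it runs non-interactively rather than with the pass phrase used above, and the PBE/MAC options on the pkcs12 command are pinned to what Windows XP can import.

```shell
#!/bin/sh
# Added example, not code from the original post: the CA / client certificate / PKCS#12
# steps done with plain openssl commands instead of CA.sh, plus a helper that derives
# the rightid and rightca strings from the resulting certificate. Subject fields, the
# example.net addresses and the P12 password are constructed for the example; keys are
# written unencrypted (-nodes) so the script runs non-interactively, unlike the
# pass-phrase step in the post.
set -eu

CA_SUBJ="/C=NL/ST=NH/L=PURMEREND/O=NiElS/CN=Example Home CA/emailAddress=ca@example.net"
CLIENT_SUBJ="/C=NL/ST=NH/L=PURMEREND/O=NiElS/OU=CLIENT/CN=Example Client/emailAddress=client@example.net"
P12_PASS="import-me"   # constructed; this is the password Windows asks for on import

# make_client_bundle DIR: writes cacert.pem, clientcert.pem and client.p12 into DIR.
make_client_bundle() {
    dir="$1"
    mkdir -p "$dir"
    # Root CA with a bigger key and a long validity (the "increase bits and expiry" step).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "$CA_SUBJ" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # Client key + request (what CA.sh -newreq does), then sign it with the CA
    # (CA.sh -sign) for a shorter period than the CA itself.
    openssl req -new -newkey rsa:2048 -nodes -subj "$CLIENT_SUBJ" \
        -keyout "$dir/clientkey.pem" -out "$dir/clientreq.pem" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/clientreq.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/clientcert.pem" 2>/dev/null
    # PKCS#12 for the Windows box, CA certificate included. Windows XP only imports
    # PKCS#12 files that use the old SHA1/3DES PBEs and a SHA1 MAC; OpenSSL 3 defaults
    # to AES/PBKDF2/SHA-256, which XP rejects, so pin the algorithms explicitly.
    openssl pkcs12 -export -in "$dir/clientcert.pem" -inkey "$dir/clientkey.pem" \
        -certfile "$dir/cacert.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$P12_PASS" -out "$dir/client.p12"
}

# freeswan_ids CERT: prints the rightid and rightca lines for the conn section.
# rightid is the subject in comma form with emailAddress rewritten to E, as in the
# post; rightca is the issuer (the CA subject) in the slash form OpenSSL prints.
freeswan_ids() {
    cert="$1"
    # -nameopt compat gives the old "/C=NL/ST=NH/..." layout on every OpenSSL version.
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt compat | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt compat | sed 's/^issuer= *//')
    rightid=$(printf '%s\n' "$subj" | sed -e 's#^/##' -e 's#/#, #g' -e 's/emailAddress=/E=/')
    printf 'rightid="%s"\nrightca="%s"\n' "$rightid" "$issuer"
}

main() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, nothing to do" >&2
        return 0
    fi
    work=$(mktemp -d)
    make_client_bundle "$work"
    freeswan_ids "$work/clientcert.pem"
    echo "copy $work/client.p12 to the Windows box (import password: $P12_PASS)" >&2
}
main
```

Running it prints the two lines ready to paste into the conn section (rightid with E=, rightca with emailAddress, exactly the two forms shown above) and leaves client.p12 in a scratch directory. The pkcs12 line is the part worth copying even if you stay with CA.sh: a P12 written with a current OpenSSL at its defaults will simply fail to import on XP.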

On the Windows box

  • (Win)SCP the P12 file to the Windows machine.
  • Start “MMC”
  • You begin with an empty console. Now add some snap-ins (names may vary as I translate them from the Dutch Windows version):
  • Certificates -> Computer Account -> Local machine
  • Certificates -> User Account
  • IP Security Monitor
  • IP Policy Management -> This Computer

You now have a useful MMC profile. Save it.

  • Go to Certificates (Local machine), right click -> All tasks -> Import
  • Now import the P12 file, it will ask you for the password. Turn on the exportable option and set the archive to “automatic”. Your certificate should now be imported.
  • Now we’ll create a security policy.
  • Give it a name, like “ipsec all traffic”.
  • Disable the default rule and the properties dialog pop-up.

We now have a rules Window.

  • Disable the Wizard.

We’ll be adding two rules. One for client to server and one for server to client.
I’ll describe one procedure. The differences are only the Source and Destination address and the Tunnel endpoint. This will make sense once you run into them 🙂

  • Add a rule. (assuming client to server).
  • In filter tab, add a filter.
  • Disable wizard.
  • Name it “client to server”.
  • Hit “add”.
  • Set Source to “My address”, set Destination to “Any address” and disable mirroring.
  • In the description type “client to server”, and close the filter properties dialog and the rule properties dialog. Select the just made filter.
  • Go to the filter action tab. Disable the wizard and hit “Add”. We only do this once; the same action is reused in both the “client to server” and the “server to client” rules.
  • Select “Negotiate” and hit Add.
  • Select “Custom” and configure it for SHA1, 3DES. Turn off AH. Turn on the session key settings. Defaults are fine. Close dialogs until we’re back in filter properties. Turn off non-secure traffic and enable PFS.
  • In the general tab, name this “ipsec crypto”. Close dialog.
  • Back in the filter action tab select the just made “ipsec crypto”.
  • Go to verification methods (“Authentication Methods” on an English Windows). Add one that uses a certificate from our CA, which came along in the P12 via cacert.pem. Remove Kerberos.
  • Set type of connection to “All”.
  • Set the tunnel endpoint to the server’s address.

Now do the same for a server to client rule: Source “Any address”, Destination “My address”, and the tunnel endpoint is the client’s own address.
Back in the first dialog, go to the General tab and enable PFS using the Advanced button.

Back in MMC, assign the “ipsec all traffic” policy. Encryption should now take place! Check it in the IP Security Monitor snap-in on the Windows side and with ipsec auto --status on the Freeswan box.
