Super Freeswan and Windows XP
Wanted to throw out WPA for several reasons, I switched to IPSEC for my wireless network which includes a Windows XP machine… This is just a quick reference for myself so I don’t have to figure it out all over again when I add a Windows machine to the network.
On the Freeswan box
- Edit openssl config to increase number of bits and expiry time.
- Use CA.sh to create a root certificate. (by default in ./demoCA)
- Lower expiry time back down a bit in openssl config.
- Create a new client (and also one for the server) certificate: CA.sh -newreq (use a pass phrase)
- Sign this certificate: CA.sh -sign
- Rename newcert.pem to something client specific (clientcert.pem in this example). (You might also want to keep newreq.pem..)
- Create a PKCS12 file for Windows: openssl pkcs12 -export -in clientcert.pem -inkey newreq.pem -certfile demoCA/cacert.pem -out client.p12
- Extract the subject, you’ll need it for ipsec.conf: openssl x509 -in clientcert.pem -inform pem -noout -subject
Put stuff in ipsec.conf:
config setup interfaces="ipsec0=eth1″ klipsdebug=none plutodebug=control plutoload=%search plutostart=%search uniqueids=yes conn %default keylife=70m keyingtries=3 disablearrivalcheck=no authby=rsasig ike=aes-md5,aes-sha,3des-md5,3des-sha esp=aes128-md5,aes128-sha1,3des-md5,3des-sha1 dpddelay=120 dpdtimeout=370 dpdaction=clear compress=yes leftrsasigkey=%cert rightrsasigkey=%cert conn client right=192.168.1.12 rightid="C=NL, ST=NH, L=PURMEREND, O=NiElS, OU=CLIENT, CN=Niels Peen, E=ni [email protected]” rightca="/C=NL/ST=NH/L=PURMEREND/O=NiElS/CN=Niels Peen/[email protected]” left=192.168.1.9 leftsubnet=0.0.0.0/0 leftcert=/etc/ipsec.d/certs/servercert.pem leftca=%same pfs=yes
You will notice that in the subject emailAddress has been replace with E.
On the Windows box
- (Win)SCP the P12 file to the Windows machine.
- Start “MMC”
- You begin with an empty console. Now add some plugins: (names may vary as I translate them from the Dutch Windows version)
- Certificates -> Computer Account -> Local machine
- Certificates -> User Account
- IP Security Monitor
- IP Policy Management -> This Computer
You now have a useful MMC profile. Save it.
- Go to Certificates (Local machine), right click -> All tasks -> Import
- Now import the P12 file, it will ask you for the password. Turn on the exportable option and set the archive to “automatic”. Your certificate should now be imported.
- Now we’ll create a security policy.
- Give it a name, like “ipsec all traffic”.
- Disable the default rule and the the properties dialog pop-up.
We now have a rules Window. * Disable the Wizard.
We’ll be adding two rules. One for client to server and one for server to client. I’ll describe one procedure. The differences are only the Source an Destination address and the Tunnel endpoint. This will make sense once you run into them :)
- Add a rule. (assuming client to server).
- In filter tab, add a filter.
- Disable wizard.
- Name it “client to server”.
- Hit “add”.
- Set Source to “My address”, set Destination to “Any address” and disable mirroring.
- In the description type “client to server”, and close the filter properties dialog and the rule properties dialog. Select the just made filter.
- Go to filter action tab. Disable Wizard and hit “Add”. We only do this one once, you can use it in both the “client to server” and the “server to client” rules.
- Select “Negotiate” and hit Add.
- Select “Custom” and configure it for SHA1, 3DES. Turn off AH. Turn on the session key settings. Defaults are fine. Close dialogs until we’re back in filter properties. Turn off non-secure traffic and enable PFS.
- In the general tab, name this “ipsec crypto”. Close dialog.
- Back in the filter action tab select the just made “ipsec crypto”.
- Go to verification methods. Add one using our imported certificate. Remove kerberos.
- Set type of connection to “All”.
- Set tunnel endpoint to the servers address.
Now do the same for a server to client rule. Back in first dialog, go to the common tab and enable PFS using the Advanced button.
Back in MMC enable the ipsec all traffic policy. Encryption should now take place!