[Swan] Options for Windows clients

Paul Wouters paul at nohats.ca
Thu Dec 31 01:07:00 UTC 2020


On Dec 30, 2020, at 19:18, Alex <mysqlstudent at gmail.com> wrote:
> 
> 
> 
> So I want to do something like this with certutil?
> 
>       --extSAN type:name[,type:name]...
>           Create a Subject Alt Name extension with one or multiple names.
> 
>           -type: directory, dn, dns, edi, ediparty, email, ip,
> ipaddr, other, registerid, rfc822, uri, x400, 

In general yes.


> Also, I believe it was mentioned that /var/lib/ipsec/nss was the new
> default location, but certutil still requires -d to explicitly define
> that location. ipsec does not.

It’s the new libreswan location, yes. certutil is a tool from the nss package and it has no “default” (maybe the current directory).


> 
>> As I wrote in one of my previous replies, either you provide Windows
>> access to a proper DNS record, or you may configure the corresponding IP
>> address in C:\Windows\system32\drivers\etc\hosts
> 
> The process of creating the win10 cert on the libreswan page doesn't
> specify anything about the server in the certutil process. Here is my
> certutil:
> 
> certutil -S -c "Example CA" -n "win10client.example.com" \
>        -s "O=Example,CN=win10client.example.com" -k rsa \
>        -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 \
>        "win10client.example.com"

Why use /etc/ipsec.d if your libreswan uses /var/lib/ipsec/nss ?


> That hostname doesn't resolve to anything. There's no way of knowing
> what its IP will be at the time it connects, of course. Should I
> instead be using the VPN server hostname for CN there instead?

It’s fine for the clients to have a non-resolvable hostname.

> Do you mean the internal 192.168.1.1 address, so it's on the same
> network as the Windows PC at 192.168.1.35? Eventually I'll need to do
> this over the Internet, of course...

You CANNOT connect to the VPN server from the same subnet as the VPN server is in. Use your phone on LTE as a hotspot for testing your Windows client if you need to.

> 
> Got it. I've updated it to reflect that now.
> Set-VpnConnectionIPsecConfiguration -ConnectionName ikev2-cp `
>     -EncryptionMethod AES256 -DHGroup Group14 -IntegrityCheckMethod SHA384 `
>     -PfsGroup PFS2048 -AuthenticationTransformConstants SHA256128 `
>     -CipherTransformConstants AES256

That seems good.

> 
>> Windows probably stops because of the issue above, or because it doesn't
>> recognize the reply from libreswan because of the issue below.
> 
> Is there any chance it produced some kind of error that more precisely
> defined the problem that maybe I missed?

The main issue was likely connecting from the same LAN. It would implode the tunnel, so it seems Windows refuses it.

Paul
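The certutil procedure discussed above, worked through end to end as an added example (it is not code from this thread or from the libreswan project): an NSS database is created, a CA is self-signed, a server certificate and a Windows client certificate are issued with --extSAN instead of the interactive -8 prompt, the SAN is checked in the issued certificates, and the client is exported as PKCS#12 for import on Windows. The hostnames, the PKCS#12 password and the scratch directory are assumptions; on the real server the database is /var/lib/ipsec/nss, passed with -d sql:/var/lib/ipsec/nss.

```shell
#!/bin/sh
# Added example, not from the thread or from libreswan. Builds a CA, an IKEv2
# server cert and a Windows client cert with certutil, each with a Subject Alt
# Name, then exports the client as PKCS#12. Hostnames, the PKCS#12 password and
# the scratch directory are assumptions; the real libreswan database is
# /var/lib/ipsec/nss (use -d sql:/var/lib/ipsec/nss there).
set -eu

CA_NICK="Example CA"
SERVER_FQDN="vpn.example.com"          # name Windows connects to (DNS or hosts file)
CLIENT_FQDN="win10client.example.com"  # need not resolve anywhere
P12_PASS="changeit"                    # assumption; Windows asks for it on import

# Empty NSS database in a scratch directory plus a noise file for key generation.
make_db() {
    DB="$1"
    mkdir -p "$DB"
    head -c 2048 /dev/urandom > "$DB/noise"
    certutil -N -d "sql:$DB" --empty-password
}

# Self-signed CA. -2 (basic constraints) is interactive; the printf answers
# "is CA: y", "path length: (skip)", "critical: y".
make_ca() {
    DB="$1"
    printf 'y\n\ny\n' | certutil -S -d "sql:$DB" -z "$DB/noise" \
        -n "$CA_NICK" -s "O=Example,CN=$CA_NICK" -x -t "CT,," \
        -k rsa -g 3072 -Z SHA256 -v 120 -m 1 -2 \
        --keyUsage critical,certSigning,crlSigning >/dev/null
}

# End-entity certificate signed by the CA. $4 is the extended key usage
# (serverAuth or clientAuth), $5 the serial. --extSAN dns:<fqdn> replaces the
# interactive -8 prompt; for the server it must match the name Windows uses.
make_cert() {
    DB="$1"; NICK="$2"; FQDN="$3"; EKU="$4"; SERIAL="$5"
    certutil -S -d "sql:$DB" -z "$DB/noise" -c "$CA_NICK" \
        -n "$NICK" -s "O=Example,CN=$FQDN" -t ",," \
        -k rsa -g 3072 -Z SHA256 -v 36 -m "$SERIAL" \
        --keyUsage digitalSignature,keyEncipherment \
        --extKeyUsage "$EKU" --extSAN "dns:$FQDN" >/dev/null
}

# True if the issued certificate carries the expected DNS SAN.
has_san() {
    certutil -L -d "sql:$1" -n "$2" | grep -q "DNS name: .*$3"
}

# Key + certificate + CA chain for import into the Windows machine store
# (Cert:\LocalMachine\My); the CA itself also goes into LocalMachine\Root.
export_p12() {
    pk12util -o "$3" -n "$2" -d "sql:$1" -K '' -W "$P12_PASS" >/dev/null
}

build_all() {
    DB="$1"
    make_db "$DB"
    make_ca "$DB"
    make_cert "$DB" "$SERVER_FQDN" "$SERVER_FQDN" serverAuth 2
    make_cert "$DB" "$CLIENT_FQDN" "$CLIENT_FQDN" clientAuth 3
    has_san "$DB" "$SERVER_FQDN" "$SERVER_FQDN"
    has_san "$DB" "$CLIENT_FQDN" "$CLIENT_FQDN"
    export_p12 "$DB" "$CLIENT_FQDN" "$DB/$CLIENT_FQDN.p12"
}

# Usage: sh thisfile.sh run [scratch-dir]
if [ "${1:-}" = "run" ]; then
    build_all "${2:-/tmp/swan-demo-nss}"
    echo "client bundle: ${2:-/tmp/swan-demo-nss}/$CLIENT_FQDN.p12"
fi
```

The server certificate's SAN is the name Windows will compare against the address it was given in the VPN connection, which is why the thread insists on a resolvable DNS record or a hosts-file entry for it; the client's SAN only has to be unique and match what the libreswan connection expects as its ID. Serial numbers are set explicitly with -m so that certificates issued in quick succession cannot collide.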

