This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
vpn:ikedv2:windows [2020/01/01 15:02] pirata [Windows side] |
vpn:ikedv2:windows [2020/02/15 04:02] (current) pirata title |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Connect to our VPN under Windows ====== | + | ====== IKEDv2 Windows support ====== |
| ===== Server side ===== | ===== Server side ===== | ||
| OpenBSD's default **/etc/ssl/openssl.cnf** provides a very minimalist approach, especially if you plan to allow users under other Operating Systems to login. | OpenBSD's default **/etc/ssl/openssl.cnf** provides a very minimalist approach, especially if you plan to allow users under other Operating Systems to login. | ||
| - | This is what is working at the moment: | ||
| <code bash> | <code bash> | ||
| + | $ cat /etc/ssl/openssl.cnf | ||
| + | |||
| # Note that you can include other files from the main configuration | # Note that you can include other files from the main configuration | ||
| # file using the .include directive. | # file using the .include directive. | ||
| Line 174: | Line 176: | ||
| </code> | </code> | ||
| - | We had to replicate some part of **/etc/ssl/openssl.cnf** into local **openssl.cfg** in order to be able to generate proper keys and certificates that probably should work on Windows: | + | We had to replicate some part of **/etc/ssl/openssl.cnf** into local **openssl.cfg** in order to be able to generate proper keys and certificates. |
| <code bash> | <code bash> | ||
| + | $ cat openssl.cfg | ||
| + | |||
| [ vpn.ircnow.org ] | [ vpn.ircnow.org ] | ||
| keyUsage = digitalSignature,keyEncipherment | keyUsage = digitalSignature,keyEncipherment | ||
| Line 247: | Line 251: | ||
| </code> | </code> | ||
| - | After some trial and error, We managed to discover a magical combination of openssl commands that allowed us to generate all certs and keys that should work on Windows: | + | After some trial and error, We managed to discover a magical combination of openssl commands that allowed us to generate all certs and keys: |
| <code bash> | <code bash> | ||
| Line 272: | Line 276: | ||
| - Following this excellent [[https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs|guide]] from strongSwan community and import our **ca.crt**(direct links above) certificate first and then **vpnIRCNoWin.pfx** (direct links above) | - Following this excellent [[https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs|guide]] from strongSwan community and import our **ca.crt**(direct links above) certificate first and then **vpnIRCNoWin.pfx** (direct links above) | ||
| - Make sure: | - Make sure: | ||
| - | - Both certificates are located under **Trusted Root Certification Authorities** > **Certificates** | + | - Both certificates are located under **Trusted Root Certification Authorities** > **Certificates** |
| - | - Password of our private key is **gad03efbanxg5yby** | + | - Password of our private key is **gad03efbanxg5yby** |
| - | + | - Configure an IKEDv2 connection using this [[http://www.carbonwind.net/blog/post/VPN-Reconnect-in-Windows-7-RC-redux.aspx|guide]] if you don't know how to do that | |
| - | - Configure an IKEDv2 connection using this [[http://www.carbonwind.net/blog/post/VPN-Reconnect-in-Windows-7-RC-redux.aspx|guide]] if you don't know how to do that | + | - Make sure: |
| - | - Make sure: | + | - Under Security tab, type of VPN is **IKEv2** |
| - | - Under Security tab, type of VPN is **IKEv2** | + | - Authentication is **EAP + Secure password (EAP-MSCHAPv2)** |
| - | - Authentication is **EAP + Secure password (EAP-MSCHAPv2)** | + | - Under general tab, host name is **vpn.ircnow.org** |
| - | - Under general tab, host name is **vpn.ircnow.org** | + | |
| Last thing: | Last thing: | ||