推荐点击下面图片,通过本站淘宝优惠价购买:
https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients
Windows Clients
目录
Windows 7 and newer releases (including Windows Phone 8.1 and newer) support the IKEv2 and MOBIKE (RFC 4555) standards through Microsoft's Agile VPN functionality and are therefore able to interoperate with a strongSwan VPN gateway using these protocols.
strongSwan currently can authenticate Windows clients either on the basis of X.509 Machine Certificates using RSA signatures (case A), X.509 User Certificatesusing EAP-TLS (case B), or Username/Password using EAP-MSCHAPv2 (case C). The client does not support multiple authentication rounds (RFC 4739).
Make sure to fulfill the certificate requirements to successfully authenticate Windows clients.
A) Authentication using X.509 Machine Certificates
The strongSwan VPN gateway and each Windows client needs an X.509 certificate issued by a Certification Authority (CA). OpenSSL or pki can be used to generate these certificates.
On the Windows Client
On the strongSwan VPN Gateway
B) Authentication using X.509 User Certificates
This is very similar to case A, but certificates are stored in a user specific keystore (using smart cards is also possible in this case). The client authentication has to be done with EAP-TLS in this case. As an EAP identity exchange is needed, make sure to have the eap-identity plugin loaded.
On the Windows Client
Storing the user certificate is basically the same as storing a machine certificate simply select My user account instead of Computer account in the Certificates MMC snap-in. Actually, since this keystore is used by default, you can simply double click the certificate to install it.
Please note that the CA certificate used to authenticate the VPN gateway has still to be installed in the Computer account keystore.
On the strongSwan VPN Gateway
C) Authentication using EAP-MSCHAP v2
In order to prevent man-in-the-middle attacks the strongSwan VPN gateway always authenticates itself with an X.509 certificate using a strong RSA/ECDSA signature. After a secure communication channel has been set up by the IKEv2 protocol, the Windows clients authenticate themselves using the EAP-MSCHAPv2 protocol based on user name, optional windows domain and user password. As an EAP identity exchange is needed for this to work, make sure to have the eap-identity plugin loaded.
EAP-MSCHAPv2 requires MD4 to generate the NT-Hashes, so either the md4 plugin or one of the crypto library wrappers (OpenSSL, Gcrypt) is required. This is not needed if the authentication is delegated to an AAA server via eap-radius plugin.
Some Windows clients will always send a domain part in the user name field (e.g. Windows Phone\User). Depending on the backend used to authenticate the users the domain part may have to be stripped away (see #612-3 for an example regarding FreeRADIUS), or be included when defining the credentials (e.g. in EAP secrets in ipsec.secrets).
Important: strongSwan releases before 4.3.1 are not compatible with Windows 7 RC (Build 7100) or later, because Microsoft's EAP-MSCHAPv2 implementation changed from Beta to Release Candidate.
On the Windows Client
On the strongSwan VPN Gateway
Rekeying behavior
IKE_SA rekeying
The Windows 7 client supports IKE_SA rekeying, but can't handle unsupported Diffie Hellman groups. If a strongSwan gateway initiates IKE_SA rekeying, it must use modp1024 as the DH group in the first attempt, otherwise rekeying fails. You can achieve this by setting modp1024 as the first (or only) DH group in the gateways ike proposal.
CHILD_SA rekeying
Rekeying CHILD_SAs is also supported by the Windows 7 client. For some reason, a client behind NAT does not accept a rekeying attempt and rejects it with a Microsoft specific notify 12345, containing an error code ERROR_IPSEC_IKE_INVALID_SITUATION.
To work around the issue, let the client initiate the rekeying (set rekey=no on the server). It will do so about every 58 minutes and 46 seconds, so set the gateway rekey time a little higher. There is no way known to change the rekey time (the netsh.ras.ikev2saexpiry options affect the Windows Server implementation only).
Another option is to set no rekey time, but only a hard lifetime to delete the CHILD_SA. The client will renegotiate the SA when required.
Bugs & Features
IKEv2 Fragmentation
IKEv2 fragmentation is supported since the v1803 release of Windows 10 and Windows Server. All versions of Windows also support the proprietary IKEv1 fragmentation.
Split routing on Windows 10 and Windows 10 Mobile
Microsoft changed Windows 10 Desktop and Mobile VPN routing behavior for new VPN connections. Option "Use default gateway on remote network option" in the Advanced TCP/IP settings of the VPN connection is now disabled by default. You can enable this option on Desktop but there is no way to do this on Mobile. Fortunately, Windows sends DHCP request upon connection and add routes supplied in option 249 of DHCP reply.
Sample configuration file for dnsmasq:
Where 192.168.103.0 is your (internal) network. It pushes 2 separate routes which cover entire IPv4 range. Gateway could be anything (set to 0.0.0.0 in an example) as it's ignored by Windows.
Note that you can't ignore DHCP routes in Windows.
IPv6
Windows doesn't add an IPv6 route by default. There are two workarounds:
Add a permanent default route manually using the following or a similar command:
Where 27 is your IKEv2 interface ID.
Configure and use a router advertisement daemon (requires custom patch for strongSwan, see #817)
AES-256-CBC and MODP2048
By default, the Windows Agile VPN Client only offers AES-128-CBC, AES-192-CBC, AES-256-CBC, 3DES, SHA-1,SHA-256, SHA-384 and MODP-1024.
By creating and setting the following registry key as a DWORD key, support for MODP2048 can be enabled, disabled or enforced.
The values that can be used are 0, 1 or 2. The table tells you what the values mean.
| value | meaning |
|---|---|
| 0 (default) | disable AES-256-CBC and MODP-2048 |
| 1 | Enable AES-256-CBC and MODP-2048 |
| 2 | Enforce the usage of AES-256-CBC and MODP-2048 |
By using the Set-VpnConnectionIPsecConfiguration PowerShell cmdlet it is possible to use even more algorithms like AES-GCM and ECP DH groups (at least on Windows 10). The VPN connection may be added in the GUI or via "Add-VpnConnection" cmdlet.
Links
Adrian Dimcev's blog provides valuable information on Agile VPN connections between Windows 7 Beta and Windows Server 2008 R2 Beta.
MoPo users at the University of Freiburg can connect to a strongSwan VPN gateway using Windows 7 (in German).
Acknowledgements
Many thanks go to Edward Chang and Gleb Sechenov from the Information Security Institute (ISI) of the Queensland University of Technology(QUT) who provided the initial Windows 7 Beta and Ubuntu Linux test setup.
本文链接:https://hqyman.cn/post/563.html 非本站原创文章欢迎转载,原创文章需保留本站地址!
休息一下,本站随机推荐观看栏目:
