(10 Jan 2017)
In this test a VPN connection was established from a Windows 10 laptop to an Azure virtual network via a strongSwan VPN gateway. The gateway was running in an Ubuntu Linux virtual machine. The gateway authenticated itself with a certificate, and the Windows client was authenticated with EAP-MSCHAPv2 credentials (username and password). The certificates were signed by an OpenSSL CA on the Azure Ubuntu server.
The following configuration settings were used:
- Windows 10 version 1607, OS Build: 14393
- Windows in-built VPN Client
strongSwan VPN gateway:
- Resource Manager mode
- Azure Ubuntu Linux 16.04 virtual machine
- Linux strongSwan U5.3.5/K4.4.0-57-generic
- Virtual network: 10.1.0.0/24
- Public IP address: yyy.yyy.yyy.yyy (created when setting up the virtual machine)
- Internal IP address: 10.1.0.5
strongSwan configuration steps:
- In the new Azure portal, create an Ubuntu 16.04 Linux virtual machine.
- Select the virtual network and assign a public ip address for the virtual machine.
- In the Network Security Group, select Settings > Inbound Security Rules and add inbound rules for UDP 500 and UDP 4500 with action “Allow” (IKE runs on UDP 500; UDP 4500 carries IKE and ESP with NAT traversal, which is always in use here because the Azure public IP is NATed to the VM's internal address):
UDP 500: Private port 500, public port 500
UDP 4500: Private port 4500, public port 4500
- In the Virtual Machine Overview menu check the Public Virtual IP Address assigned to the Virtual Machine. Use this address as the server address in the client configuration.
- Connect to the Ubuntu server, e.g. with PuTTY.
- Install the strongSwan VPN gateway with the command: sudo apt-get install strongswan
- Install EAP-MSCHAPv2 support with the command: sudo apt-get install strongswan-plugin-eap-mschapv2
- Edit the IPsec and address settings in the configuration file /etc/ipsec.conf (see the sample below), and define the VPN user credentials and the private key passphrase in /etc/ipsec.secrets.
- Copy the CA certificate, the strongSwan VPN gateway certificate and the private key file to the Ubuntu server (if not already there):
- CA certificate to /etc/ipsec.d/cacerts
- strongSwan VPN gateway certificate to /etc/ipsec.d/certs
- strongSwan private key file to /etc/ipsec.d/private (keep it readable by root only)
- Restart the VPN service: sudo ipsec restart, then check with sudo ipsec statusall that the certificate and the connection were loaded without errors.
In addition to the above steps, the routing settings in Azure Virtual Network may need to be modified as discussed in the test case Routing with Ubuntu Linux VPN Gateway (Resource Manager mode).
Gateway certificate requirements (X.509v3 extensions set when the OpenSSL CA signs the gateway certificate; the Windows IKEv2 client rejects the gateway without them):
- Gateway DNS name or IP address in subjectAltName, matching the “Server name or address” configured in the Windows client
- extendedKeyUsage = serverAuth, clientAuth
SAMPLE “IPSEC.CONF” IN STRONGSWAN
- rightsourceip = pool from which the clients obtain their internal IP address; this pool should be routed via the VPN gateway
- GWCert.pem = VPN gateway certificate (the file copied to /etc/ipsec.d/certs)
SAMPLE “IPSEC.SECRETS” IN STRONGSWAN
user : EAP “abcd1234”
- GWKey.pem = VPN gateway private key file (protected with a password; the passphrase is given in this file so that strongSwan can load the key)
- define the usernames and passwords in this file, e.g. user/abcd1234 in the above sample; abcd1234 is only a placeholder, so use a strong password per user and keep the file readable by root only (mode 600), since it holds plaintext credentials
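The gateway-side steps above, the certificate requirements and the two sample files worked through as one runnable setup script. This is an added example written for this page, not the page's own files or anything shipped by strongSwan: it creates a small OpenSSL CA, issues a gateway certificate carrying the subjectAltName and extendedKeyUsage listed above, checks that they are really present, and writes ipsec.conf and ipsec.secrets for the 10.1.0.0/24 network from the test. The gateway name gw.example.com, the client pool 10.1.1.0/24, the DNS server 10.1.0.4, the key passphrase and the cipher proposals are assumptions, not values from the page.

```shell
#!/bin/bash
# Added example (not the page's own files): certificates plus ipsec.conf and
# ipsec.secrets for a strongSwan IKEv2 gateway with EAP-MSCHAPv2 clients.
set -e

GW_NAME="${GW_NAME:-gw.example.com}"            # assumption: name or public IP the client dials
VNET="10.1.0.0/24"                               # Azure virtual network from the page
CLIENT_POOL="10.1.1.0/24"                        # assumption: rightsourceip pool, routed to the gateway
DNS_SERVER="10.1.0.4"                            # assumption: DNS server pushed to clients
KEY_PASS="${KEY_PASS:-change-this-passphrase}"   # assumption: passphrase protecting GWKey.pem

# strongSwan IKE identity matching the certificate SAN: an IP as-is, a DNS name with '@'.
gw_id() {
  case "$1" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) printf '%s' "$1" ;;
    *) printf '@%s' "$1" ;;
  esac
}

# make_certs <outdir> <gateway name or IP>: self-signed CA and a gateway certificate
# with the SAN and EKU extensions the Windows IKEv2 client checks.
make_certs() {
  local out=$1 gw=$2 san
  case "$gw" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) san="IP:$gw" ;;
    *) san="DNS:$gw" ;;
  esac
  mkdir -p "$out"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=VPN Test CA" \
    -keyout "$out/ca.key" -out "$out/ca.pem" 2>/dev/null
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$out/GWKey.pem" 2048 2>/dev/null
  openssl req -new -key "$out/GWKey.pem" -passin "pass:$KEY_PASS" -subj "/CN=$gw" \
    -out "$out/gw.csr" 2>/dev/null
  # Without serverAuth in the EKU and a SAN equal to "Server name or address"
  # the Windows client rejects the gateway certificate.
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$san" > "$out/gw.ext"
  openssl x509 -req -in "$out/gw.csr" -CA "$out/ca.pem" -CAkey "$out/ca.key" -CAcreateserial \
    -days 825 -extfile "$out/gw.ext" -out "$out/GWCert.pem" 2>/dev/null
}

# check_cert <cert.pem> <gateway name or IP>: fails unless EKU serverAuth and the SAN are present.
check_cert() {
  local txt san
  txt=$(openssl x509 -in "$1" -noout -text)
  case "$2" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) san="IP Address:$2" ;;
    *) san="DNS:$2" ;;
  esac
  printf '%s' "$txt" | grep -qF 'TLS Web Server Authentication' &&
    printf '%s' "$txt" | grep -qF "$san"
}

# write_ipsec_conf <path>: gateway side of the setup described on the page.
write_ipsec_conf() {
  cat > "$1" <<EOF
config setup
    uniqueids=never

conn ikev2-eap-mschapv2
    keyexchange=ikev2
    # Windows 10 proposes modp1024 by default; modp2048 needs the RasMan
    # NegotiateDH2048_AES256 registry value on the client, so both are listed.
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=$(gw_id "$GW_NAME")
    leftcert=GWCert.pem
    leftsendcert=always
    leftsubnet=$VNET
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=$CLIENT_POOL
    rightdns=$DNS_SERVER
    rightsendcert=never
    eap_identity=%identity
    auto=add
EOF
}

# write_ipsec_secrets <path> <user> <password>: key passphrase and EAP users, created mode 600.
write_ipsec_secrets() {
  ( umask 077; cat > "$1" <<EOF
: RSA GWKey.pem "$KEY_PASS"
$2 : EAP "$3"
EOF
  )
}

# install_gateway <root> <user> <password>: use root "/" on the real gateway.
install_gateway() {
  local root=$1 work
  work=$(mktemp -d)
  make_certs "$work" "$GW_NAME"
  check_cert "$work/GWCert.pem" "$GW_NAME"
  mkdir -p "$root/etc/ipsec.d/cacerts" "$root/etc/ipsec.d/certs" "$root/etc/ipsec.d/private"
  cp "$work/ca.pem" "$root/etc/ipsec.d/cacerts/"
  cp "$work/GWCert.pem" "$root/etc/ipsec.d/certs/"
  cp "$work/GWKey.pem" "$root/etc/ipsec.d/private/"
  chmod 600 "$root/etc/ipsec.d/private/GWKey.pem"
  write_ipsec_conf "$root/etc/ipsec.conf"
  write_ipsec_secrets "$root/etc/ipsec.secrets" "$2" "$3"
  echo "import $work/ca.pem into the Windows machine Trusted Root store, then: sudo ipsec restart"
}

if [ "${1:-}" = "--install" ]; then
  install_gateway / user "$(openssl rand -base64 12)"
fi
```

On the real gateway run the script as root with --install after the apt-get steps, enable forwarding with sysctl -w net.ipv4.ip_forward=1 so that clients in the pool reach the virtual network, and confirm with sudo ipsec statusall that the connection is loaded. The ca.pem it prints is the file to import on the Windows side; the generated user password is printed nowhere, so replace the --install line's arguments with the real username and password before use.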
Windows 10 configuration steps:
- Go to Settings > Network & Internet > VPN, and add a VPN connection
- VPN Provider = Windows (built-in)
- Connection name = <choose freely>
- Server name or address = <dns or ip address of the strongSwan gateway>
- VPN Type = IKEv2
- Type of sign-in info = Username and password
- Username, Password = <the same credentials that were defined in the ipsec.secrets file above>
- Use the same notation in the “Server name or address” field as in the gateway certificate subjectAltName field, either the DNS name or the IP address; the Windows client validates the gateway certificate against this field.
- Import the CA certificate that signed the gateway certificate into the Windows Local Machine > Trusted Root Certification Authorities store (the current user's store is not enough for the built-in IKEv2 client); otherwise IKE authentication fails, typically reported by Windows as error 13801.