Windows 10 laptop – Azure strongSwan VPN

(10 Jan 2017)

In this test a VPN connection was established from a Windows 10 laptop to an Azure virtual network through a strongSwan VPN gateway running in an Ubuntu Linux virtual machine. The gateway authenticated itself with a certificate, and the Windows client was authenticated with EAP-MSCHAPv2 credentials. The certificates were signed by an OpenSSL CA on the Azure Ubuntu server.

The following configuration settings were used:

Windows laptop:

  • Windows 10 version 1607, OS Build: 14393
  • Windows in-built VPN Client

strongSwan VPN gateway:

  • Resource Manager mode
  • Azure Ubuntu Linux 16.04 virtual machine
  • Linux strongSwan U5.3.5/K4.4.0-57-generic
  • Virtual network: 10.1.0.0/24
  • Public ip address: yyy.yyy.yyy.yyy (created when setting up the virtual machine)
  • Internal ip address: 10.1.0.5

[Figure: win10_strongswan]


strongSwan configuration steps:

  1. In the Azure new portal, create an Ubuntu 16.04 Linux virtual machine.
  2. Select the virtual network and assign a public ip address for the virtual machine.
  3. In the Network Security Group, select Settings > Inbound Security Rules and add the UDP 500 and UDP 4500 inbound rules with action “Allow”:
    UDP 500: Private port 500, public port 500
    UDP 4500: Private port 4500, public port 4500
  4. In the Virtual Machine Overview menu check the Public Virtual IP Address assigned to the Virtual Machine. Use this address as the server address in the client configuration.
  5. Connect to the Ubuntu server, e.g. with PuTTY.
  6. Install strongSwan VPN gateway with command: sudo apt-get install strongswan
  7. Install EAP-MSCHAP support with command: sudo apt-get install strongswan-plugin-eap-mschapv2
  8. Edit IPSec and address settings in the configuration file: /etc/ipsec.conf
  9. Copy the CA certificate, strongSwan VPN gateway certificate and the Private Key file to the Ubuntu server (if not already there):
    • CA certificate to /etc/ipsec.d/cacerts
    • strongSwan VPN gateway certificate to /etc/ipsec.d/certs
    • strongSwan Private Key file to /etc/ipsec.d/private
  10. Restart the VPN service: sudo ipsec restart

In addition to the above steps, the routing settings in Azure Virtual Network may need to be modified as discussed in the test case Routing with Ubuntu Linux VPN Gateway (Resource Manager mode).

NOTES:

The following fields need to be included in the gateway certificate:
  • Gateway DNS name or ip address in subjectAltName
  • extendedKeyUsage = serverAuth, clientAuth
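The two certificate fields listed above are the ones a Windows IKEv2 client checks before it trusts the gateway, and the easiest way to get them wrong is to sign the gateway certificate without an extension file. The script below is an added example, not part of the original test report or of strongSwan: it builds a throw-away CA and a gateway certificate with OpenSSL, then checks any certificate for the subjectAltName and the serverAuth/clientAuth extendedKeyUsage. It assumes openssl is on PATH; "vpn.example.com" is a placeholder gateway name, and GWCert.pem/GWKey.pem only follow the file names used on this page.

```shell
#!/bin/sh
# Added example, not part of the original test report: build a throw-away CA and
# a gateway certificate that carries the two fields listed above, then check a
# certificate for them. Assumes openssl is on PATH; "vpn.example.com" and the
# file names are placeholders (GWCert.pem/GWKey.pem follow the page's naming).
set -e

# make_gateway_cert DIR NAME WITH_EXTS
#   Writes caCert.pem, GWKey.pem and GWCert.pem into DIR. WITH_EXTS=1 adds
#   subjectAltName and extendedKeyUsage; WITH_EXTS=0 leaves them out, which
#   reproduces the usual mistake the notes above warn about.
make_gateway_cert() {
  dir=$1; name=$2; with_exts=$3
  # Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
  cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl genrsa -out "$dir/caKey.pem" 2048 2>/dev/null
  openssl req -x509 -new -config "$dir/openssl.cnf" -key "$dir/caKey.pem" \
    -days 3650 -subj "/CN=Test VPN CA" -out "$dir/caCert.pem"
  openssl genrsa -out "$dir/GWKey.pem" 2048 2>/dev/null
  openssl req -new -config "$dir/openssl.cnf" -key "$dir/GWKey.pem" \
    -subj "/CN=$name" -out "$dir/gw.csr"
  # Extensions are attached when the CA signs, so the CA decides them, not the CSR.
  {
    echo "basicConstraints = CA:FALSE"
    echo "keyUsage = digitalSignature, keyEncipherment"
    if [ "$with_exts" = 1 ]; then
      echo "subjectAltName = DNS:$name"
      echo "extendedKeyUsage = serverAuth, clientAuth"
    fi
  } > "$dir/gw.ext"
  openssl x509 -req -in "$dir/gw.csr" -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" \
    -CAcreateserial -days 825 -extfile "$dir/gw.ext" -out "$dir/GWCert.pem" 2>/dev/null
}

# check_gateway_cert CERT CA NAME
#   Exit 0 only if CERT chains to CA, lists NAME in subjectAltName and has both
#   serverAuth and clientAuth in extendedKeyUsage; prints what is missing otherwise.
check_gateway_cert() {
  cert=$1; ca=$2; name=$3; rc=0
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "$cert: does not chain to $ca"; rc=1; }
  text=$(openssl x509 -in "$cert" -noout -text)
  printf '%s\n' "$text" | grep -q "DNS:$name" || { echo "$cert: subjectAltName lacks DNS:$name"; rc=1; }
  printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" || { echo "$cert: extendedKeyUsage lacks serverAuth"; rc=1; }
  printf '%s\n' "$text" | grep -q "TLS Web Client Authentication" || { echo "$cert: extendedKeyUsage lacks clientAuth"; rc=1; }
  return $rc
}

# Stand-alone demo: the certificate built with the extensions passes, the one without does not.
demo=$(mktemp -d)
make_gateway_cert "$demo" vpn.example.com 1
check_gateway_cert "$demo/GWCert.pem" "$demo/caCert.pem" vpn.example.com && echo "GWCert.pem: has the required fields"
make_gateway_cert "$demo" vpn.example.com 0
check_gateway_cert "$demo/GWCert.pem" "$demo/caCert.pem" vpn.example.com || echo "GWCert.pem: rejected"
rm -rf "$demo"
```

If the gateway is addressed by IP rather than DNS name, put `IP:<address>` in the subjectAltName line instead of `DNS:` and adjust the grep accordingly; whichever form is used must match what is typed into the Windows "Server name or address" field. Running check_gateway_cert against the certificate copied to /etc/ipsec.d/certs is a quick way to rule out the certificate before looking at the strongSwan logs.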

SAMPLE “IPSEC.CONF” IN STRONGSWAN

config setup

conn wp1
    leftsubnet=10.1.0.0/24
    leftauth=pubkey
    leftcert=GWCert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.1.1.64/28
    rightsendcert=never
    eap_identity=%any
    auto=start


NOTES:
  • rightsourceip = pool from which the clients obtain the internal ip address, should be routed via the VPN gateway
  • GWCert.pem = VPN gateway certificate

SAMPLE “IPSEC.SECRETS” IN STRONGSWAN

: RSA GWKey.pem "password"
user : EAP "abcd1234"


NOTES:
  • GWKey.pem = VPN gateway Private key file (protected with a password)
  • define the usernames and passwords in this file, e.g. user/abcd1234 in the above sample
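Two things go wrong with these files in practice: ipsec.conf parameters pasted without indentation (strongSwan expects section names in column 0 and every parameter indented beneath them, so a flat paste does not load as intended), and an ipsec.secrets that is readable by every local user even though it holds the EAP passwords in clear text. The script below is an added example for both the ipsec.conf and the ipsec.secrets samples above; it is not part of the original report or of strongSwan. It lints a configuration file for the indentation rule and for a pubkey conn that names no leftcert, and checks the permissions of a secrets file. The sample file contents it writes are constructed copies of the samples on this page.

```shell
#!/bin/sh
# Added example, not part of the original report or of strongSwan: a lint for the
# two files above. strongSwan expects section headers in column 0 and every
# parameter indented beneath them, and ipsec.secrets holds the EAP passwords in
# clear text. File names and contents below are constructed for the demo.
set -e

# lint_ipsec_conf FILE
#   Exit 0 if every parameter sits indented under a section and each conn using
#   leftauth=pubkey also names a leftcert; prints every problem otherwise.
lint_ipsec_conf() {
  awk '
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    /^[^ \t]/ {                                   # column 0: must be a section header
      if ($0 !~ /^(config setup|conn [^ \t]+|ca [^ \t]+|include )/) {
        printf "line %d: \"%s\" starts in column 0 and would be read as a section, not a parameter\n", NR, $0
        bad++
      }
      sec = $0; next
    }
    /^[ \t]+[A-Za-z_]+[ \t]*=/ {                  # indented key=value line
      i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      p[sec, k] = v; next
    }
    { printf "line %d: cannot parse: %s\n", NR, $0; bad++ }
    END {
      for (key in p) { split(key, parts, SUBSEP); if (parts[1] ~ /^conn /) conns[parts[1]] = 1 }
      for (c in conns) {
        if (p[c, "leftauth"] == "pubkey" && !((c, "leftcert") in p)) {
          printf "%s: leftauth=pubkey but no leftcert\n", c; bad++
        }
        if (p[c, "rightauth"] ~ /^eap/ && !((c, "eap_identity") in p))
          printf "%s: warning: rightauth=%s without eap_identity (the sample uses %%any)\n", c, p[c, "rightauth"]
      }
      exit bad ? 1 : 0
    }' "$1"
}

# check_secrets_perms FILE
#   Exit 0 only if FILE is not readable by group or others (mode ?00).
check_secrets_perms() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD stat
  tail2=$(printf '%s' "$mode" | tail -c 2)
  if [ "$tail2" != "00" ]; then
    echo "$1: mode $mode is readable by group or others, use chmod 600"; return 1
  fi
}

# write_indented_sample FILE: constructed copy of the ipsec.conf sample above with
# its parameters indented under "conn wp1" as strongSwan requires.
write_indented_sample() {
  cat > "$1" <<'EOF'
config setup
conn wp1
    leftsubnet=10.1.0.0/24
    leftauth=pubkey
    leftcert=GWCert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.1.1.64/28
    rightsendcert=never
    eap_identity=%any
    auto=start
EOF
}

# write_flat_sample FILE: the same lines with the indentation stripped, i.e. the
# sample exactly as it renders on this page.
write_flat_sample() {
  write_indented_sample "$1"
  sed 's/^ *//' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Stand-alone demo on a temporary directory.
work=$(mktemp -d)
write_indented_sample "$work/good.conf"; write_flat_sample "$work/flat.conf"
lint_ipsec_conf "$work/good.conf" && echo "good.conf: OK"
lint_ipsec_conf "$work/flat.conf" || echo "flat.conf: rejected"
printf ': RSA GWKey.pem "password"\nuser : EAP "abcd1234"\n' > "$work/ipsec.secrets"
chmod 644 "$work/ipsec.secrets"
check_secrets_perms "$work/ipsec.secrets" || chmod 600 "$work/ipsec.secrets"
check_secrets_perms "$work/ipsec.secrets" && echo "ipsec.secrets: OK"
rm -rf "$work"
```

The lint is deliberately narrow: it knows the section types and the two parameter relationships that matter for this setup, nothing more. Run it against /etc/ipsec.conf before `sudo ipsec restart`, and keep /etc/ipsec.secrets at mode 600 owned by root, since every EAP username and password for the gateway lives there in clear text.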


Windows 10 configuration steps

  1. Go to Settings > Network > VPN, and create a VPN profile
  2. VPN Provider = Windows (built-in)
  3. Connection name = <choose freely>
  4. Server name or address = <dns or ip address of the strongSwan gateway>
  5. VPN Type = IKEv2
  6. Type of sign-in info = Username and password
  7. Username, Password = <enter the same credentials that were defined in the ipsec.secrets file above>

NOTES:
  • Use the same notation in the “Server name or address” field as in the gateway certificate subjectAltName field, either dns name or ip address.