Windows Mobile 10 – Linux strongSwan

(25 May 2016)

In this test a VPN connection was established from a Windows Mobile 10 phone to an Azure virtual network via a strongSwan VPN gateway. The gateway was running in an Ubuntu Linux virtual machine. Authentication was based on certificates and EAP-TLS. The certificates were signed by the OpenSSL CA on the Azure Ubuntu server.

The following configuration settings were used:

Windows phone:

  • Lumia 550 version 1511, OS: 10.0.10586.218
  • EAP-TLS certificate authentication

strongSwan VPN gateway:

  • Azure Ubuntu Linux 14.04
  • Linux strongSwan U5.1.2/K3.19.0-58-generic
  • Virtual network: 10.7.1.0/24
  • Public ip address: yyy.yyy.yyy.yyy
  • Internal ip address: 10.7.1.4

[Figure: Lumia-AzureStrongswan]

strongSwan configuration steps:

  1. In Azure, create a virtual network with address space 10.7.1.0/24.
  2. Add Ubuntu 14.04 Linux server in the above virtual network.
  3. In the Azure Endpoints menu of the Ubuntu server enable the endpoints for UDP 500 and UDP 4500 packets:
    UDP 500: Private port 500, public port 500
    UDP 4500: Private port 4500, public port 4500
  4. In the Dashboard check the Public Virtual IP Address assigned to the Virtual Machine. Use this address as the server address in the client configuration.
  5. Connect to the Ubuntu server e.g. with Putty app from a Windows VM that is located in the same virtual network.
  6. Install strongSwan VPN gateway with command: sudo apt-get install strongswan
  7. Install EAP-TLS support with command: sudo apt-get install strongswan-plugin-eap-tls
  8. Edit IPSec and address settings in the configuration file: /etc/ipsec.conf
  9. Copy the CA certificate, strongSwan VPN gateway certificate and the Private Key file to the Ubuntu server (if not already there):
    • CA certificate to /etc/ipsec.d/cacerts
    • strongSwan VPN gateway certificate to /etc/ipsec.d/certs
    • strongSwan Private Key file to /etc/ipsec.d/private
  10. Restart the VPN service: sudo ipsec restart

In addition to the above steps, the routing settings in the Azure Virtual Network may need to be modified as discussed in the test case “Routing with Ubuntu Linux VPN Gateway”.

The following fields need to be included in the gateway certificate:
  • Gateway DNS name or ip address in subjectAltName
  • extendedKeyUsage = serverAuth, clientAuth

SAMPLE “IPSEC.CONF” IN STRONGSWAN

config setup

conn wp1
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=wpgwCert.pem
    right=%any
    rightauth=eap-tls
    rightsourceip=10.4.1.64/28
    rightsendcert=never
    eap_identity=%any
    auto=start

NOTES:
  • rightsourceip = the pool from which the clients obtain their internal ip address; it should be routable to the VPN gateway
  • wpgwCert.pem = VPN gateway certificate

SAMPLE “IPSEC.SECRETS” IN STRONGSWAN

 : RSA wpgwKey.pem "password"

NOTES:
  • wpgwKey.pem = VPN gateway Private key file (protected with a password)

Windows Phone configuration steps

  1. Create a client certificate in the same CA where the gateway certificate was signed
  2. Create a *.p12 certificate package and import it into the mobile phone
  3. Go to Settings > Network & wireless > VPN and create a VPN profile
  4. Connection name = <choose freely>
  5. Server name or address = <dns or ip address of the gateway>
  6. VPN Type = IKEv2
  7. Type of sign-in info = Certificate
  8. Username, Password = <empty>

NOTES:
  • Use the same syntax in the “Server name or address” field as in the gateway certificate subjectAltName field, either dns name or ip address.
  • Include the following fields in the client certificate:
    • subjectAltName
    • extendedKeyUsage = serverAuth, clientAuth
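
The certificate requirements above (subjectAltName matching the server address the phone will enter, extendedKeyUsage = serverAuth, clientAuth on both the gateway and the client certificate, and a *.p12 package for the phone) can be produced with the OpenSSL CA on the Ubuntu server. The script below is an added example, not code from the original page: it builds a demo CA, signs a gateway certificate and a client certificate with those fields, encrypts the gateway key so it fits the password-protected key referenced in ipsec.secrets, exports the client *.p12, and offers check functions to confirm the fields before copying the files into /etc/ipsec.d. The file names wpgwCert.pem and wpgwKey.pem follow the page's samples; the CA name, client name, passwords and gateway name are assumptions for the demo. It goes one step beyond the page by choosing `IP:` or `DNS:` for the SAN automatically, depending on whether the gateway name is a dotted-quad address.

```shell
#!/bin/sh
# Added example (not from the original page): create the CA, gateway and
# client certificates with the subjectAltName and extendedKeyUsage fields the
# test case requires, then verify them. All names/passwords are demo assumptions.
set -e

# make_certs DIR GATEWAY_NAME [CLIENT_NAME] [KEY_PASSWORD] [P12_PASSWORD]
make_certs() {
  dir=$1; gw=$2; client=${3:-lumia550}
  keypass=${4:-password}; p12pass=${5:-changeit}   # assumed demo secrets
  mkdir -p "$dir"

  # The phone must type the same form into "Server name or address" that the
  # gateway certificate carries in subjectAltName: IP: for an address, DNS: otherwise.
  case "$gw" in
    *[!0-9.]*) san="DNS:$gw" ;;
    *)         san="IP:$gw"  ;;
  esac

  # 1. Self-signed demo CA (stands in for the OpenSSL CA on the Azure Ubuntu server).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Demo VPN CA" -keyout "$dir/caKey.pem" -out "$dir/caCert.pem" 2>/dev/null

  # 2. Gateway key + CSR, signed with SAN and the serverAuth,clientAuth EKU.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$gw" \
    -keyout "$dir/wpgwKey-plain.pem" -out "$dir/wpgw.csr" 2>/dev/null
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$san" > "$dir/gw.ext"
  openssl x509 -req -in "$dir/wpgw.csr" -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/gw.ext" -out "$dir/wpgwCert.pem" 2>/dev/null
  # ipsec.secrets references a password-protected key, so encrypt the gateway key.
  openssl rsa -aes256 -in "$dir/wpgwKey-plain.pem" -out "$dir/wpgwKey.pem" \
    -passout "pass:$keypass" 2>/dev/null
  rm -f "$dir/wpgwKey-plain.pem"

  # 3. Client certificate with the same fields, packed into a .p12 for the phone.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$client" \
    -keyout "$dir/${client}Key.pem" -out "$dir/$client.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$client" > "$dir/client.ext"
  openssl x509 -req -in "$dir/$client.csr" -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/client.ext" -out "$dir/${client}Cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/${client}Key.pem" -in "$dir/${client}Cert.pem" \
    -certfile "$dir/caCert.pem" -passout "pass:$p12pass" -out "$dir/$client.p12"
}

# cert_has_eku FILE: true if the certificate carries both serverAuth and clientAuth.
cert_has_eku() {
  txt=$(openssl x509 -noout -text -in "$1") || return 1
  printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' || return 1
  printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication' || return 1
}

# cert_has_san FILE ENTRY: true if ENTRY (e.g. "DNS:gw.example.com" or
# "IP Address:203.0.113.5") appears in the subjectAltName extension.
cert_has_san() {
  openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | grep -Fq "$2"
}

# cert_chains_to FILE CAFILE: true if FILE verifies against the CA in /etc/ipsec.d/cacerts.
cert_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage when run directly:  sh make_vpn_certs.sh /tmp/pki gw.example.com
if [ "$#" -eq 2 ]; then
  make_certs "$1" "$2"
  cert_has_eku "$1/wpgwCert.pem" && cert_has_san "$1/wpgwCert.pem" "$2" \
    && echo "gateway certificate OK: SAN and EKU present"
fi
```

After running it, caCert.pem goes to /etc/ipsec.d/cacerts, wpgwCert.pem to /etc/ipsec.d/certs and wpgwKey.pem to /etc/ipsec.d/private (with the chosen key password in ipsec.secrets), and the *.p12 is imported on the phone. The check functions are worth running before `ipsec restart`: a gateway certificate that verifies against the CA but lacks the SAN form the phone uses, or lacks one of the two EKU values, is the usual reason the IKEv2 profile fails to connect.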