strongSwan Configuration for Windows Machine Certificates

Connection Definition

The following win connection definition in swanctl.conf allows multiple Windows clients using machine certificates to connect to the strongSwan VPN gateway.

connections {
  win {
    pools = ipv4, ipv6

    local {
      auth = pubkey
      certs = gatewayCert.pem
      id = vpn.strongswan.org
    }
    remote {
      auth = pubkey
      cacerts = strongsecCaCert.der
    }
    children {
      win {
        local_ts = 0.0.0.0/0, ::/0
      }
    }
  }
}

pools {
  ipv4 {
    addrs = 10.10.1.64/26
    dns = 10.10.0.1
  }
  ipv6 {
    addrs = 2a02:168:4407:1::/122
  }
}
aes256-sha256-modp2048 for IKE and aes256-sha1-modp2048 for ESP are the strongest proposals the Windows client is able to offer unless PowerShell is used. These proposals are not explicitly configured here to accept stronger algorithms proposed by such and other clients via strongSwan’s default proposals.
pools = ipv4, ipv6

The gateway assigns an IPv4 and and IPv6 virtual IP address from the pools ipv4 and ipv6 pools, respectively. These two pools are defined in a separate pools section. The IPv4 and IPv6 lease ranges are 10.10.1.64/26 and 2a02:168:4407:1::/122, respectively. An internal IPv4 DNS server 10.10.0.1 is defined as well. The assigned virtual IP addresses and internal DNS server information will be sent to the Windows Client via the IKEv2 Configuration Payload (CP).

local.certs = gatewayCert.pem

The X.509 certificate of the VPN gateway is stored in the /etc/swanctl/x509 directory. The matching private key of the VPN gateway can either be of type RSA or ECDSA and is stored in the corresponding subdirectory in /etc/swanctl/.

local.id = vpn.strongswan.org

The IKEv2 ID of the VPN gateway. It must be contained as a subjectAltName in the gateway certificate.

remote.cacerts = strongsecCaCert.der

Any Windows client with a valid X.509 certificate issued by the strongSec CA will be accepted. The CA certificate is stored in the /etc/swanctl/x509ca directory.

children.win.local_ts = 0.0.0.0/0, ::/0

All IPv4 and IPv6 traffic will be tunneled from the Windows client to the strongSwan VPN gateway (no split-tunneling use case).

Single Windows Client

If only a single Windows client is allowed to connect to the strongSwan VPN gateway then the subjectDistinguishedName (DN) of that client can be added as a restriction to the connection definition.

    remote {
      auth = pubkey
      cacerts = strongsecCaCert.der
      id = "C=CH, O=strongSec GmbH, CN=mijas.strongsec.com"
    }