linux
mphys, 2022-03-26 16:48:47

How to set up a VPN connection in Windows 10 via IKEv2?

I'm a complete layman, I sincerely hope for help in simple words :)

On a remote server running Debian, following this guide and using strongSwan, I set up a VPN for myself. Everything works fine on iPhone and Mac; however, to connect from Windows some additional manipulations are needed, because it can't connect as is. The connection errors differ depending on the settings of the connection created in Windows.

If you create the connection the straightforward way:

(screenshot: the connection settings)
then we get a group policy mapping error:
(screenshot: the error)

In the connection properties, you can change the authentication to "Use computer certificates":
(screenshot: VPN settings)
but it really doesn't change anything.

This strongSwan manual says that "By default Windows 7 up to Windows 11 propose only the weak modp1024 Diffie-Hellman key exchange algorithm" and suggests the appropriate setting for ipsec.conf:
ike = 3des-aes128-aes192-aes256-sha1-sha256-sha384-modp1024

The fact that this particular line is what ruins things is suggested by colleagues in the comments on the original article on vc.ru:
(screenshot: the comments)
however, it didn't help me :(

From some source that I can't google anymore, I found out that the computer needs to have the root certificate that I created on the remote server. The certificate was created in *.pem format; to install it on Windows, the only thing I managed was to rename the file to *.der and double-click it. I could not create a certificate using pki in a format that Windows would digest by design. Installing the certificate in the "Trusted Root Certification Authorities" store did not help.

This article from the strongSwan manual suggests that for Windows the certificate must be generated with an additional key:
subjectAltName = DNS:<YOUR_VPS_IP>
but alas, this did not help me either.

At the end of the manual already mentioned above there are links, including to Configuring strongSwan for Windows clients for the case when the Windows client is "Using Passwords with EAP-MSCHAPv2", but it suggests configuring the swanctl.conf file, and I already have the configuration in ipsec.conf; my qualifications are not enough to understand how one relates to the other :(

In general, that is the rather disparate set of facts; I am really asking the gurus for help.

Why didn't I buy a preconfigured server?
Yes
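As an added example (not from the question, the answers, or the strongSwan project), a small POSIX sh pre-flight script covering the two points the question turns on: whether the `ike=` proposal in ipsec.conf contains the modp1024 group that the quoted manual says Windows offers by default, and whether the certificate files copied to the Windows machine are in DER form and carry a subjectAltName. The function names are hypothetical, the file names are placeholders, and the conversion and SAN checks assume `openssl` is installed.

```shell
#!/bin/sh
# Added example, not from the question or the strongSwan docs.
# Assumes POSIX sh; pem_to_der and cert_has_san additionally assume openssl.

# 1. Does an ipsec.conf "ike=" proposal contain modp1024, the DH group the
#    strongSwan manual says Windows proposes by default? 0 = yes, 1 = no.
ike_proposal_windows_ok() {
    proposal=$1
    for alg in $(printf '%s' "$proposal" | tr '-' ' '); do
        [ "$alg" = "modp1024" ] && return 0
    done
    return 1
}

# 2. Pull the first "ike = ..." value out of an ipsec.conf file,
#    dropping a trailing "!" (strict-proposal marker) if present.
ike_line_from_conf() {
    sed -n 's/^[[:space:]]*ike[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 | sed 's/!$//'
}

# 3. Convert a PEM certificate to DER. Windows' import dialog opens a DER
#    file on double-click; merely renaming .pem to .der does not convert it.
pem_to_der() {
    openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
}

# 4. Check that a server certificate carries a subjectAltName extension,
#    which the Windows client compares with the address typed into the
#    VPN connection.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# Constructed samples: the proposal line quoted in the question, and one
# without modp1024 that Windows' default policy would not match.
ike_proposal_windows_ok "3des-aes128-aes192-aes256-sha1-sha256-sha384-modp1024" \
    && echo "proposal offers modp1024: Windows default policy can match it"
ike_proposal_windows_ok "aes256-sha256-modp2048" \
    || echo "proposal lacks modp1024: Windows default policy will not match"
```

Run `pem_to_der ca.pem ca.der` and `cert_has_san server.pem` against your own files (placeholder names) before copying the CA certificate to the Windows machine.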


4 answer(s)
AlexVWill, 2022-03-26
@AlexVWill

The certificate file may have been imported incorrectly.
Here is a 100% working manual; it has a section for Windows 10: https://www.digitalocean.com/community/tutorials/h...

ewgenc, 2022-03-27
@ewgenc

What didn't suit you about Outline? It installs in two clicks, and it is convenient for distributing keys across devices.

ValdikSS, 2022-03-27
@ValdikSS

Here is my article from 2015, at least at that time, Windows connected to such a server without additional configuration.
https://habr.com/en/post/250859/

CityCat4, 2022-03-28
@CityCat4

Here in the comments there is a link to an article that describes building a Windows-Mikrotik and a Windows-Linux tunnel. There, the whole problem is basically that you need to generate certificates for each computer and distribute them, and convincing the user to put a certificate into the computer store is another quest. But once you get past that, everything takes off (if there are no other certificates in the computer store).
Yes, "use computer certificates" is the only working option, and it does not require any shamanistic actions with the case.
