IPSec VPN between Linux and Windows 2012

I had to connect a Windows 2012 machine behind NAT to a CentOS 7 IPsec gateway running libreswan. No L2TP, just plain IPsec.
The Windows machine itself was not a gateway; it was connected “alone”, so in my case there was no need to use RRAS.
I found it hard to find coherent documentation on this subject on the net, so I would like to point out that this VPN connection can be made. What I really missed was some debugging facility on Windows. I remember that in the old days of Windows 2000 there was a registry key to enable ISAKMP debugging, but I did not find anything like that today.
Anyway, on Linux the ipsec.conf section is:

conn test
    left=1.2.3.4
    leftsubnet=172.16.0.0/16
    leftsourceip=172.16.20.254
    leftid=1.2.3.4
    right=5.6.7.8
    # The Windows box is behind NAT. UDP ports 500 and 4500 are forwarded
    # from 5.6.7.8 to 172.25.35.45, which is the real IP address of the machine.
    rightsubnet=172.25.35.45/32
    # The Windows box issues its real IP as its ID.
    rightid=172.25.35.45
    auto=start
    keyexchange=ike
    authby=secret
    compress=no
    phase2=esp
    pfs=no
    ikelifetime=28800s
    salifetime=3600s

Remember to use the IDs, 1.2.3.4 and 172.25.35.45, in ipsec.secrets to select the shared secret for this connection.
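For reference, this is what the matching ipsec.secrets entry looks like (an added example, not part of the original post; the key value is a placeholder and the IDs are the ones from the conn section above):

```text
# /etc/ipsec.secrets on the libreswan gateway
# <left ID> <right ID> : PSK "<shared secret>"
1.2.3.4 172.25.35.45 : PSK "REPLACE-WITH-THE-SHARED-SECRET"
```

Both IDs must appear exactly as libreswan sees them in the IKE exchange (leftid and rightid above); a mismatch here shows up on the Linux side as a failed main-mode authentication rather than a missing-secret error, so check the IDs first when the tunnel refuses to come up.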

On Windows, open Windows Firewall with Advanced Security.
Create a Custom connection security rule, using 172.25.35.45/32 as endpoint 1 and 172.16.0.0/16 as endpoint 2.
Select Require authentication for inbound and outbound connections;
select Advanced for authentication, and insert the preshared key.
Last, in the Advanced tab, select IPsec tunneling, check Use IPsec tunneling, and enter the remote tunnel endpoint, in my case 1.2.3.4.

Finally, I had to create an Inbound and an Outbound firewall rule, inserting the two endpoints 172.25.35.45 and 172.16.0.0/16 in the Scope tab. I had to select Allow the connection as the Action in the General tab.
Honestly, I thought that selecting “Allow the connection if it is secure” would be enough, since the connection comes through IPsec, but it is not. Maybe this has something to do with the fact that my Windows 2012 box is not acting as a gateway.
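The same Windows-side configuration can be scripted instead of clicked through. The following is an added example (not from the original post) using the NetSecurity module cmdlets that ship with Windows Server 2012; the addresses are the ones from this post, the rule names and the pre-shared key value are placeholders, and the last few lines are the checks I would use in place of the missing ISAKMP debug switch.

```powershell
# Added example: the Windows 2012 side of the tunnel as PowerShell, mirroring the GUI steps.
# Addresses are the ones from the post; the PSK is a placeholder and must match ipsec.secrets
# on the Linux gateway.

$LocalHost = "172.25.35.45"      # the Windows box's real (pre-NAT) address, also its IKE ID
$RemoteNet = "172.16.0.0/16"     # leftsubnet on the libreswan side
$Gateway   = "1.2.3.4"           # the libreswan gateway (remote tunnel endpoint)
$Psk       = "REPLACE-WITH-THE-SHARED-SECRET"   # placeholder value
$RuleName  = "IPsec tunnel to Linux gateway"    # hypothetical rule name

# 1. Phase 1 (main mode) authentication with a machine-level pre-shared key.
#    This is what "Advanced" authentication with a preshared key does in the GUI.
$proposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $Psk
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName "$RuleName (PSK)" -Proposal $proposal

# 2. The Connection Security Rule: tunnel mode, authentication required both ways,
#    endpoint 1 = this host, endpoint 2 = the remote subnet, remote tunnel endpoint = gateway.
#    The local tunnel endpoint is left at its default, as in the GUI steps (this host is not a gateway).
#    IKEv1 is the keying module Windows uses for pre-shared keys.
New-NetIPsecRule -DisplayName $RuleName `
    -Mode Tunnel `
    -LocalAddress "$LocalHost/32" -RemoteAddress $RemoteNet `
    -RemoteTunnelEndpoint $Gateway `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name `
    -KeyModule IKEv1 `
    -Profile Any -Enabled True

# 3. Firewall rules: a plain "Allow the connection" in both directions, scoped to the two
#    endpoints. "Allow the connection if it is secure" (-Authentication Required) was not enough here.
foreach ($dir in "Inbound", "Outbound") {
    New-NetFirewallRule -DisplayName "$RuleName ($dir)" `
        -Direction $dir -Action Allow `
        -LocalAddress $LocalHost -RemoteAddress $RemoteNet `
        -Profile Any
}

# 4. Checks: confirm the rule made it into the active policy (what the Monitoring node shows),
#    generate some traffic towards the gateway's leftsourceip, then look for the
#    main-mode and quick-mode SAs that a working tunnel leaves behind.
Get-NetIPsecRule -DisplayName $RuleName -PolicyStore ActiveStore
Test-Connection -ComputerName 172.16.20.254 -Count 2
Get-NetIPsecMainModeSA  | Where-Object RemoteEndpoint -eq $Gateway
Get-NetIPsecQuickModeSA | Where-Object RemoteEndpoint -eq $Gateway
```

If the rule is missing from the ActiveStore query, or no main-mode SA ever appears, remove the rule with Remove-NetIPsecRule and recreate it rather than editing it in place, which matches the behaviour described further down in this post.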

Another note worth mentioning: after some months, I had to change the gateway IP on the Linux side, which is referred to as 1.2.3.4 in the example above. In my case, on Windows, only editing the connection properties and changing the address was not enough: the connection was not activated, and I did not see it in Monitoring – Connection Security Rules. I had to delete it and re-create it from scratch. Disabling and re-enabling it did not work for me.

This may similarly affect rules whose other properties have been edited: if your rule does not appear in Connection Security Rules, try deleting it and creating it again.
