
I’m trying to set up an IPSec/IKEv2 VPN server for road warriors on my EdgeRouter 6P, which has Linux strongSwan 5.6.3 on board, with Active Directory CA as TRUSTED ROOT CA and Microsoft NPS as RADIUS for authentication, both installed on a Domain Controller with a FQDN.

In the last few days I’ve collected some information about the procedure (I’ll leave the links I found at the end of this post), and I now have some guidelines for the tunnel configuration, but my biggest concern is about certificates; I have to stick to our enterprise CA for centralized management.

I understood that I need a trusted CA which will sign the VPN server and client certificates, and its (CA) certificate must be installed in the clients' keychains. I have AD CA installed on my Domain Controller and I have a few questions:

  • I’ve followed a tutorial regarding the creation of an IPSEC certificate template under the AD CA, but I’m not completely sure about the parameters, since I could not find a guide involving Microsoft IPSEC certificates for strongSwan.
  • I see different file extension types, like .cert, .pem, .p12, etc. Which one should I use?
  • Will AD CA wait for a certificate request and then deploy it? Or do I have to create the client and server certificates from the AD CA Windows Server interface?
  • Some tutorials explain that a certificate must be created for each client, others create just one certificate for the server... so what are all the possible ways of authentication?

I’m pretty much confused, as you can see, about certificate deployment, and I could not find any explanation about strongSwan related to Microsoft AD CA.

It would be great to find someone who can explain the concepts I'm lacking about certificate types and different CAs, and clarify this part of the procedure for strongSwan.

Thank you in advance!

  • Road Warrior IKEv2 VPN Server
  • Road Warrior VPN (IPSEC, Win7+ out-of-box)
  • Road Warrior IPsec VPN (IKEv2, Win7/MacOS/iOS)
  • IKEv2 Setup guide on the edgerouters
  • How to install IKEv2 VPN server on EdgeRouter or VyOS
  • IKEv2 VPN Server with an Edgerouter
  • How Can I Obtain A Certificate From A Windows Certificate Authority (CA)?
  • Legacy strongSwan Configuration

eric_

1 Answer


Here are my thoughts on this: Microsoft CA is perfectly fine for issuing IPsec certificates. You can just prepare a template and have the road warriors automatically get the issued certificates deployed on their Windows machines via Group Policy when they are in the office.

In this case the file extension is also something to ignore. In case you are dealing with a Linux/Unix environment, I'd always suggest using the PEM format (Base64-encoded certificate information, the one with BEGIN and END CERTIFICATE at the top and bottom).
DER format also works on Linux/Unix, but it's much harder to spot formatting issues while taking a look at it in a text editor.
So please, let us all not mix up the file extension (something you could completely ignore under Linux/Unix) and the file structure/format it contains.

The creation of certificates with the Microsoft CA can be done, as described before, via templates and be automated for Windows, or can be done manually in the MMC or over a web interface (https://server.name.tld/certsrv/, best to use IE for that...), where you could just throw in your server-side generated CSR and, in return, get a fresh certificate signed by your own CA.

Generating one certificate per user is always recommended in case one laptop gets lost/stolen. Then you'd only have to revoke and reissue one certificate for one user.
Imagine if every user got the same certificate, and one loses his device. You'd have to hand a new certificate to each road warrior in order to restore the same level of security again.
So, no. One certificate for all users is not a good idea!

The only thing I don't know offhand is whether IPsec requires any special certificate extension, or if any certificate will fit. But I think not. AFAIK normal server certificates and user certificates work fine.

Daywalker
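As an added example (not from the answer above or from strongSwan itself): a small Python check that tells PEM from DER by looking at the bytes rather than the file extension, and converts between the two so a .cer exported by the Windows CA can be dropped into the PEM-expecting directories on the router. The sample DER blob is a constructed minimal ASN.1 SEQUENCE, not a real certificate.

```python
import base64
import re

# A PEM object is Base64 between matching BEGIN/END lines; DER is raw ASN.1.
# Windows exports ("Base-64 encoded X.509 (.CER)") use CRLF and may carry a BOM.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.S)


def der_outer_length(blob):
    """Total length of the outermost DER SEQUENCE, or None if malformed."""
    if len(blob) < 2 or blob[0] != 0x30:   # 0x30 = SEQUENCE, first byte of any cert/CSR
        return None
    first = blob[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def detect_format(blob):
    """Classify a certificate/CSR blob as 'pem', 'der' or 'unknown' by content only."""
    if blob.startswith(b"\xef\xbb\xbf"):   # strip a UTF-8 BOM some Windows tools prepend
        blob = blob[3:]
    if PEM_RE.search(blob):
        return "pem"
    if der_outer_length(blob) == len(blob):  # header + declared length must span the file
        return "der"
    return "unknown"


def der_to_pem(blob, label="CERTIFICATE"):
    """Wrap DER bytes as PEM with 64-character Base64 lines."""
    if detect_format(blob) != "der":
        raise ValueError("input is not DER")
    b64 = base64.b64encode(blob).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def pem_to_der(text):
    """Decode the first PEM object back to DER bytes (line breaks are ignored)."""
    data = text if isinstance(text, bytes) else text.encode("ascii")
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(m.group(2))


# Constructed sample: DER SEQUENCE { INTEGER 5 }, enough to exercise the parser.
SAMPLE_DER = bytes.fromhex("3003020105")
```

Run `detect_format(open(path, "rb").read())` on whatever the CA hands back; if it says "der", pass the bytes through `der_to_pem` before copying the file to the router.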