After 3 days of banging my head against the keyboard, I finally came up with a solution that allows my Windows 10 Professional built-in VPN client to connect to my Linux IPSec VPN server using EAP and MSCHAPv2.
I will try and detail all troubleshooting steps and errors encountered, so hopefully I can save other people some time and aggravation.
I'm sure this is not the optimal, or possibly even most secure solution, but it does connect.
Client: Windows 10 Pro 22H2 19045.3208
Server: Ubuntu with Linux Libreswan 4.6 (XFRM)
I pointed an FQDN to the IP address of my router, and then am doing port forwarding of the UDP IPSec ports. On the Ubuntu server, I made the FQDN the hostname of the machine, but locally I have it resolve to the internal IP address.
For certificates, I am using self-signed ones, which require a few extra steps on the client to get them registered.
I put the .p12 certificate on the client as well, although I'm not sure it's necessary.
https://wiki.strongswan.org/issues/2613
https://docs.strongswan.org/docs/5.9/interop/windowsCaCert.html
https://docs.strongswan.org/docs/5.9/interop/windowsMachineCert.html
pki --gen --type rsa --size 4096 --outform pem > caKey.pem
pki --self --ca --lifetime 3650 --in caKey.pem --type rsa --dn "C=CA, O=VPN Server 13801, CN=VPN Server Root CA 13801" --outform pem > caCert.pem
pki --gen --type rsa --size 4096 --outform pem > serverKey.pem
pki --pub --in serverKey.pem --type rsa | pki --issue --lifetime 3650 --cacert caCert.pem --cakey caKey.pem --dn "C=CA, O=VPN Server 13801, CN=fqdn.server.com" --san="fqdn.server.com" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
pki --gen --outform pem > clientKey.pem
pki --pub --in clientKey.pem --type rsa | pki --issue --lifetime 3650 --cacert caCert.pem --cakey caKey.pem --dn "C=CA, O=VPN Server 13801, CN=fqdn.server.com" --san="fqdn.server.com" --outform pem > clientCert.pem
openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "Server VPN Root CA 13801" -out clientCert.p12
cp serverCert.pem /etc/ipsec.d/certs/
cp caCert.pem /etc/ipsec.d/cacerts/
cp caKey.pem serverKey.pem /etc/ipsec.d/private/
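A pre-deployment check for the server certificate produced above, added here as an example and not part of the original post: the Windows built-in IKEv2 client matches the dialed host name against the certificate's subjectAltName and expects the serverAuth EKU, and ikeIntermediate is what the pki command's --flag sets for older Windows clients. It assumes the openssl CLI is installed; the file names and FQDN are the ones from the pki commands above.

```shell
# Added example: verify serverCert.pem carries the properties the Windows
# IKEv2 client checks before copying it into /etc/ipsec.d/certs/.
# usage: check_server_cert serverCert.pem fqdn.server.com [caCert.pem]
check_server_cert() {
    cert="$1"
    fqdn="$2"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "cannot parse $cert"; return 1; }
    status=0
    # The client matches the dialed name against subjectAltName DNS entries,
    # not against the subject CN, so the FQDN must appear as a SAN.
    if printf '%s\n' "$text" | grep -qF "DNS:$fqdn"; then
        echo "ok: SAN contains DNS:$fqdn"
    else
        echo "FAIL: SAN lacks DNS:$fqdn"; status=1
    fi
    # openssl prints the serverAuth EKU as "TLS Web Server Authentication".
    if printf '%s\n' "$text" | grep -qF "TLS Web Server Authentication"; then
        echo "ok: EKU has serverAuth"
    else
        echo "FAIL: EKU lacks serverAuth"; status=1
    fi
    # ikeIntermediate (OID 1.3.6.1.5.5.8.2.2) has no symbolic name in most
    # openssl builds and is printed as the dotted OID; it is advisory only.
    if printf '%s\n' "$text" | grep -Eq '1\.3\.6\.1\.5\.5\.8\.2\.2|ikeIntermediate'; then
        echo "ok: EKU has ikeIntermediate"
    else
        echo "warn: EKU lacks ikeIntermediate (some older Windows clients require it)"
    fi
    # Optional: the certificate must chain to the CA the client will have installed.
    if [ -n "$3" ] && ! openssl verify -CAfile "$3" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $3"; status=1
    fi
    return $status
}
```

The function returns non-zero on any FAIL line, so it can gate a deployment script; the ikeIntermediate result is a warning only.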
ipsec.conf
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
    uniqueids=no

conn %default
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    reauth=no
    mobike=yes

conn ikev2-vpn
    auto=add
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    # must match the CN/SAN of serverCert.pem
    leftid=fqdn.server.com
    leftcert=serverCert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.0.0.90
    rightdns=10.0.0.1
    rightsendcert=never
    eap_identity=%any
    leftauth=pubkey
    esp=aes256gcm16
    ike=aes256-sha256-modp2048!
I haven't trimmed this down, but it works. So one of the combinations must be correct.
Remember to add a line for serverKey.pem in the file.
ipsec.secrets
vpnusername : EAP "password"
: RSA "serverKey.pem"
vpnusername %identity% : EAP "password"
vpnusername %any% : EAP "password"
vpnusername %any : EAP "password"
%any : EAP "password"
I also did some registry changes to Windows found throughout various forums to ignore IKE names, update the key exchange algorithms, etc. I cannot confirm if they had any effect on this config.