ISAKMPD using X509 certificates

Juan Vera <juan at coredump com ar>


This is an attempt to explain how to configure isakmpd(8) using X509 certificates for authorization. Sample configs for OpenBSD and MS Windows 2000 are provided, as well as a script for generating proper certificates using openssl(1).

This little document is intended to be as cut & paste friendly as possible; changes in that direction are more than welcome. Corrections to my English, misspellings and/or errors are welcome too.

The idea

Allow mobile users (ie. those with a dynamic IP address) to join a VPN, using free software if possible. Something simpler than PGPNET would be nice, to reduce calls for help from users; it would probably also mean I do not have to write much documentation for them.

Some details

Road Warriors will use MS Windows 2000 as their desktop platform, probably over ADSL links. Native Windows IPSEC does not like dynamic IP addresses.

Road Warriors are required to have a direct Internet connection, ie NAT'ed users won't be able to join the VPN.

We will use UFQDNs (User Fully Qualified Domain Names) for authorization, both for the Road Warriors and for the gateway.

The Windows side was covered using the ipsec.exe tool from Marcus Müller (http://vpn.ebootis.de/). Source code is provided for ipsec.exe, but please note that it is licensed as follows, according to the site:
I supply the ipsec.exe under GPL (GnuPublicLicense).

If someone develops tools based on my source code he might do so, when he is:

·        Offering this code under GPL
·        Sending me copies of his modifications
·        Delivering my source code together with his additions
While ipsec.exe supports both Windows 2000 and XP, no tests were done with Windows XP.

Security Gateway is an OpenBSD box running last -release (3.2 today) with port 500/udp open to the world.

The idea of gray boxes with <PRE> data between them was taken from the OpenBSD FAQ web page; in case it is not BSD licensed I will change the colour to some degree of yellow.

Options, tools and sample configs were grabbed from lots of places. Check Links.

Conventions

Do these replacements if doing copy & paste, respecting the order:

'gateway' refers to your machine on the Internet where isakmpd(8) is running. 

The UNIX side

I will not go into details. There are enough man pages (ipsec(4), vpn(8), isakmpd(8)) and web pages (the OpenBSD FAQ, among others) for you to read in case you care or need to.

Setting the maximum number of connections (states) that pf(4) allows to isakmpd(8) is not a bad idea.

# DO NOT SKIP THIS
Edit /etc/ssl/openssl.conf and set up defaults for Country Name, State or Province, etc. It is important to do this because you will be asked the same questions over and over for every certificate you create, and in case of differences authorization will fail.
# DO NOT SKIP THIS

Copy this script to /etc/isakmpd and name it 'setup-ike-pki', or whatever name you prefer:
#!/bin/ksh 
#
# Generate Certificates to be used with ISAKMPD 
# will create the CA certs if needed.
# 
# point these files to yours if you have them (ie CA setup is already done)
# names are self explanatory
CA_KEY=/etc/isakmpd/private/ca.key
CA_CRT=/etc/isakmpd/ca/ca.crt
CA_CSR=/etc/isakmpd/private/ca.csr
# CA_HOLDER is the ufqdn of the gateway
CA_HOLDER=ca@ENTERPRISE.COM

POLICY=/etc/isakmpd/isakmpd.policy

# you may need to change this if you changed something above
cd /etc/isakmpd
# directories to store client certificates
mkdir -p certs pkcs12

#############################################################
# - Create your own CA as root.
test ! -f $CA_KEY && ( echo 
cat - <<_eof

CA FILE ABSENT, GENERATING A NEW CA CERTIFICATE
	
Press Control-C if you have not configured /etc/ssl/openssl.conf yet.
or press Enter to continue.

_eof
read nothing

openssl genrsa -out $CA_KEY 1024

)
# cert request
test ! -f $CA_CSR && openssl req -new -key $CA_KEY \
         -out $CA_CSR

#############################################################
# - Cert sign request
#  CA must expire after client certs or windows will complain
test ! -f $CA_CRT && openssl x509 -req -days 1460 -in $CA_CSR \
         -signkey $CA_KEY \
         -out $CA_CRT

#############################################################
# - Inform CA Subject all the times
ca_subject=`openssl x509 -in $CA_CRT -noout -subject`

cat - <<_eof

PLEASE NOTE THE CA SUBJECT
(obtain it again with: openssl x509 -in $CA_CRT -noout -subject)

  $ca_subject

_eof

while :
do
cat - <<_eof

GENERATE CLIENT CERTIFICATES

Note: use mail address as "Common Name".

_eof
#############################################################
# - Inform about CA holder (Gateway Cert)
# 
test ! -f "/etc/isakmpd/private/$CA_HOLDER.key" && (
cat - <<_eof

CA HOLDER CERTIFICATE IS ABSENT, CREATE IT FIRST.

_eof
echo "Type '$CA_HOLDER', to create CA holder certificate."
)

#############################################################
# - Create keys and certificates for your isakmpd peers.

echo -n "New UFQDN certificate (fmt: user@domain): "
read new_cert

openssl genrsa -out /etc/isakmpd/private/${new_cert}.key 1024

openssl req -new -key /etc/isakmpd/private/${new_cert}.key \
         -out /etc/isakmpd/private/${new_cert}.csr

#############################################################
# - Now take these certificate signing requests to your CA and
#   process them like below.

openssl x509 -req -days 365 -in /etc/isakmpd/private/${new_cert}.csr \
         -CA $CA_CRT \
         -CAkey $CA_KEY -CAcreateserial \
         -out /etc/isakmpd/certs/${new_cert}.crt

#############################################################
# - Include alt name

certpatch -t ufqdn -i ${new_cert} -k $CA_KEY \
        /etc/isakmpd/certs/${new_cert}.crt /etc/isakmpd/certs/${new_cert}.crt

#############################################################
# - Append user to policy file

# strip the "subject=" prefix (some openssl releases print "subject= /C=...")
new_cert_subject=`openssl x509 -in /etc/isakmpd/certs/${new_cert}.crt \
       -noout -subject | sed -e 's@^subject= *@@'`

cat >> $POLICY <<_eof
# --- ${new_cert} ---
authorizer: "${new_cert}"
licensees:"DN:${new_cert_subject}"
conditions: remote_id_type =="ASN1 DN" &&
            remote_id =="${new_cert_subject}" -> "true";

_eof

#############################################################
# win export
cat - <<_eof

Exporting PKCS12 certificate for ${new_cert}

_eof
openssl pkcs12 -export -in /etc/isakmpd/certs/${new_cert}.crt \
        -out  /etc/isakmpd/pkcs12/${new_cert}.p12      \
        -certfile  /etc/isakmpd/certs/${new_cert}.crt \
        -inkey /etc/isakmpd/private/${new_cert}.key

cat - <<_eof

Certificate for ${new_cert}:
	/etc/isakmpd/pkcs12/${new_cert}.p12     

Press Control-C to finish.

_eof

chmod -R og-rwx .                      # keep isakmpd happy 
done
#############################################################



Download setup-ike-pki.gz

In case you already have a Certificate Authority (CA) set up, copy the script to the proper box and fix it as needed.

setup-ike-pki will also append the proper entry to the policy file.

Remember to chmod +x setup-ike-pki.

A sample session follows; as it is a first-time session, the creation of the CA is shown. Successive calls to this script will start from the section labeled "GENERATE CLIENT CERTIFICATES". Human input is in italics. Default values are from /etc/ssl/openssl.conf. Three user certificates are created: ca@ENTERPRISE.COM for the gateway, juan@ENTERPRISE.COM for my imaginary user and workst1@ENTERPRISE.COM for the imaginary workstation number 1.
sanpedro:/etc/isakmpd{1}# ./setup-ike-pki


CA FILE ABSENT, GENERATING A NEW CA CERTIFICATE

Press Control-C if you did not configured /etc/ssl/openssl.conf yet.
or press Enter to continue.


Generating RSA private key, 1024 bit long modulus
....++++++
................................++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AR]:                 <-- press Enter to accept defaults
State or Province Name (full name) [Buenos Aires]: <-- ditto
Locality Name (eg, city) [Buenos Aires]:           <-- ditto
Organization Name (eg, company) [ENTERPRISE]:      <-- ditto
Organizational Unit Name (eg, section) [VPN Auth]: <-- ditto
Common Name (eg, fully qualified host name) []:ENTERPRISE CA
Email Address []:                                  <-- leave blank, see later

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signature ok
subject=/C=AR/ST=Buenos Aires/L=Buenos Aires/O=ENTERPRISE/OU=VPN Auth/CN=ENTERPRISE CA
Getting Private key

PLEASE NOTE THE CA SUBJECT
(obtain it again with: openssl x509 -in /etc/isakmpd/ca/ca.crt -noout -subject)

  subject= /C=AR/ST=Buenos Aires/L=Buenos Aires/O=ENTERPRISE/OU=VPN Auth/CN=ENTERPRISE CA


GENERATE CLIENT CERTIFICATES

Note: use mail address as "Common Name".


CA HOLDER CERTIFICATE IS ABSENT, CREATE IT FIRST.

Type 'ca@ENTERPRISE.COM', to create CA holder certificate.
New UFQDN certificate (fmt: user@domain): ca@ENTERPRISE.COM   <-- if you choose not to use 'ca@', change the other files as well
Generating RSA private key, 1024 bit long modulus
..........................................................++++++
.........++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AR]:
State or Province Name (full name) [Buenos Aires]:
Locality Name (eg, city) [Buenos Aires]:
Organization Name (eg, company) [ENTERPRISE]:
Organizational Unit Name (eg, section) [VPN Auth]:
Common Name (eg, fully qualified host name) []:ca@ENTERPRISE.COM <-- same as entered at first
Email Address []:   <-- this field is optional and has no connection with authentication

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signature ok
subject=/C=AR/ST=Buenos Aires/L=Buenos Aires/O=ENTERPRISE/OU=VPN Auth/CN=ca@ENTERPRISE.COM
Getting CA Private Key
Reading ssleay created certificate /etc/isakmpd/certs/ca@ENTERPRISE.COM.crt and modify it
Creating Signature: PKEY_TYPE = RSA: X509_sign: 128 OKAY
Writing new certificate to /etc/isakmpd/certs/ca@ENTERPRISE.COM.crt

Exporting PKCS12 certificate for ca@ENTERPRISE.COM

Enter Export Password:             <-- type password here
Verifying - Enter Export Password: <-- repeat

Certificate for ca@ENTERPRISE.COM:
        /etc/isakmpd/pkcs12/ca@ENTERPRISE.COM.p12

Press Control-C to finish.


GENERATE CLIENT CERTIFICATES

Note: use mail address as "Common Name".

New UFQDN certificate (fmt: user@domain): juan@ENTERPRISE.COM
Generating RSA private key, 1024 bit long modulus
.............++++++
.........................++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AR]:
State or Province Name (full name) [Buenos Aires]:
Locality Name (eg, city) [Buenos Aires]:
Organization Name (eg, company) [ENTERPRISE]:
Organizational Unit Name (eg, section) [VPN Auth]:
Common Name (eg, fully qualified host name) []:juan@ENTERPRISE.COM
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signature ok
subject=/C=AR/ST=Buenos Aires/L=Buenos Aires/O=ENTERPRISE/OU=VPN Auth/CN=juan@ENTERPRISE.COM
Getting CA Private Key
Reading ssleay created certificate /etc/isakmpd/certs/juan@ENTERPRISE.COM.crt and modify it
Creating Signature: PKEY_TYPE = RSA: X509_sign: 128 OKAY
Writing new certificate to /etc/isakmpd/certs/juan@ENTERPRISE.COM.crt

Exporting PKCS12 certificate for juan@ENTERPRISE.COM

Enter Export Password:              <-- type PKCS12 password here (ie for Windows import)
Verifying - Enter Export Password:  <-- repeat

Certificate for juan@ENTERPRISE.COM:
        /etc/isakmpd/pkcs12/juan@ENTERPRISE.COM.p12

Press Control-C to finish.


GENERATE CLIENT CERTIFICATES

Note: use mail address as "Common Name".

New UFQDN certificate (fmt: user@domain): workst1@ENTERPRISE.COM
Generating RSA private key, 1024 bit long modulus
................++++++
........++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AR]:
State or Province Name (full name) [Buenos Aires]:
Locality Name (eg, city) [Buenos Aires]:
Organization Name (eg, company) [ENTERPRISE]:
Organizational Unit Name (eg, section) [VPN Auth]:
Common Name (eg, fully qualified host name) []:workst1@ENTERPRISE.COM
Email Address []:  <-- again, this field is not necessary, leave it blank

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signature ok
subject=/C=AR/ST=Buenos Aires/L=Buenos Aires/O=ENTERPRISE/OU=VPN Auth/CN=workst1@ENTERPRISE.COM
Getting CA Private Key
Reading ssleay created certificate /etc/isakmpd/certs/workst1@ENTERPRISE.COM.crt and modify it
Creating Signature: PKEY_TYPE = RSA: X509_sign: 128 OKAY
Writing new certificate to /etc/isakmpd/certs/workst1@ENTERPRISE.COM.crt

Exporting PKCS12 certificate for workst1@ENTERPRISE.COM

Enter Export Password:
Verifying - Enter Export Password:

Certificate for workst1@ENTERPRISE.COM:
        /etc/isakmpd/pkcs12/workst1@ENTERPRISE.COM.p12

Press Control-C to finish.


GENERATE CLIENT CERTIFICATES

Note: use mail address as "Common Name".

New UFQDN certificate (fmt: user@domain): ^C
sanpedro:/etc/isakmpd{2}# ^D

Remember: these certificates are modified with certpatch(8), which adds a subjectAltName
field that isakmpd(8) needs. In order to have shorter DNs for users
I did not include an Email Address while generating the certs.

Experiment with setup-ike-pki two or three times before doing anything else. 

isakmpd(8) configuration file

Copy the following to /etc/isakmpd/isakmpd.conf.

Change Local-address, Network, Netmask and Name to fit your setup.

# Security Gateway ISAKMPd config
#
###################################################
# Global options
[General]
Retransmits=            5
Exchange-max-time=      120
Check-interval=         60

# X.509 certificate locations
[X509-certificates]
CA-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/ca@ENTERPRISE.COM.key

# IKE Phase 1 & 2
[Phase 1]
Default=                Client-phase1

[Phase 2]
Passive-Connections=    Client-phase2

# Clients, phase 1 and 2
[Client-phase1]
Phase=                  1
Transport=              udp
# internet address for this gateway
Local-address=          10.10.10.1
Configuration=          Default-main-mode
ID=                     My-ID

[My-ID]
ID-type=                USER_FQDN
# this is the certificate for this gateway
Name=                   ca@ENTERPRISE.COM

[Client-phase2]
Phase=                  2
Local-ID=               All-networks
Remote-ID=              Unknown-address

# Network details
[All-networks]
ID-Type=                IPV4_ADDR_SUBNET
Network=                192.168.0.0
Netmask=                255.255.0.0

[Unknown-address]
ID-Type=                IPV4_ADDR
Address=                0.0.0.0

###################################################

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-RSA_SIG


# Encryption/Authentication suite definitions

[3DES-SHA-RSA_SIG]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  RSA_SIG
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_SHA

# End
 

Sample isakmpd(8) policy file

Copy the following to /etc/isakmpd/isakmpd.policy and deny all rights for all users except root:
KeyNote-Version: 2
Authorizer: "POLICY"
licensees: "DN:/C=AR/ST=Buenos Aires/L=Buenos Aires/O=ENTERPRISE/OU=ENTERPRISE CA"
# Conditions shared for all users
conditions: app_domain =="IPsec policy" &&
            esp_present =="yes" &&
            esp_enc_alg !="null" -> "true";

######################################################
#### ALLOWED USER CERTIFICATES

#authorizer: "juan@ENTERPRISE.COM"
#licensees:"DN:/C=AR/ST=Buenos Aires/L=Buenos Aires/O=ENTERPRISE/OU=ENTERPRISE CA/CN=juan@ENTERPRISE.COM"
#conditions: remote_id_type =="ASN1 DN" &&
#            remote_id =="/C=AR/ST=Buenos Aires/L=Buenos Aires/O=ENTERPRISE/OU=ENTERPRISE CA/CN=juan@ENTERPRISE.COM" -> "true";

The commented record is only an example and may be omitted. You need to change the first licensees entry to fit your setup:
it is the CA Subject, and it allows every certificate that is signed by that CA and listed below.

setup-ike-pki will append records for users to this file.

PLEASE use copy and paste to handle these values, as simple misspellings will result in failed
authorizations that can be hard to trace in the ~4k lines of debug output from
isakmpd(8).

The Windows side

Go now to http://vpn.ebootis.de and read everything there. Download the tools offered there and the one
from MS. Links are provided below for faster implementation, but you are expected to read the
info there to understand how things work on the Windows side.

ipsec.exe tool zip package.
MS ipsecpol.exe download page on Microsoft.

Download and unzip ipsec.exe. Install it somewhere in the root directory of C:\ (not mandatory),
say C:\VPN.

The configuration file for the ipsec.exe tool follows; check http://vpn.ebootis.de for
more options. While it may be obvious, this is a DOS-formatted file; I don't know if a UNIX-formatted
file would work, so experiment or be sure to respect the DOS format. Also, the options for each conn are
indented with a tab.

rightca is not the same value as entered in the remote_id field of the isakmpd.policy(5) file, but it is
the CA Subject with slashes changed to commas. See above for details on obtaining it.

Again, use copy & paste to fill these values. 

right is the same as Local-address, and rightsubnet is the same as Network/Netmask, in isakmpd.conf(5).

Note that this file is the same for all the Road Warriors, ie no personal or individual data is included;
so write this file once and save it somewhere in the /etc/isakmpd directory to have it forever.
# Uncomment this if you need to dial to get Internet access.
#conn %default
#	dial=My ISP link

# this entry is to establish a flow between the gateway and
# this machine
conn Gateway
	left=%any
	right=10.10.10.1
	rightca="C=AR,ST=Buenos Aires,L=Buenos Aires,O=ENTERPRISE,OU=ENTERPRISE CA,CN=ENTERPRISE CA"
	network=lan
	auto=start
	pfs=no
	authmode=SHA

# this entry is to establish a flow between the remote network
# and this machine.
conn Network
	left=%any
	right=10.10.10.1
	rightsubnet=192.168.0.0/255.255.0.0
	rightca="C=AR,ST=Buenos Aires,L=Buenos Aires,O=ENTERPRISE,OU=ENTERPRISE CA,CN=ENTERPRISE CA"
	network=lan
	auto=start
	pfs=no
	authmode=SHA
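
As an added check, not part of the original howto or of the setup-ike-pki script: a small POSIX sh helper that turns the CA subject as openssl(1) prints it into the exact licensees string for isakmpd.policy(5) and the rightca string for the ipsec.exe config above, emits the per-user KeyNote record the script appends, and compares a policy text against the CA subject. The function names are mine; the subject and policy lines are constructed from the sample session above.

```shell
#!/bin/sh
# Added helper, not part of the original howto or of setup-ike-pki: derive the
# exact DN strings that isakmpd.policy(5) and the Windows ipsec.conf need from
# the CA subject as openssl(1) prints it, and check a policy text against them.
# Function names are mine; sample data below is constructed from the session above.

# Normalise "openssl x509 -noout -subject" output. Depending on the release it
# reads "subject=/C=..." or "subject= /C=..."; both become "/C=...".
subject_dn() {
    printf '%s\n' "$1" | sed -e 's/^subject= *//'
}

# licensees form for isakmpd.policy(5): "DN:" followed by the slash-separated DN.
dn_to_licensee() {
    printf 'DN:%s\n' "$(subject_dn "$1")"
}

# rightca form for ipsec.exe: same RDNs, slashes turned into commas, no leading
# separator. An RDN value containing "/" would break this; none of ours does.
dn_to_rightca() {
    subject_dn "$1" | sed -e 's|^/||' -e 's|/|,|g'
}

# KeyNote record that setup-ike-pki appends for one user certificate.
user_policy_record() {
    _dn=$(subject_dn "$2")
    printf '# --- %s ---\nauthorizer: "%s"\n' "$1" "$1"
    printf 'licensees: "DN:%s"\n' "$_dn"
    printf 'conditions: remote_id_type == "ASN1 DN" &&\n'
    printf '            remote_id == "%s" -> "true";\n' "$_dn"
}

# DN inside the first licensees: "DN:..." line of a policy text (the CA entry).
policy_licensee_dn() {
    printf '%s\n' "$1" | sed -n -e 's/^[Ll]icensees:[ ]*"DN:\(.*\)"[ ]*$/\1/p' | sed -n 1p
}

# 0 when the policy's CA licensee equals the CA subject byte for byte, 1 otherwise.
check_policy_ca() {
    [ "$(subject_dn "$1")" = "$(policy_licensee_dn "$2")" ]
}

# --- constructed sample data, taken from the sample session above ---
CA_SUBJECT='subject= /C=AR/ST=Buenos Aires/L=Buenos Aires/O=ENTERPRISE/OU=VPN Auth/CN=ENTERPRISE CA'

GOOD_POLICY='KeyNote-Version: 2
Authorizer: "POLICY"
licensees: "DN:/C=AR/ST=Buenos Aires/L=Buenos Aires/O=ENTERPRISE/OU=VPN Auth/CN=ENTERPRISE CA"
conditions: app_domain == "IPsec policy" -> "true";'

# One RDN differs from the CA subject: the kind of slip the text warns about.
BAD_POLICY='KeyNote-Version: 2
Authorizer: "POLICY"
licensees: "DN:/C=AR/ST=Buenos Aires/L=Buenos Aires/O=ENTERPRISE/OU=ENTERPRISE CA"
conditions: app_domain == "IPsec policy" -> "true";'

echo "isakmpd.policy licensees: \"$(dn_to_licensee "$CA_SUBJECT")\""
echo "ipsec.conf     rightca=\"$(dn_to_rightca "$CA_SUBJECT")\""
check_policy_ca "$CA_SUBJECT" "$GOOD_POLICY" && echo "GOOD_POLICY: CA DN matches"
check_policy_ca "$CA_SUBJECT" "$BAD_POLICY"  || echo "BAD_POLICY: CA DN does not match"
user_policy_record juan@ENTERPRISE.COM \
    'subject=/C=AR/ST=Buenos Aires/L=Buenos Aires/O=ENTERPRISE/OU=VPN Auth/CN=juan@ENTERPRISE.COM'
```

To check a real gateway, feed it `openssl x509 -in /etc/isakmpd/ca/ca.crt -noout -subject` and the contents of /etc/isakmpd/isakmpd.policy instead of the constructed strings.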


Create and copy User Certificates to Windows box

After running setup-ike-pki, copy ca.crt (/etc/isakmpd/ca/ca.crt) and the PKCS12 user certificate (ie /etc/isakmpd/pkcs12/juan@ENTERPRISE.COM.p12)
to the Windows box. Handle these files as binary data and protect them, as they are the keys to enter your
VPN; a well-chosen Export Password is appropriate.

Create an IPSEC + Certificates MMC

(taken from Nate Carlson's page, see Links; an MMC already done is available to download)

Start/Run/MMC
File (or Console) - Add/Remove Snap-in
Click on 'Add'
Click on 'Certificates', then 'Add'
Select 'Computer Account', and 'Next'.
Select 'Local computer', and 'Finish'.
Click on 'IP Security Policy Management', and 'Add'.
Select 'Local Computer', and 'Finish'
Click 'Close' then 'OK'

Download certificates.msc

Add the certificates

(partially taken from Nate Carlson's page)

Double-click MMC created before or certificates.msc.

Click the plus arrow by Trusted Root Certification Authorities. Right-click Certificates
and click All Tasks, then Import. Click Next, type the path to the ca.crt file (or browse
and select the file), and click Next until the 'Import was successful' message appears.

Click the plus arrow by Certificates (Local Computer)
Right-click Personal, and click All Tasks then Import
Click Next, Type in the path to the .p12 file (or browse and select the file), and click 'Next'
Type the export password, and click Next, go with Next until Import was successful message appears.
Click Finish, and say yes to any prompts that pop up.
Exit the MMC, and save it as a file so you don't have to re-add the Snap Ins each time.

C:\VPN\ directory

This is how my C:\VPN directory looks after merging ipsec.exe and ipsecpol.exe. CERTS/ contains
the CA and user certificates; both may be deleted after import.

C:\VPN>dir
 Volume in drive C is -
 Volume Serial Number is 1234-5678

 Directory of C:\VPN

22/11/2002  07:03p      <DIR>          .
22/11/2002  07:03p      <DIR>          ..
26/11/2002  04:25p             131.072 certificates.msc
22/11/2002  07:04p               1.291 My VPN.lnk
12/01/2003  02:51a                 671 ipsec.conf
11/11/2002  03:21p              61.440 IPSEC.exe
12/01/2003  12:21a             128.000 IPSec.msc
11/11/2002  03:21p              20.659 ipsecpol-d.htm
11/11/2002  03:21p              29.184 IPSECPOL.EXE
11/11/2002  03:21p              12.812 ipsecpol_license.txt
11/11/2002  03:21p              19.968 IPSECUTIL.DLL
11/11/2002  03:21p              20.480 TEXT2POL.DLL
11/11/2002  03:21p               8.333 ToolDownloadReadme.htm
22/11/2002  07:11p      <DIR>          CERTS
              12 File(s)        434.156 bytes
               3 Dir(s)   6.832.439.296 bytes free

C:\VPN>

First run

On gateway run as root: isakmpd -d -DA=99 | tee isakmpd.log

Change to Windows box and Start->Run->ipsecmon->options->and change from 15 to 1 seconds->ok

Open a DOS prompt, change to C:\VPN or wherever you installed the things, and run: ipsec.exe -debug

C:\VPN>ipsec -debug
IPSec Version 2.1.4 (c) 2001,2002 Marcus Mueller
Getting running Config ...
Microsoft's Windows 2000 identified
Debugging on.
Host name is: test_machine
No RAS connections found.
LAN IP address: 10.10.10.31
Setting up IPSec ...

        Deactivating old policy...
        Removing old policy...

Connection Gateway:
        MyTunnel     : 10.10.10.31
        MyNet        : 10.10.10.31/255.255.255.255
        PartnerTunnel: 10.10.10.1
        PartnerNet   : 10.10.10.1/255.255.255.255
        CA (ID)      : C=AR,ST=Buenos Aires,L=Buenos Aires,O=ENTERPRISE,OU=...
        PFS          : n
        Auto         : start
        Auth.Mode    : SHA
        Rekeying     : 3600S/50000K

Command 1: ipsecpol -w REG -p FreeSwan -r Host-Gateway -t 10.10.10.1 -f 192.16
8.22.31/255.255.255.255=10.10.10.1/255.255.255.255 -n ESP[SHA,3DES]3600S/50000
K -a CERT:"C=AR,ST=Buenos Aires,L=Buenos Aires,O=ENTERPRISE,OU=VPN Auth,CN=ENTERPRISE
 CA" -lan > NUL:

Command 2: ipsecpol -w REG -p FreeSwan -r Gateway-Host -t 10.10.10.31 -f 192.1
68.22.1/255.255.255.255=10.10.10.31/255.255.255.255 -n ESP[SHA,3DES]3600S/5000
0K -a CERT:"C=AR,ST=Buenos Aires,L=Buenos Aires,O=ENTERPRISE,OU=VPN Auth,CN=ENTERPRISE
 CA" -lan > NUL:
        Activating policy...

Command 3: ipsecpol -w REG -p FreeSwan -x > NUL:

Connection Network:
        MyTunnel     : 10.10.10.31
        MyNet        : 10.10.10.31/255.255.255.255
        PartnerTunnel: 10.10.10.1
        PartnerNet   : 192.168.0.0/255.255.0.0
        CA (ID)      : C=AR,ST=Buenos Aires,L=Buenos Aires,O=ENTERPRISE,OU=...
        PFS          : n
        Auto         : start
        Auth.Mode    : SHA
        Rekeying     : 3600S/50000K

Command 1: ipsecpol -w REG -p FreeSwan -r Host-Network -t 10.10.10.1 -f 192.16
8.22.31/255.255.255.255=192.168.0.0/255.255.0.0 -n ESP[SHA,3DES]3600S/50000K -a C
ERT:"C=AR,ST=Buenos Aires,L=Buenos Aires,O=ENTERPRISE,OU=VPN Auth,CN=ENTERPRISE CA"
-lan > NUL:

Command 2: ipsecpol -w REG -p FreeSwan -r Network-Host -t 10.10.10.31 -f 10.0.
0.0/255.255.255.0=10.10.10.31/255.255.255.255 -n ESP[SHA,3DES]3600S/50000K -a
CERT:"C=AR,ST=Buenos Aires,L=Buenos Aires,O=ENTERPRISE,OU=VPN Auth,CN=ENTERPRISE CA"
 -lan > NUL:
        Activating policy...

Command 3: ipsecpol -w REG -p FreeSwan -x > NUL:

C:\VPN>ping 192.168.16.17

Pinging 192.168.16.17 with 32 bytes of data:

Reply from 192.168.16.17: bytes=32 time<10ms TTL=254
Reply from 192.168.16.17: bytes=32 time<10ms TTL=254

Ping statistics for 192.168.16.17:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  0ms, Average =  0ms
Control-C
^C
C:\VPN>
      

If everything works, create Windows shortcuts for both activating (ipsec.exe) and deactivating the VPN (ipsec.exe -off).

In case of problems, check isakmpd.log on gateway for errors. 

From Nate Carlson's page: 

1) Logging on the Windows side (helps troubleshoot certificate errors, etc)

Yes, it is actually possible to enable logging on the Windows box! To do this, follow the directions at Microsoft's
Basic IPSec Troubleshooting in Windows 2000 page -- look for the section entitled 'Obtaining an Oakley Log'.

LINKS

Obvious Disclaimer

Reading and following all or any of the procedures explained in this document
implies that you accept that I have no responsibility if problems appear, that I
have no obligation to give you or anybody else support, help or even my best
wishes, to correct wrong information contained here, etc, etc, etc (where etc is anything
that you may think of to relate me to your problems).

Good luck and buy me something with the money you save!

TODO