BLACK CAT PROGRAMMER

Connecting to OpenSwan VPN in Windows

Environment

An IPsec VPN was set up on a Raspberry Pi with OpenSwan.

Steps

Adding Server CA Certificate

  1. Download the server CA certificate
  2. Import the server CA: Start -> Run -> enter “mmc”
  3. Add a new snap-in
  4. Select Certificates in the left menu, then click the Add button in the middle
  5. Select Computer account
    1. This popup may not appear, in which case the certificate is imported for the current user by default. The certificate must be imported to the local computer.
    2. To do so: Start -> enter cmd
    3. Run cmd as administrator
    4. Enter certlm.msc
    5. Go to step 8
  6. Select Local computer, then click the Finish button
  7. After clicking Finish, the popup window closes
  8. Back in the mmc console window, there is a new item Certificates in the left menu
  9. Unfold Certificates -> Trusted Root Certification Authorities
  10. Right click on Certificates and click All Tasks -> Import …
  11. A new window pops up. Select Local Machine if asked
  12. Select the CA certificate just downloaded
  13. Once the CA certificate is added, it appears under Trusted Root Certification Authorities
  14. Close the mmc window without saving
  15. Done

Adding VPN

  1. Open VPN settings by typing “vpn settings” in the Start menu
  2. Click on “Add a VPN connection”
  3. Fill in the form

    – Connection name: a name for you to identify the VPN
    – Server name or address: the domain or IP of the VPN server
    – VPN type: select IKEv2
    – Type of sign-in info: select the appropriate sign-in method
    – User name: VPN account name
    – Password: VPN account password
  4. Back in the VPN settings window, click on “Change adapter options”
  5. In the new window, right click on the newly created VPN icon, then click on “Properties”
  6. On the Security tab, configure as follows
  7. The other settings can be kept untouched
  8. Click OK to close the window
  9. Done
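The two procedures above (importing the server CA into the local computer store, then creating the IKEv2 connection) as one PowerShell script. This is an added example, not from the original post; the CA file path, connection name and server address are placeholders, and EAP (username/password) is assumed as the sign-in type.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Assumed values: CA path,
# connection name, server address and EAP (username/password) sign-in.
param(
    [string]$CaPath        = 'C:\vpn\server-root-ca.cer',  # downloaded server CA (assumed path)
    [string]$VpnName       = 'Pi OpenSwan',                 # connection name (assumed)
    [string]$ServerAddress = 'vpn.example.com'              # VPN server domain or IP (assumed)
)

# 1. Import the CA into the local machine Trusted Root store. IKEv2 server
#    validation uses Cert:\LocalMachine\Root; a CA that only sits in the
#    current-user store is the failure described in step 5 of the CA section.
$ca = Import-Certificate -FilePath $CaPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# 2. Confirm where the CA actually landed before touching the VPN profile.
$inMachine = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object Thumbprint -eq $ca.Thumbprint
$inUser    = Get-ChildItem 'Cert:\CurrentUser\Root'  | Where-Object Thumbprint -eq $ca.Thumbprint
if (-not $inMachine) { throw "CA $($ca.Thumbprint) is not in Cert:\LocalMachine\Root" }
if ($inUser) { Write-Warning 'The same CA is also in the current-user store; the machine copy is the one that matters' }

# 3. Create the IKEv2 connection (the "Add a VPN connection" form).
#    Eap = username/password (MSCHAPv2). Use -AuthenticationMethod MachineCertificate
#    instead if the server authenticates clients by certificate.
Add-VpnConnection -Name $VpnName -ServerAddress $ServerAddress `
    -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required `
    -RememberCredential -Force

# 4. Show the resulting profile, then dial it (rasdial prompts for the VPN account).
Get-VpnConnection -Name $VpnName |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
rasdial $VpnName
```

The Security tab settings from step 6 are not reproduced here, so apply them afterwards in the adapter Properties dialog as the post describes.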

Connect to VPN

  1. On the VPN settings page, select the VPN
  2. Click on the Connect button

Common problems

parameter is incorrect

Solution: reset and clear the networking caches.
Open a Windows command prompt as administrator (click the Windows Start menu, type ‘cmd’, right click on ‘Command Prompt’ and select “Run as administrator”).

Type the commands below:
netsh int ip reset
netsh int ipv6 reset
netsh winsock reset

Restart your computer.

Reset Device Manager adapters
1. Open Device Manager
2. Find Network Adapters
3. Uninstall the WAN Miniport drivers (IKEv2, IP, IPv6, etc.)
4. Click Action > Scan for hardware changes
5. The adapters you just uninstalled should come back


Adding routing rule on macOS

After setting up StrongSwan, everything should work, i.e. you can connect to the VPN server and the subnet behind it. However, in some circumstances the local subnet mask covers the remote subnet, e.g. the remote subnet is 192.168.55.0/24 while the local subnet is 192.168.0.0/32.

In this case, a packet intended for the remote host 192.168.55.1 will go to the local gateway instead. Therefore, we have to add a custom routing rule on the local machine.

macOS

  • First list the current routing table: netstat -nr
  • Remove the existing route, if any: route delete 192.168.55.0/24
  • Add a new rule to route the traffic to the VPN server: route add 192.168.55.0/24 10.10.10.1, where 10.10.10.1 is the VPN gateway

VPN server IP changed

Normally the home IP does not change once in ten years. Last time it was banned by mainland China; I called customer service and it could not be changed, so in the end I had to change the router's MAC address. But this time it switched to a new IP out of nowhere, which broke the VPN server I had set up earlier.

If the IP changes, the conf and secrets need to be updated and the cert re-issued:

  1. Change the leftid in /etc/ipsec.conf
  2. Change the ip in /etc/ipsec.secrets
  3. Re-issue the server cert:
$ sudo ipsec pki --pub --in vpn-server-key.pem \
--type rsa | ipsec pki --issue --lifetime 1825 \
--cacert server-root-ca.pem \
--cakey server-root-key.pem \
--dn "C=US, O=VPN Server, CN=server_ip" \
--san server_ip \
--flag serverAuth --flag ikeIntermediate \
--outform pem > vpn-server-cert.pem

However, you must reuse the previous server-root-ca.pem, server-root-key.pem and vpn-server-key.pem, otherwise everything has to be redone from scratch.

$ sudo cp ./vpn-server-cert.pem /etc/ipsec.d/certs/vpn-server-cert.pem