Setting up IPSEC/L2TP with NAT-T (Windows Client)

After setting up openswan on the Linux server, it’s time to configure a Windows client to connect using x.509 certificates. This is a short article describing only the high level steps, going into further detail only where it has been more difficult.

The steps described apply to Windows 7. I haven’t tried them on any other version of Windows, but at least the registry keys have probably changed from older versions.

First we have to import the client certificate, which was signed by a CA trusted by the server (it might even be our own CA, but in that case we must either export the CA certificate together with the client certificate itself, or export only the CA certificate and import it into the client). Importing the certificate by double click won’t work: Windows will import your certificate into the user store, and the IPsec policy cannot use it from there.

Instead, open the management console (Start, Run, mmc) and choose File -> Add/Remove snap-in… From the list presented, choose Certificates, and then “Computer Account”, so we can manage certificates globally for this computer, and also add IP Security Policy Management. Now expand Certificates (Local Computer), right click on Personal and choose All Tasks -> Import. If the CA root certificate was imported together with the client certificate, move it to Trusted Root Certification Authorities -> Certificates.

Now right click on IP Security Policies on Local Computer, and choose Create IP Security Policy. Give it a name and continue to the end, leaving the “Edit Properties” checkbox checked. On the Rules tab, select the default IP security rule and click Edit. Go to the Authentication Methods tab, remove the Kerberos method and click Add. Choose “Use a certificate from this certification authority (CA)” and browse to your root CA certificate. Press OK a couple of times to close all of the open windows. Right click the policy you created and choose Assign.

Now, both the server and the client are behind NAT, and that hasn’t been supported in Windows since Windows XP SP2. Microsoft claims it’s not secure (LOL). Ok, we believe that, but we need our VPN to be accessible. Fire up regedit and go to HKLM\System\CurrentControlSet\services\PolicyAgent and create a 32-bit DWORD value named AssumeUDPEncapsulationContextOnSendRule. Give it the value 2 (both client and server are behind NAT). Google for the other values. This same value, with the same data, should also be created under HKLM\System\CurrentControlSet\services\IPSec. Reboot. Restarting the Policy Agent service, as I’ve seen suggested on some pages, won’t work. Now, hopefully, everything works as expected and a Windows 7 client behind NAT can connect to openswan, also behind NAT, using certificates.
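As an added example that is not part of the original post, the registry change and the certificate-store pitfall above can be applied and checked from an elevated PowerShell prompt on Windows 7; the thumbprint is a placeholder you replace with your own client certificate’s, and the meaning of value 1 (only the server behind NAT) is taken from Microsoft’s documentation of this key.

```powershell
# Added example (not from the original post): set AssumeUDPEncapsulationContextOnSendRule
# under both service keys and verify the client certificate is in the machine store.
# Run from an elevated PowerShell prompt.

$ErrorActionPreference = 'Stop'

# Documented values for this DWORD: 1 = server behind NAT, 2 = both client and server behind NAT.
$natValue = 2
$regPaths = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent',
    'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
)

foreach ($path in $regPaths) {
    if (-not (Test-Path $path)) {
        throw "Registry key $path is missing; this script expects the Windows 7 service keys."
    }
    # Set-ItemProperty creates the value if it is absent and overwrites it otherwise.
    Set-ItemProperty -Path $path -Name 'AssumeUDPEncapsulationContextOnSendRule' -Value $natValue -Type DWord
    $current = (Get-ItemProperty -Path $path).AssumeUDPEncapsulationContextOnSendRule
    if ($current -ne $natValue) { throw "Failed to set the NAT-T rule under $path" }
    Write-Host "OK: $path -> AssumeUDPEncapsulationContextOnSendRule = $current"
}

# A double-click import lands in the user store, which the IPsec policy cannot use.
# Look the certificate up by thumbprint in both stores to catch that mistake.
$thumbprint  = 'PLACEHOLDER_CLIENT_CERT_THUMBPRINT'   # replace with the client certificate's SHA-1 thumbprint
$machineCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
$userCert    = Get-ChildItem Cert:\CurrentUser\My  | Where-Object { $_.Thumbprint -eq $thumbprint }

if ($machineCert) {
    Write-Host "OK: client certificate found in Cert:\LocalMachine\My (subject: $($machineCert.Subject))"
    # The signing CA must be in the machine Trusted Root store for the policy's CA authentication method.
    $issuerInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $machineCert.Issuer }
    if (-not $issuerInRoot) { Write-Warning "Issuer '$($machineCert.Issuer)' is not in Cert:\LocalMachine\Root" }
} elseif ($userCert) {
    Write-Warning 'Certificate is only in the user store; re-import it via mmc under Computer Account.'
} else {
    Write-Warning 'Client certificate not found in either store.'
}

Write-Host 'Reboot required: restarting the Policy Agent service alone is not enough.'
```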
