IPSec VPN between Linux and Windows 2012

I had to connect a Windows 2012 machine behind NAT to a CentOS 7 IPsec gateway running libreswan. No L2TP, just plain IPsec.
The windows machine itself was not a gateway, it was connected “alone”. So in my case there was no need for using RRAS.
I found it difficult to find some coherent documentation about this subject on the net, so I would like to point out that this vpn connection can be done. What I really missed was some debugging function on Windows. I remember in the old days of Windows 2000 there was a registry key to enable isakmp debugging, but I did not find something like that today.
Anyway, on Linux the ipsec.conf section is:

conn test
    # The Windows box is behind NAT. UDP ports 500 and 4500 are forwarded
    # from to, which is the real IP address of the machine.
    # The Windows box issues its real IP as its ID.

Remember to use the IDs, and, in ipsec.secrets to identify the shared secret to use.

On Windows, open Windows Firewall with Advanced Security.
Create a Custom rule, use as endpoint 1 and as endpoint 2.
Select Require authentication for inbound and outbound connections;
select Advanced for authentication, and insert the preshared key.
Last, in the Advanced tab, select Ipsec tunneling, check Use ipsec tunneling, and enter the remote tunnel endpoint, in my case

Finally, I had to create an Inbound and an Outbound firewall rule, inserting the two endpoints in the Scope tab. I had to select Allow the connection as the Action in the General tab.
Honestly, I thought that selecting “Allow the connection if it is secure” could be enough, since the connection comes through IPSec, but it’s not. Maybe this has something to do with the fact that my Windows 2012 box is not acting as a gateway.
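The same Windows-side setup, expressed with the NetSecurity PowerShell cmdlets instead of the Windows Firewall with Advanced Security GUI. This is an added example, not the original post's configuration: all addresses, rule names and the key are constructed placeholders (documentation ranges), and the address of the network behind the Linux gateway is an assumption, since the post does not state what traffic the tunnel carries.

```powershell
# Added example, not from the original post. Constructed placeholder values:
#   192.0.2.10      private address of the Windows 2012 box (behind NAT); with a
#                   pre-shared key Windows sends this address as its IKE ID
#   203.0.113.1     public address of the CentOS 7 / libreswan gateway
#   198.51.100.0/24 assumed network behind the Linux gateway
$windowsIp = '192.0.2.10'
$linuxGw   = '203.0.113.1'
$remoteNet = '198.51.100.0/24'
$psk       = 'REPLACE-WITH-THE-SECRET-FROM-ipsec.secrets'   # placeholder

# Phase 1 authentication with a pre-shared key (the "Advanced" authentication
# choice in the GUI, matching authby=secret on the libreswan side).
$proposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $psk
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Linux GW PSK' -Proposal $proposal

# Connection security rule: Custom rule, tunnel mode, "Require authentication
# for inbound and outbound connections", remote tunnel endpoint = Linux gateway.
New-NetIPsecRule -DisplayName 'Tunnel to Linux GW' `
    -Mode Tunnel `
    -LocalAddress $windowsIp -RemoteAddress $remoteNet `
    -LocalTunnelEndpoint $windowsIp -RemoteTunnelEndpoint $linuxGw `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name

# Plain firewall rules with Action = Allow and both endpoints in the scope.
# A connection security rule on its own passes no traffic.
New-NetFirewallRule -DisplayName 'IPsec tunnel inbound'  -Direction Inbound `
    -Action Allow -LocalAddress $windowsIp -RemoteAddress $remoteNet
New-NetFirewallRule -DisplayName 'IPsec tunnel outbound' -Direction Outbound `
    -Action Allow -LocalAddress $windowsIp -RemoteAddress $remoteNet

# Checks: the rule should exist and be enabled; after sending traffic into the
# tunnel, a main mode SA with the gateway as remote endpoint should be listed.
Get-NetIPsecRule -DisplayName 'Tunnel to Linux GW' | Format-List DisplayName, Enabled, Mode
Get-NetIPsecMainModeSA | Format-List

# If the gateway address changes, remove the rule and re-create it with the new
# $linuxGw rather than editing it in place:
# Remove-NetIPsecRule -DisplayName 'Tunnel to Linux GW'
```

The two Get-NetIPsec* calls are the closest thing to a debugging view available from the shell: if the rule is listed but no main mode SA ever appears, phase 1 (NAT traversal on UDP 500/4500, IDs, or the pre-shared key) is failing before the tunnel is even negotiated.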

Another note worth mentioning: after some months, I had to change the gateway IP on the Linux side, which is referred to as in the example above. In my case, on Windows, only editing the connection properties and changing the address was not enough: the connection was not activated, and I did not see it in Monitoring – Connection Security Rules. I had to delete and re-create it from scratch. Disabling/re-enabling did not work for me.

This may similarly affect rules whose other properties are edited: if your rule does not appear under Connection Security Rules, try deleting it and inserting it again.
