Introduction
There are many how-tos and guides for setting up strongSwan in different configurations, but it’s easy to waste hours simply because a required package might be missing from your particular Linux distribution.
This guide explains exactly how to install and configure strongSwan with password authentication on Debian 12, with Windows 11 PCs as the clients.
The sources for this guide are mainly the official strongSwan documentation and the project's GitHub page.
Apt update, upgrade and install
sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install -y strongswan strongswan-swanctl libstrongswan-standard-plugins libstrongswan-extra-plugins strongswan-libcharon libcharon-extra-plugins libcharon-extauth-plugins charon-systemd strongswan-pki libtss2-tcti-tabrmd0
Create a temporary dir for pki
mkdir pki
cd pki
Generate the CA key
pki --gen --type rsa --size 4096 --outform pem > vpnserverCAKey.pem
The corresponding public key is packed into a self-signed CA certificate with a lifetime of 10 years (3652 days) using the pki --self command
pki --self --ca --lifetime 3652 --in vpnserverCAKey.pem --type rsa \
--dn "C=CH, O=MyOrg, CN=MyOrg VPN CA" --outform pem > vpnserverCACert.pem
Create the key for the VPN server
pki --gen --type rsa --size 4096 > vpnserverKey.der
Create the signing request (note the use of the server's public IP as CN and SAN; it could also be a domain name, as long as the Windows client connects to that same name)
pki --req --type priv --in vpnserverKey.der \
--dn "C=CH, O=SR, CN=138.181.122.14" \
--san 138.181.122.14 --outform pem > vpnserverReq.pem
Create the vpn server cert based on the request
pki --issue --cacert vpnserverCACert.pem --cakey vpnserverCAKey.pem \
--flag serverAuth --type pkcs10 --in vpnserverReq.pem --serial 01 --lifetime 1826 \
--outform pem > vpnserverCert.pem
Copy the CA certificate, the server key and the server certificate into the matching /etc/swanctl subdirectories
sudo cp vpnserverCACert.pem /etc/swanctl/x509ca/
sudo cp vpnserverKey.der /etc/swanctl/rsa/
sudo cp vpnserverCert.pem /etc/swanctl/x509/
Configure
sudo nano /etc/swanctl/swanctl.conf
Replace the contents with this (insert your own username and password in “secrets”):
connections {
    eap {
        pools = ipv4, ipv6
        local {
            # server authenticates with its certificate; id must appear in the cert's subject or SAN
            auth = pubkey
            certs = vpnserverCert.pem
            id = 138.181.122.14
        }
        remote {
            # clients authenticate with username/password from the secrets section
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            eap {
                # full-tunnel: all client IPv4 and IPv6 traffic goes through the VPN
                local_ts = 0.0.0.0/0, ::/0
            }
        }
    }
}

pools {
    ipv4 {
        addrs = 10.0.100.64/26
        dns = 10.0.100.1
    }
    ipv6 {
        addrs = 2a02:168:4407:1::/122
    }
}

secrets {
    eap-myuser {
        id = myuser
        secret = mypassword
    }
}

include conf.d/*.conf
Disable the unneeded legacy (stroke-based) starter service
sudo systemctl stop strongswan-starter
sudo systemctl disable strongswan-starter
Enable and restart the strongswan service for the changes to take effect
sudo systemctl enable strongswan
sudo systemctl restart strongswan
Check the status for errors
sudo systemctl status strongswan
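The swanctl.conf above stores EAP passwords in clear text, and the `id` under `local` must be the same identity the server certificate was issued for, otherwise authentication fails. The following pre-flight script is an added example (not part of the original guide or of strongSwan) that checks a swanctl.conf for the three mistakes that most often survive a copy-and-paste of this configuration: the placeholder password `mypassword` still in place, a `local` id that does not match the certificate identity, and a config file readable by users other than root. It assumes GNU coreutils (`stat -c`, `sed`) as shipped on Debian 12; the file path and the identity are passed as arguments.

```shell
#!/bin/sh
# swanctl-precheck.sh: sanity checks on swanctl.conf before restarting strongSwan.
# Added example, not the guide's or strongSwan's own code. Usage:
#   sudo sh swanctl-precheck.sh /etc/swanctl/swanctl.conf 138.181.122.14

# Print the value(s) of "key = value" lines for a key, leading whitespace stripped.
conf_value() {
    # $1 = file, $2 = key (matched at line start, so "eap_id" does not match "id")
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1"
}

# 1. The guide's placeholder EAP password must not survive into production.
check_secret_not_placeholder() {
    # $1 = swanctl.conf path; returns 0 when no secret is still "mypassword"
    if conf_value "$1" secret | grep -q '^mypassword[[:space:]]*$'; then
        echo "FAIL: placeholder secret 'mypassword' still present in $1" >&2
        return 1
    fi
    echo "ok: no placeholder secrets"
}

# 2. The first "id =" in the file is the server's local id (connections section
#    comes before secrets). It must equal the identity the server certificate
#    carries in its subject/SAN and the name the Windows client connects to.
check_local_id() {
    # $1 = swanctl.conf path, $2 = expected identity (IP or DNS name)
    id=$(conf_value "$1" id | sed 's/[[:space:]]*$//' | head -n 1)
    if [ "$id" != "$2" ]; then
        echo "FAIL: local id '$id' does not match certificate identity '$2'" >&2
        return 1
    fi
    echo "ok: local id matches $2"
}

# 3. swanctl.conf holds passwords in clear text: only root should be able to read it.
check_conf_perms() {
    # $1 = swanctl.conf path; returns 0 when the mode has no group/other bits
    mode=$(stat -c '%a' "$1")   # GNU stat as on Debian; BSD stat uses a different flag
    case "$mode" in
        600|400) echo "ok: $1 mode $mode"; return 0 ;;
        *) echo "FAIL: $1 mode $mode is readable by non-root users; run chmod 600 $1" >&2
           return 1 ;;
    esac
}

# Run all checks when invoked with CONF and IDENTITY; exit non-zero on any failure.
if [ "$#" -eq 2 ]; then
    rc=0
    check_secret_not_placeholder "$1" || rc=1
    check_local_id "$1" "$2" || rc=1
    check_conf_perms "$1" || rc=1
    exit "$rc"
fi
```

Run it as root right before `sudo systemctl restart strongswan`; a non-zero exit means at least one check printed a FAIL line explaining what to fix.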
Windows VPN Client
Copy the CA certificate, vpnserverCACert.pem, from the VPN server to the Windows client and add it to the trusted roots for the computer.
For details on setting up the Windows VPN client, follow the guide on https://docs.strongswan.org/docs/latest/interop/windowsEapConf.html
Remember to set the EAP properties as shown towards the end of that guide.
To make the Windows client require the stronger IKE proposal (AES-256 with 2048-bit DH, as the value name indicates), run the following in an elevated prompt:
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters" /v NegotiateDH2048_AES256 /t REG_DWORD /d 2 /f