VPN using OpenWRT and Windows built-in client.
I set up myself, my friend and my parents with routers running the OpenWRT firmware so that I could remotely connect to them using SSH. Doing so allowed me to set up tunnels for VNC and remote into their computers to provide tech support.
Recently I decided to look into setting up VPN access using Strongswan. This setup would allow me to more easily access their network and remote into their desktops, with no need to mess around with SSH tunnels. The reason for using Strongswan over OpenVPN was so that I could use the built-in Windows VPN client rather than have to download a special client.
I was able to get Strongswan installed and running successfully by following the IPsec Modern IKEv2 Road-Warrior Configuration guide on the OpenWRT website. Initial testing was completed with my phone and worked perfectly.
I then moved on to testing the Windows 10 client using my laptop. Unfortunately the test was unsuccessful. Windows reported a Policy match error when trying to connect.
Searching Google for this error led me to the Serverfault post Strongswan IKEv2 vpn on Windows 10 client “policy match error”, which explains that this error is likely caused by a mismatch in the IPsec security parameters proposed by the client and those accepted by the server.
Possible solutions are to modify the Strongswan configuration to allow the lower security parameters or to modify Windows to use higher security parameters. I opted to modify Windows using the Set-VpnConnectionIPsecConfiguration PowerShell command. The main change that is necessary is to set the DHGroup to Group14 (MODP2048). I also set the encryption details to AES256 rather than AES128.
$vpn = Get-VpnConnection -Name "<your connection name>"
Set-VpnConnectionIPSecConfiguration -ConnectionName $vpn.Name -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -DHGroup Group14 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -Force
After running the command, I was able to successfully connect to the VPN using the built-in Windows 10 client.
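As an added example (not from the original post), the script below puts the whole client-side procedure in one place: it creates the IKEv2 connection if it does not already exist, applies the stronger proposal (AES-256, SHA-256, DH Group14/MODP2048, PFS2048), and prints the resulting policy so you can confirm what Windows will offer before connecting. The connection name, server address and the MachineCertificate authentication method are assumptions; substitute whatever your strongSwan setup uses.

```powershell
# Added example, not code from the original post.
# Connection name and server address are placeholders (assumptions).
$Name   = 'Home-IKEv2'
$Server = 'vpn.example.invalid'

# Create the IKEv2 connection only if it is missing.
# MachineCertificate is an assumed authentication method; the strongSwan
# road-warrior guide may use EAP instead, in which case adjust this line.
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType IKEv2 `
        -AuthenticationMethod MachineCertificate -EncryptionLevel Required
}

# Raise the proposal above the Windows defaults so it matches a server that
# rejects 1024-bit DH. These values must correspond to a proposal the server
# actually allows (its ike=/esp= lines), otherwise the same policy match error
# simply reappears from the other side.
$Params = @{
    ConnectionName                   = $Name
    AuthenticationTransformConstants = 'SHA256128'   # ESP integrity
    CipherTransformConstants         = 'AES256'      # ESP cipher
    DHGroup                          = 'Group14'     # IKE DH = MODP2048
    EncryptionMethod                 = 'AES256'      # IKE cipher
    IntegrityCheckMethod             = 'SHA256'      # IKE integrity/PRF
    PfsGroup                         = 'PFS2048'     # CHILD_SA PFS = MODP2048
    Force                            = $true         # skip confirmation prompt
    PassThru                         = $true         # return the applied policy
}
$Policy = Set-VpnConnectionIPsecConfiguration @Params

# Show the policy Windows will propose; check DHGroup/PfsGroup before dialing.
$Policy | Format-List

# The same policy is also visible later via the connection object.
(Get-VpnConnection -Name $Name).IPsecCustomPolicy | Format-List
```

Run this in an elevated PowerShell session for an all-users connection (add -AllUserConnection to the cmdlets) or as the normal user for a per-user one. If the connection still fails with a policy match error after this, compare the printed policy against the server's strongSwan proposals rather than lowering the server side.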