IPSec VPN set up (Windows)

Solution 1:

Use Windows Firewall's Connection Security Rules to configure IPsec on Windows 7.

Open the Start Menu, search for "Windows Firewall with Advanced Security". Open it. In the left-hand panel, right-click on "Windows Firewall with Advanced Security". Select "Properties". Open the tab labelled "IPsec Settings". Click on "Customize".

In the section labelled "Key exchange (Main Mode)", click "Customize".
Click "Add" and select "MD5" as the integrity algorithm, "AES-CBC 256" for the encryption algorithm, and "Diffie-Hellman Group 2" for the key exchange algorithm. Click "OK". Click "OK".

In the section labelled "Data protection (Quick Mode)", click "Customize".
Check "Require encryption for all connection security rules that use these settings".
Click "Add" and select "ESP", select "MD5" as the integrity algorithm, and select "AES-CBC 256" for the encryption algorithm.
Click "OK". Click "OK". Click "OK". Click "OK".

In the left-hand panel, right-click on "Connection Security Rules". Select "New Rule". Select "Tunnel". Click "Next>". Click "Next>". Click "Next>".
Click "Add" and enter $dev_server. Click "OK". Click the upper "Edit" and enter $dev_server. Click on the lower "Edit" and enter $destination_peer. Click "Next>".
Select "Advanced" and click "Customize". In the section labelled "First authentication", click "Add". Select "Preshared key". Enter the preshared key. Click "OK". Click "OK". Click "Next>". Click "Next>".
Enter a name for the rule. Click "Finish".

EDIT: added steps to configure IPsec.

Solution 2:

Alternately, use netsh advfirewall consec add rule from the command line. You get some useful help text when you type just that.

Note that you need the "advanced firewall" that comes with Windows 7 Professional (I think) and Enterprise (I'm sure). I don't think it is part of the "Home" edition.

It's a complicated topic, and the answer is going to depend on how the other end of your tunnel is configured. I'm not familiar with OpenBSD's ipsec implementation, but my guess is that you need to do "lan-to-lan" mode on Windows, even though one of your endpoints is not a LAN, it's just a single machine. (Technically, I guess it's a /32 LAN with one member.)
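The following is an added example, not code from either answer above: it builds the same tunnel that Solution 1 clicks through (main-mode key exchange, quick-mode data protection, a tunnel-mode connection security rule with a preshared key) using the netsh advfirewall consec command that Solution 2 points at. Run it from an elevated PowerShell prompt on the Windows 7 host. The addresses, the remote network, the rule name and the preshared key are placeholders chosen for this example; the integrity algorithm is SHA-256 rather than the MD5 picked in Solution 1, which is a choice made here (Windows 7 supports it) and must match whatever the OpenBSD peer is configured for.

```powershell
# Added example: netsh equivalent of the GUI tunnel set-up above.
# Requires an elevated prompt and the Windows 7 "advanced firewall" (netsh advfirewall).
# All values below are assumptions for this example; replace them with your own.

$DevServer       = '192.0.2.10'      # this Windows host ($dev_server), local tunnel endpoint (assumed)
$DestinationPeer = '198.51.100.1'    # the OpenBSD peer ($destination_peer), remote tunnel endpoint (assumed)
$RemoteNetwork   = '10.20.0.0/24'    # hosts behind the OpenBSD peer (assumed; use $DestinationPeer for host-to-host)
$RuleName        = 'Tunnel-to-OpenBSD'
$Psk             = 'ReplaceWithALongRandomSecret'
# Keep these values free of spaces: PowerShell re-quotes native-command arguments that
# contain spaces, and netsh does not parse a quoted "name=My Rule" token the same way.

# 1. Key exchange (Main Mode), the global equivalent of the first "Customize" dialog.
#    Format is <keyexchange>:<encryption>-<integrity>[,<more>...].
#    SHA-256 is used here instead of the MD5 chosen in the GUI walkthrough; both ends must agree.
netsh advfirewall set global mainmode mmsecmethods dhgroup2:aes256-sha256
netsh advfirewall set global mainmode mmkeylifetime 480min,0sess

# 2./3. Data protection (Quick Mode) and the tunnel rule. netsh has no global quick-mode
#    setting, so the algorithms go on the rule via qmsecmethods. "esp:<integrity>-<encryption>"
#    requires ESP with encryption for this rule, which is what the "Require encryption" box
#    does for rules that use the global defaults.
#    endpoint1/endpoint2 are the computers on each side (the /32 "LAN with one member" here);
#    localtunnelendpoint/remotetunnelendpoint are the two gateway addresses from the wizard's Edit buttons.
#    qmpfs is optional and must match the peer's PFS setting; drop it if the peer does not do PFS.
netsh advfirewall consec add rule `
    name=$RuleName `
    mode=tunnel `
    endpoint1=$DevServer `
    endpoint2=$RemoteNetwork `
    localtunnelendpoint=$DevServer `
    remotetunnelendpoint=$DestinationPeer `
    action=requireinrequireout `
    auth1=computerpsk `
    auth1psk=$Psk `
    qmsecmethods=esp:sha256-aes256 `
    qmpfs=dhgroup2

# Check what was stored. The preshared key is readable to administrators here, which is one
# reason certificates are preferred over PSKs once the tunnel is known to work.
netsh advfirewall consec show rule name=$RuleName verbose

# Send some traffic toward $RemoteNetwork, then confirm that main-mode and quick-mode
# security associations were actually negotiated with the peer.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# To start over:
# netsh advfirewall consec delete rule name=$RuleName
```

If the SA listings stay empty, the mismatch is almost always in the main-mode triple (DH group, encryption, integrity) or in the endpoint/subnet definitions, so compare those against the OpenBSD side line by line before touching anything else.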