[Swan] ikev2 and win7
Bob Miller
bob at computerisms.ca
Wed May 13 03:42:47 EEST 2015
Thanks Paul,
>> Does anyone have an example config they could share?
>
> Have a look at
>
> https://github.com/libreswan/libreswan/tree/master/testing/pluto/interop-ikev2-strongswan-23-initiator-cp
>
>
> It shows a libreswan-strongswan ikev2 interop. The only difference for
> you is that you'd configure X.509 certificates instead of PSK.
I think I got it figured out. In the hopes it is useful to others, this
is what I did:
conn rw-ikev2
        # authenticate both sides with RSA signatures over X.509 certificates
        authby=rsasig
        # take our IKE identity from the certificate's subject/SAN
        leftid=%fromcert
        left=199.247.224.49
        # offer the whole address space so clients route all traffic through the tunnel
        leftsubnet=0.0.0.0/0
        # nickname of the server certificate in the NSS database
        leftcert=thiscert
        # our public key comes from leftcert
        leftrsasigkey=%cert
        # the peer's public key comes from the certificate it presents
        rightrsasigkey=%cert
        rightid=%fromcert
        # any road-warrior client may connect
        right=%any
        # refuse IKEv1; Windows 7 speaks IKEv2
        ikev2=insist
        # let the client narrow the traffic selectors it proposes
        narrowing=yes
        # the peer requests its address via configuration payload (CP)
        rightmodecfgclient=yes
        # pool of virtual addresses handed out to clients
        rightaddresspool=10.25.0.2-10.25.0.10
        # DNS server pushed to clients
        modecfgdns1=192.168.169.1
I configured the windows client as per:
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
and I had to redo my certificates as per error 13801 on this page:
http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx
It seems that routing is a different game here. The way I used to do it
was set the leftsubnet to be that of the remote network, then use
iptables to do FORWARD between the networks, and then a NAT rule to
allow internet access. I found that using this config, the leftsubnet
*also* has to be set to 0.0.0.0/0 in order to allow internet traffic.
I am not really clear on the narrowing function, I think I need to learn
more on that, but that will be for another day. Thanks again for the
pointer, Paul...
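The post mentions having to redo the certificates because of Windows error 13801 but does not show how. The script below is an added example (not Bob's or libreswan's own code) that generates a test CA and a server certificate carrying the two attributes the Windows IKEv2 client is generally reported to insist on: a Server Authentication extended key usage and a subjectAltName matching the address the client dials. The hostname vpn.example.com, the working directory and the CA name are assumptions; the IP address is the one from the config above.

```shell
#!/bin/sh
# Added example: build a CA plus a server certificate suitable for a
# Windows 7 IKEv2 client (serverAuth EKU + SAN matching the dialled address),
# then check that the generated cert really has those attributes.
# WORKDIR, SERVER_IP, SERVER_DNS and the CA name are assumptions.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_IP="${SERVER_IP:-199.247.224.49}"    # left= from the conn above
SERVER_DNS="${SERVER_DNS:-vpn.example.com}" # assumed public hostname

# gen_ca creates a self-signed CA; its certificate is what the Windows
# machine must trust for the server certificate to be accepted.
gen_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example VPN CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# gen_server_cert issues the server certificate with the extensions that
# a plain "openssl req" would otherwise omit.
gen_server_cert() {
    cat > "$WORKDIR/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=IP:$SERVER_IP,DNS:$SERVER_DNS
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$SERVER_DNS" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    openssl x509 -req -days 825 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.crt" 2>/dev/null
}

# check_server_cert returns non-zero if the serverAuth EKU or either SAN
# entry is missing, or if the certificate does not chain to the CA.
check_server_cert() {
    txt=$(openssl x509 -in "$WORKDIR/server.crt" -noout -text)
    echo "$txt" | grep -q "TLS Web Server Authentication" || return 1
    echo "$txt" | grep -q "IP Address:$SERVER_IP" || return 1
    echo "$txt" | grep -q "DNS:$SERVER_DNS" || return 1
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null
}

# Run the whole procedure when executed directly; the functions stay
# reusable for scripting.
if [ -z "${NO_AUTORUN:-}" ]; then
    gen_ca
    gen_server_cert
    check_server_cert && echo "server.crt passes the checks, files in $WORKDIR"
fi
```

The resulting server.crt and server.key are what would be imported into the NSS database referenced by leftcert=, and ca.crt is what the Windows client needs in its machine trust store (the strongSwan Win7Config page linked above describes that import). Running check_server_cert against an existing certificate is a quick way to rule out the two most common causes of error 13801 before touching the libreswan side.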