[Swan] ikev2 and win7

Bob Miller bob at computerisms.ca
Wed May 13 03:42:47 EEST 2015


Thanks Paul,

>> Does anyone have an example config they could share?
>
> Have a look at
>
> https://github.com/libreswan/libreswan/tree/master/testing/pluto/interop-ikev2-strongswan-23-initiator-cp
>
>
> It shows a libreswan-strongswan ikev2 interop. The only difference for
> you is that you'd configure X.509 certificates instead of PSK.

I think I got it figured out.  In the hopes it is useful to others, this 
is what I did:

conn rw-ikev2
    authby=rsasig
    leftid=%fromcert
    left=199.247.224.49
    leftsubnet=0.0.0.0/0
    leftcert=thiscert
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    rightid=%fromcert
    right=%any
    ikev2=insist
    narrowing=yes
    rightmodecfgclient=yes
    rightaddresspool=10.25.0.2-10.25.0.10
    modecfgdns1=192.168.169.1

I configured the windows client as per:

https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config

and I had to redo my certificates as per error 13801 on this page:

http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx

It seems that routing is a different game here.  the way I used to do it 
was set the leftsubnet to be that of the remote network, then use 
iptables to do FORWARD between the networks, and then a NAT rule to 
allow internet access.  I found that using this config, the leftsubnet 
*also* has to be set to 0.0.0.0/0 in order to allow internet traffic.

I am not really clear on the narrowing function, I think I need to learn 
more on that, but that will be for another day.  Thanks again for the 
pointer, Paul...



More information about the Swan mailing list