[Swan] ikev2 and win7
Bob Miller
bob at computerisms.ca
Wed May 13 04:02:24 EEST 2015
Hi again,
Does this solve the problem, as xauth does, of multiple clients
connecting from behind the same router?
On 15-05-12 05:42 PM, Bob Miller wrote:
> Thanks Paul,
>
>>> Does anyone have an example config they could share?
>>
>> Have a look at
>>
>> https://github.com/libreswan/libreswan/tree/master/testing/pluto/interop-ikev2-strongswan-23-initiator-cp
>>
>>
>>
>> It shows a libreswan-strongswan ikev2 interop. The only difference for
>> you is that you'd configure X.509 certificates instead of PSK.
>
> I think I got it figured out. In the hopes it is useful to others, this
> is what I did:
>
> conn rw-ikev2
> authby=rsasig
> leftid=%fromcert
> left=199.247.224.49
> leftsubnet=0.0.0.0/0
> leftcert=thiscert
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> rightid=%fromcert
> right=%any
> ikev2=insist
> narrowing=yes
> rightmodecfgclient=yes
> rightaddresspool=10.25.0.2-10.25.0.10
> modecfgdns1=192.168.169.1
>
> I configured the windows client as per:
>
> https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
>
> and I had to redo my certificates as per error 13801 on this page:
>
> http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx
>
>
> It seems that routing is a different game here. the way I used to do it
> was set the leftsubnet to be that of the remote network, then use
> iptables to do FORWARD between the networks, and then a NAT rule to
> allow internet access. I found that using this config, the leftsubnet
> *also* has to be set to 0.0.0.0/0 in order to allow internet traffic.
>
> I am not really clear on the narrowing function, I think I need to learn
> more on that, but that will be for another day. Thanks again for the
> pointer, Paul...
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
More information about the Swan
mailing list