[Swan] ikev2 and win7

Bob Miller bob at computerisms.ca
Wed May 13 04:02:24 EEST 2015


Hi again,

Does this solve the problem, as xauth does, of multiple clients 
connecting from behind the same router?

On 15-05-12 05:42 PM, Bob Miller wrote:
> Thanks Paul,
>
>>> Does anyone have an example config they could share?
>>
>> Have a look at
>>
>> https://github.com/libreswan/libreswan/tree/master/testing/pluto/interop-ikev2-strongswan-23-initiator-cp
>>
>> It shows a libreswan-strongswan ikev2 interop. The only difference for
>> you is that you'd configure X.509 certificates instead of PSK.
>
> I think I got it figured out.  In the hopes it is useful to others, this
> is what I did:
>
> conn rw-ikev2
>     authby=rsasig
>     leftid=%fromcert
>     left=199.247.224.49
>     leftsubnet=0.0.0.0/0
>     leftcert=thiscert
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>     rightid=%fromcert
>     right=%any
>     ikev2=insist
>     narrowing=yes
>     rightmodecfgclient=yes
>     rightaddresspool=10.25.0.2-10.25.0.10
>     modecfgdns1=192.168.169.1
>
> I configured the Windows client as per:
>
> https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
>
> and I had to redo my certificates as per error 13801 on this page:
>
> http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx
>
> It seems that routing is a different game here.  The way I used to do it
> was set the leftsubnet to be that of the remote network, then use
> iptables to do FORWARD between the networks, and then a NAT rule to
> allow internet access.  I found that using this config, the leftsubnet
> *also* has to be set to 0.0.0.0/0 in order to allow internet traffic.
>
> I am not really clear on the narrowing function, I think I need to learn
> more on that, but that will be for another day.  Thanks again for the
> pointer, Paul...

