[Swan] newb confusion

Paul Wouters paul at nohats.ca
Mon Mar 13 20:45:33 UTC 2017


On Mon, 13 Mar 2017, Brendan Kearney wrote:

>> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_with_L2TP 
>> 
>> If you are using only one client, you can get away with hardcoding the
>> one IP address you want to hand out as a subnet/32.
> I am working on L2TP with PPP pointing to RADIUS.

Ah, then see the above L2TP link.

>> I'm a little confused, as I am seeing IKEv2 and not IKEv1. Are you using
>> the strongswan client on android? In that case, you want to look at:
>> 
>> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
>> 
>> Paul
> Android 4.4.2 gives options for advanced IPSec VPNs:
>
> pre-shared key (IKEv1)
> pre-shared key (IKEv2)
> certificate (IKEv1)
> certificate (IKEv2)
> EAP and certificate (IKEv2)
> L2TP pre-shared key (IKEv1)
> L2TP certificate (IKEv1)
> SecurID (IKEv1)

Oh, I did not know Android can now do IKEv2 as well natively. I wonder
what code they are using. racoon2?

> I selected PSK IKEv2, which does not look like it matches what I am trying to
> do on the server side. More digging to do...

You would need to pick either "L2TP pre-shared key (IKEv1)" or "L2TP
certificate (IKEv1)" depending on whether you want to use CERTS or PSK.

If you want to use certs, then look at:

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_Certificates

Paul

