[Swan] No proposal chosen in version 3.21
Paul Wouters
paul at nohats.ca
Fri Sep 15 21:50:49 UTC 2017
On Fri, 15 Sep 2017, Dynastic Space wrote:
> Thanks for your assistance. We are very novice in this, and any help is
> great. Note that we are running a vpn server for iphone users, so we do not
> really have much control over what protocol they use.
That depends, iphones actually take .mobileprofile files that you can
narrowly specify how they should behave. I use it myself to get an
IKEv2 based VPN service for iphones.
> conn xauth-psk
>     authby=secret
>     pfs=no
>     auto=add
>     rekey=no
>     left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     rightaddresspool=10.231.247.10-10.231.247.254
>     right=%any
>     # make cisco clients happy
>     cisco-unity=yes
>     # address of your internal DNS server
>     modecfgdns1=172.31.14.50
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     xauthby=file
>     # xauthby=alwaysok MUST NOT be used with PSK
>     # Can be played with below
>     #dpddelay=30
>     #dpdtimeout=120
>     #dpdaction=clear
>     # xauthfail=soft
>     ike-frag=yes
>     ikev2=never
>     ike=aes128-sha2_256;modp2048
>     esp=aes128-sha2_256;modp2048
Sorry, the keylen value shows as 0x0100 which is 256, not 128, so try:
ike=aes256-sha2_256;modp2048
esp=aes256-sha2_256;modp2048
> (p: #1 protoid=isakmp transform=15
> (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
> value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
> value=fde9)(type=hash value=sha2-256)(type=group desc value=modp2048))
Paul
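
The keylen reading in the reply above can be checked mechanically. The following is an added example, not part of the original message or of libreswan: it parses the quoted transform dump, decodes the hex-valued attributes, and builds the matching ike= value. The function names are hypothetical, and the sample is the dump as quoted in this thread.

```python
import re

# Sample input: the peer's transform exactly as quoted in the thread,
# including the mail quote prefixes and line wrapping.
SAMPLE = """\
> (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
> value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
> value=fde9)(type=hash value=sha2-256)(type=group desc value=modp2048))
"""

# \s+ rather than a literal space, so attributes wrapped across lines match.
ATTR_RE = re.compile(r"\(type=([a-z]+)(?:\s+desc)?\s+value=([^)\s]+)\)")

# Attributes this dump prints as raw hex rather than by name.
HEX_ATTRS = {"keylen", "lifeduration", "auth"}


def parse_transform(text):
    """Return {attribute: value}, decoding hex-valued attributes to int."""
    text = re.sub(r"(?m)^>\s?", "", text)  # drop mail quote prefixes
    attrs = {}
    for name, value in ATTR_RE.findall(text):
        attrs[name] = int(value, 16) if name in HEX_ATTRS else value
    return attrs


def to_proposal(attrs):
    """Build the enc-hash;group string used on the ike= line in the thread."""
    missing = {"enc", "hash", "group"} - attrs.keys()
    if missing:
        raise ValueError(f"transform lacks: {sorted(missing)}")
    enc = attrs["enc"]
    if "keylen" in attrs:
        enc += str(attrs["keylen"])  # 0x0100 -> 256, so aes256 not aes128
    # The dump writes sha2-256; the config in the thread writes sha2_256.
    hash_name = attrs["hash"].replace("-", "_")
    return f"{enc}-{hash_name};{attrs['group']}"


if __name__ == "__main__":
    parsed = parse_transform(SAMPLE)
    print(parsed)
    print("ike=" + to_proposal(parsed))
```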