[Swan] mac and win10 ikev2

Computerisms Corporation bob at computerisms.ca
Tue Dec 19 17:14:33 UTC 2017


Hi,

Thanks to Paul's generous help I was able to get mac and windows working 
together as they should.  For the benefit of others trying the same, I 
am just posting here some hints in case they are helpful.

For the mac, you need a .mobileconfig xml file.  You will need to put 
base64 values for the certs, and change the password and hosts and such. 
When you get it right and open the file on the mac it will show you 
the CA and the user cert.

For the firewall cert (not sure if it is required, but in the 
troubleshooting process I ended up adding it) I put a DNS: 
SubjectAltName as well as an IP: SubjectAltName.

The default ike and phase2alg settings didn't work for any of 
Windows 7, Windows 10, or Mac OS 10.10, at least for me.  I had to 
adjust them according to the proposals I found in the logs.

My working conn:

conn rw-ikev2
    authby=rsasig
    left=XX.XX.XX.XX
    leftsubnet=0.0.0.0/0
    leftcert=fw.computerisms.ca
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsendcert=always
    right=%any
    rightid=%fromcert
    rightca=%same
    rightrsasigkey=%cert
    rightsendcert=always
    rightmodecfgclient=yes
    rightaddresspool=10.25.0.2-10.25.0.20
    narrowing=yes
    modecfgdns1=192.168.123.254
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes
    pfs=yes

    ike=aes256-sha384-modp1024,aes256-sha256-modp2048,aes256-sha512-modp8192,aes256-sha512-modp2048
    phase2alg=aes256-sha1,aes256-sha512;modp4096

-- 
Bob Miller
Cell: 867-334-7117
Office: 867-633-3760
www.computerisms.ca
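As an added illustration of the .mobileconfig step above (not code from the post or from Libreswan), the script below builds a minimal IKEv2 profile from a PEM CA cert and a PKCS#12 user bundle: Python's plistlib writes bytes values as the base64 <data> elements the profile needs, and the IKE/child proposals are taken from one entry each of the ike= and phase2alg= lines. The certificate bytes, host names, identities and PayloadIdentifier strings are constructed stand-ins.

```python
import base64
import plistlib
import uuid

# Constructed stand-ins, not real certificates: a PEM blob wrapping arbitrary
# bytes, and a byte string standing in for a PKCS#12 bundle.
SAMPLE_CA_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(b"fake-ca-der-bytes")
                 + b"-----END CERTIFICATE-----\n")
SAMPLE_USER_P12 = b"fake-pkcs12-bytes"

def pem_to_der(pem):
    """Strip the PEM armor lines and decode the base64 body to DER bytes."""
    body = b"".join(l for l in pem.splitlines() if not l.startswith(b"-----"))
    return base64.b64decode(body)

def build_mobileconfig(ca_pem, user_p12, p12_password, server_host, user_id):
    """Return the profile as XML plist bytes; bytes values become <data>."""
    ca_uuid, p12_uuid, vpn_uuid = (str(uuid.uuid4()) for _ in range(3))
    ca_payload = {  # PayloadIdentifier values are assumed, pick your own
        "PayloadType": "com.apple.security.root", "PayloadVersion": 1,
        "PayloadUUID": ca_uuid, "PayloadIdentifier": "example.vpn.ca",
        "PayloadContent": pem_to_der(ca_pem)}
    p12_payload = {
        "PayloadType": "com.apple.security.pkcs12", "PayloadVersion": 1,
        "PayloadUUID": p12_uuid, "PayloadIdentifier": "example.vpn.user",
        "Password": p12_password, "PayloadContent": user_p12}
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
        "PayloadUUID": vpn_uuid, "PayloadIdentifier": "example.vpn.ikev2",
        "UserDefinedName": "IKEv2 VPN", "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server_host,
            "RemoteIdentifier": server_host,  # match the DNS: SAN on the fw cert
            "LocalIdentifier": user_id,
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": p12_uuid,
            # aes256-sha256-modp2048 from the post's ike= line
            "IKESecurityAssociationParameters": {"EncryptionAlgorithm": "AES-256",
                "IntegrityAlgorithm": "SHA2-256", "DiffehellmanGroupPlaceholder": 0}
                if False else {"EncryptionAlgorithm": "AES-256",
                "IntegrityAlgorithm": "SHA2-256", "DiffieHellmanGroup": 14},
            # aes256-sha512;modp4096 from the post's phase2alg= line
            "ChildSecurityAssociationParameters": {"EncryptionAlgorithm": "AES-256",
                "IntegrityAlgorithm": "SHA2-512", "DiffieHellmanGroup": 16}}}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadUUID": str(uuid.uuid4()), "PayloadIdentifier": "example.vpn",
               "PayloadDisplayName": "IKEv2 to " + server_host,
               "PayloadContent": [ca_payload, p12_payload, vpn_payload]}
    return plistlib.dumps(profile)

def load_profile(xml_bytes):
    """Parse profile bytes back into a dict (used to check the output)."""
    return plistlib.loads(xml_bytes)
```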

