[Swan] LibreSwan - Transport Mode with Certification from Windows Clients

Matt Dennison Matt.Dennison at tribalgroup.com
Mon Mar 19 17:19:30 UTC 2018


Hi

I'm after a little help, not certain I'm fully on the right track.

I have successfully secured traffic between LibreSwan and multiple dynamic Windows hosts using a preshared key and transport mode, as in the example below.

conn secure_hosts
    type=transport
    authby=secret
    left=192.168.10.130
    right=%any
    pfs=yes
    ike=3des-sha1;modp1024
    phase2=esp
    auto=ondemand

conn block-plain1
    left=192.168.10.130
    right=%any
    rightsubnet=192.168.10.132/30
    type=drop
    authby=never
    auto=ondemand
    # low priority so secure_hosts wins when up
    priority=6000

Now that I have this working I would like to change it over to using certificates, if possible. I've created and imported a certificate with its chain into LibreSwan and imported the certificate authority into the Windows VM I'm using for testing. So far I've tried modifying the above and adding various combinations of the options below, taken from what sources of help I've been able to find online:

    authby=rsasig
    leftrsasigkey=%cert
    leftcert=example.mydomain.net
    leftsendcert=always
    leftid=@example.mydomain.net
    right=%any
    rightca=%same
    rightrsasigkey=%cert

On the Windows client I've replaced the preshared-key authentication method and selected 'Use a certificate from this certification authority (CA)'.

Any advice is welcome.

Thanks

Matt
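For reference, here is a certificate-authenticated version of the transport-mode conn above, assembled from standard libreswan options. It is an added example, not part of Matt's post or of libreswan's documentation. It assumes (none of this is stated in the post) that the server certificate and key were imported into the NSS database under /etc/ipsec.d with `ipsec import example.mydomain.net.p12` and carry the nickname `example.mydomain.net`, and that the issuing CA was imported as trusted with something like `certutil -A -d sql:/etc/ipsec.d -n "Example Root CA" -t "CT,," -i ca.crt`. The addresses are the ones from the working PSK conn.

```ini
# Added example, not from the original post. Assumptions: server cert+key
# imported into the NSS database with nickname "example.mydomain.net";
# the issuing CA imported into the same database with trust flags "CT,,".
conn secure_hosts_cert
    type=transport
    left=192.168.10.130
    # nickname of the server certificate in the NSS database
    leftcert=example.mydomain.net
    # take our IKE ID from the certificate (its subject DN) instead of an
    # @FQDN; Windows identifies certificate peers by subject DN
    leftid=%fromcert
    leftrsasigkey=%cert
    # Windows clients do not reliably send a CERTREQ, so always send our cert
    leftsendcert=always
    # dynamic Windows clients
    right=%any
    # the Windows peer's ID is the subject DN of its computer certificate
    rightid=%fromcert
    rightrsasigkey=%cert
    # accept any peer certificate that chains to the CA that issued ours
    rightca=%same
    authby=rsasig
    pfs=yes
    # same proposal as the working PSK conn (Windows IKEv1 main-mode default);
    # 3DES/SHA-1/modp1024 is weak, see the note below
    ike=3des-sha1;modp1024
    phase2=esp
    # responder only: the Windows hosts initiate, so just load the conn
    auto=add
```

After `ipsec restart` (or `ipsec auto --add secure_hosts_cert`), check that the nicknames resolve with `certutil -L -d sql:/etc/ipsec.d` (the CA must show `CT,,` in the trust column) and that `ipsec status` lists the conn with `RSASIG` rather than `PSK`. On the Windows side the machine needs a computer certificate with private key in the Local Machine Personal store, issued by the same CA, with the CA in Trusted Root Certification Authorities; the connection security rule then authenticates the computer by that certificate. The `ike=3des-sha1;modp1024` line is kept only because it is what the working PSK conn negotiated; 3DES, SHA-1 and a 1024-bit group are all below current recommendations, and Windows' main-mode defaults can be raised (assumed syntax, check `netsh advfirewall set global mainmode` help) with `netsh advfirewall set global mainmode mmsecmethods dhgroup14:aes256-sha256`, after which libreswan can be moved to `ike=aes256-sha2;modp2048`.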