[Swan] example .conf for road warriors

Paul Wouters paul at nohats.ca
Fri May 15 15:15:31 UTC 2020

On Fri, 15 May 2020, Jeremy Hayward wrote:

> I want to set up a connection on my libreswan that will allow anyone to connect with just the username and password.  I
> understand the security implications of this, but I want to be able to access a system from anywhere in the world, from any
> device.  The main client will be Android phone, but again, I don't want to have to install specific software on that phone -
> just use the built in android vpn facility.
> I used to do this with PPTP for many years and it worked well, but I think that would now be too dangerous but the Android
> phones now support relatively IPSec which I think will be good enough.

That is still unwise. The problem is with user/password is that you have
to use authby=secret, giving out this preshared key to everyone, meaning
that everyone who has the client information (legitimately or
maliciously obtained) would be able to forge messages from the gateway
or other clients. It is also only supported in the old IKEv1 method,
not the new IKEv2 method.

> I've built a conf, but as a bit of a noob, I'm not sure if I've made a rookie error, or it just won't work in the way I'm
> intending.
> Here is my .conf
> conn Warrior
> dpdaction=clear
> dpddelay=30
> dpdtimeout=120
> fragmentation=yes
> ike=3des-md5;modp1024

Doing 3des-md5 wasn't even good in 1999. It is surely not good now.
Worse, modp1024 is DH2 which we don't even compile in support for
anymore because university style computing budgets can break it, so
surely nation states can too.

> ikev2=insist

android only just got ikev2 support (or will get in in the next
version?) and so basically no android client in the wild supports
native ikev2. Also see the above. For ikev2 you would want to at
least use one certificate on the server (even if clients would
use authby=secret to identity themselves. But these kind of
ikev2' configurations can only be done using EAP, which libreswan
currently does not support.

You really seem to want this type of config:


I still recommend you change your requirements for a more secure deployment.


More information about the Swan mailing list