[Swan] Options for Windows clients

Alex mysqlstudent at gmail.com
Thu Dec 24 03:41:45 UTC 2020


Hi,

> > Is there documentation available on how to configure
> > it with libreswan?
>
> Yes, see our libreswan examples on the website.

I followed the examples outlined on this page, including importing the
pkcs12 file with ipsec and building an ipsec.conf for the VPN server.
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

I was able to import the cert successfully on win10. When I try to
connect, I receive a "Policy match error". How do I troubleshoot this?
I have made the registry changes for "Windows Certificate
requirements" and "L2TP / IPsec with the server behind NAT" as per
this doc:
https://libreswan.org/wiki/Interoperability#Windows_Certificate_requirements

I've also added the "NegotiateDH2048_AES256" DWORD as per this doc:
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

I'm also seeing the following in pluto.log:
Dec 23 22:31:29.242048: "ikev2-cp"[4] 192.168.1.35 #7: no local
proposal matches remote proposals
1:IKE:ENCR=3DES;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024
2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024
3:IKE:ENCR=3DES;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024
4:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024
5:IKE:ENCR=3DES;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024
6:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024

Dec 23 22:31:29.242065: "ikev2-cp"[4] 192.168.1.35 #7: responding to
IKE_SA_INIT message (ID 0) from 192.168.1.35:500 with unencrypted
notification NO_PROPOSAL_CHOSEN

The win10 laptop I am using is connected to our internal network on
192.168.1.35. The libreswan server has a public IP (which I've
specified as the endpoint for the win10 client), but also is the
Internet gateway for the win10 client as 192.168.1.1. Is it possible
to connect to the libreswan server while being on the same internal
network?

The network looks like this:

68.195.111.42 <--> 192.168.1.1 <--> internal network with win10 client (192.168.1.35)

If not, is there another way to test this without having to go outside
the local network?

Here is my windows.conf config file:

conn ikev2-cp
    left=68.195.111.42
    leftcert=vpn.mycompany.com
    leftid=@vpn.mycompany.com
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=192.168.6.2-192.168.6.254
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns=8.8.8.8,8.8.4.4
    narrowing=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes

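As an added illustration (not part of the thread and not libreswan's own code), the following Python script parses the "no local proposal matches remote proposals" block that pluto.log prints in the format quoted above, checks each client proposal against a constructed local proposal list written in the same ENCR/INTEG/PRF/DH form, and flags primitives such as 3DES and MODP1024 so that the mismatch is understood before anyone decides whether to change the client or the server. The sample log and the local proposal list are constructed for the example; the real local list comes from the conn's ike= line.

```python
import re

# Constructed sample in the same shape as the pluto.log excerpt in the post.
PLUTO_LOG = """\
Dec 23 22:31:29.242048: "ikev2-cp"[4] 192.168.1.35 #7: no local proposal matches remote proposals
1:IKE:ENCR=3DES;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024
2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024
3:IKE:ENCR=3DES;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024
4:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024
"""

# Constructed local IKE proposal set, in the same canonical attribute form
# that pluto uses in its log lines (assumption: one AES-256/SHA2-256/MODP2048 proposal).
LOCAL = [
    {"ENCR": "AES_CBC_256", "INTEG": "HMAC_SHA2_256_128",
     "PRF": "HMAC_SHA2_256", "DH": "MODP2048"},
]

# Primitives worth flagging in a review of the client's proposal list.
WEAK = {
    "ENCR": {"3DES"},
    "INTEG": {"HMAC_SHA1_96", "HMAC_MD5_96"},
    "DH": {"MODP768", "MODP1024"},
}

PROPOSAL_RE = re.compile(r"^(\d+):IKE:(.*)$")


def parse_proposals(log):
    """Return [(number, {attr: value, ...}), ...] for each IKE proposal line in the log text."""
    out = []
    for line in log.splitlines():
        m = PROPOSAL_RE.match(line.strip())
        if m:
            attrs = dict(kv.split("=", 1) for kv in m.group(2).split(";"))
            out.append((int(m.group(1)), attrs))
    return out


def analyse(log, local=LOCAL):
    """For each remote proposal, report whether any local proposal matches it exactly
    and which of its attributes fall in the WEAK table."""
    report = []
    for num, p in parse_proposals(log):
        matched = any(all(p.get(k) == v for k, v in loc.items()) for loc in local)
        weak = sorted(f"{k}={p[k]}" for k in WEAK if p.get(k) in WEAK[k])
        report.append({"proposal": num, "matches": matched, "weak": weak})
    return report
```

Running analyse(PLUTO_LOG) on the sample shows that none of the four client proposals matches and that every one of them is pinned to MODP1024, which is why the responder answers with NO_PROPOSAL_CHOSEN.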