[Swan] Options for Windows clients

Alex mysqlstudent at gmail.com
Thu Dec 24 15:34:13 UTC 2020


> The win10 laptop I am using is connected to our internal network on
> The libreswan server has a public IP (which I've
> specified as the endpoint for the win10 client), but also is the
> Internet gateway for the win10 client as Is it possible
> to connect to the libreswan server while being on the same internal
> network?
> Shouldn't you use an FQDN rather than an IP, with the FQDN matching your certificate SAN? Then, on your LAN, fix the DNS server to map the FQDN to

I'm not sure I understand. You're saying I should be using real
hostnames and DNS instead of just an IP address? Where specifically
should I be doing this?

In my windows.conf:

conn ikev2-cp

Is vpn.mycompany.com supposed to resolve to something or is it just a
label? If so, should it be the address?

I believe the real problem is here:
Dec 24 10:26:32.076033: packet from ISAKMP_v2_IKE_SA_INIT message received on but no suitable connection found with IKEv2 policy
Dec 24 10:26:32.076091: packet from responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification

I've followed the directions described here to create a registry
entry. I've also now added the esp= and ike= lines referenced in this
doc, although it's unclear if that's what I was supposed to do, and it
still doesn't work.

> FWIW an internal LAN of or is lousy for a roadwarrior as there is a high chance it will be the same as the local LAN he is connecting from, once he is on the road.

Yes, very true. This network was created more than
twenty years ago. We're also using for the mobile
workers, so hopefully that minimizes the potential for conflict.
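
For readers of this thread, an added example of a libreswan IKEv2 roadwarrior conn for Windows 10 clients where the server is identified by the FQDN in its certificate's SAN. This is not the poster's windows.conf and not the libreswan project's reference config. The name vpn.mycompany.com is taken from the thread; the certificate nickname, the 100.64.0.0/24 client pool, the resolver and search domain, and the ike=/esp= proposal lists are assumptions for illustration and must be adjusted to the real certificate and to what the client actually proposes.

```ini
# /etc/ipsec.d/windows.conf  (added example; values marked "assumed" are placeholders)
conn ikev2-cp
    # Server side ("left"). The identity is the FQDN the Windows client dials,
    # and that same FQDN must appear as a dNSName SAN in the server certificate.
    # left= is the local address the conn is bound to; IKE_SA_INIT packets that
    # arrive on a different local address will not match this conn.
    left=%defaultroute
    leftid=@vpn.mycompany.com
    # assumed: NSS nickname under which the server certificate was imported
    leftcert=vpn.mycompany.com
    leftsendcert=always
    # Offer a full tunnel; narrowing=yes lets the client settle for less.
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # Client side ("right"): any source address, authenticated by a client
    # certificate issued by the same CA as the server certificate.
    right=%any
    rightid=%fromcert
    rightca=%same
    rightrsasigkey=%cert
    # assumed pool: chosen outside the RFC 1918 ranges typical of home/hotel LANs
    rightaddresspool=100.64.0.1-100.64.0.254
    # assumed: internal resolver and search domain pushed to the client
    modecfgdns=10.0.0.53
    modecfgdomains=mycompany.com
    narrowing=yes
    # Dead peer detection and housekeeping
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    fragmentation=yes
    auto=add
    # IKEv2 only. The proposal lists are assumed here; they must overlap with
    # what the Windows client sends, which depends on its RasMan registry setting.
    ikev2=insist
    ike=aes256-sha2_256;modp2048,aes256-sha1;modp1024
    esp=aes256-sha2_256,aes256-sha1
```

Two points worth checking against the log lines quoted earlier in the thread. First, the Windows client should be given vpn.mycompany.com (not the bare IP) as its server address, so that the name it dials, the leftid= above and the certificate SAN all agree; on the LAN that name has to resolve to whichever server address the conn is bound to. Second, in libreswan "no suitable connection found with IKEv2 policy" is raised by the connection lookup on the local address and port the packet was received on, before any proposals are compared, and the responder answers with an unencrypted NO_PROPOSAL_CHOSEN. The stripped part of that line names the local address; if it is the internal interface rather than the public IP, a conn with left= set to the public address will never match it, regardless of the ike= and esp= lines.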

