[Swan] Options for Windows clients
mysqlstudent at gmail.com
Thu Dec 24 15:34:13 UTC 2020
> The win10 laptop I am using is connected to our internal network on
> 192.168.1.35. The libreswan server has a public IP (which I've
> specified as the endpoint for the win10 client), but also is the
> Internet gateway for the win10 client as 192.168.1.1. Is it possible
> to connect to the libreswan server while being on the same internal
> Shouldn't you use an FQDN rather than an IP, with the FQDN matching your certificate SAN? Then, on your LAN, fix the DNS server to map the FQDN to 192.168.1.1.
I'm not sure I understand. You're saying I should be using real
hostnames and DNS instead of just an IP address? Where specifically
should I be doing this?
In my windows.conf:
Is vpn.mycompany.com supposed to resolve to something or is it just a
label? If so, should it be the 184.108.40.206 address?
I believe the real problem is here:
Dec 24 10:26:32.076033: packet from 192.168.1.35:500:
ISAKMP_v2_IKE_SA_INIT message received on 220.127.116.11:500 but no
suitable connection found with IKEv2 policy
Dec 24 10:26:32.076091: packet from 192.168.1.35:500: responding to
IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification
I've followed the directions described here to create a registry
entry. I've also now added the esp= and ike= lines referenced in this
doc, although it's unclear if that's what I was supposed to do, and it
still doesn't work.
> FWIW an internal LAN of 192.168.1.0/24 or 192.168.0.0/24 is lousy for a roadwarrior as there is a high chance it will be the same as the local LAN he is connecting from, once he is on the road.
Yes, very true. This 192.168.1.0/24 network was created more than
twenty years ago. We're also using 192.168.6.0/24 for the mobile
workers, so hopefully that minimizes the potential for conflict.
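As an added example (not part of the thread), the two checks the FQDN suggestion above implies, written in shell: that the name given to the Windows client is listed as a DNS SAN in the server certificate, and that the LAN resolver maps that name to the internal gateway address. It assumes the openssl command-line tool; vpn.mycompany.com and 192.168.1.1 are placeholders taken from the thread, and the certificate and hosts file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Checks for a libreswan roadwarrior
# setup where the Windows client is pointed at an FQDN instead of an IP:
#  1) the FQDN must appear as a DNS SAN in the server certificate;
#  2) the LAN resolver must map that FQDN to the internal gateway address.
# Requires the openssl CLI. Names and addresses are placeholders.

# cert_has_dns_san CERT.pem FQDN -> exit 0 if FQDN is a DNS SAN entry
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
      | awk '/Subject Alternative Name/ { getline; print }' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\(.*\)[[:space:]]*$/\1/p' \
      | grep -qx "$2"
}

# hosts_maps_to HOSTSFILE FQDN IP -> exit 0 if the file maps FQDN to IP
# (parses /etc/hosts syntax; stands in for querying the LAN DNS server)
hosts_maps_to() {
    awk -v name="$2" -v ip="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) found = ($1 == ip) }
        END { exit found ? 0 : 1 }' "$1"
}

# make_demo_cert DIR FQDN -> self-signed DIR/cert.pem with DNS SAN = FQDN
# (constructed for the demo; a real deployment uses its own CA-issued cert)
make_demo_cert() {
    cat > "$1/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $2
[v3]
subjectAltName = DNS:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/san.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_cert "$demo" vpn.mycompany.com
# constructed LAN resolver entry: FQDN -> internal gateway
printf '192.168.1.1 vpn.mycompany.com\n' > "$demo/hosts"
cert_has_dns_san "$demo/cert.pem" vpn.mycompany.com && echo "SAN: ok"
hosts_maps_to "$demo/hosts" vpn.mycompany.com 192.168.1.1 && echo "LAN DNS: ok"
```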