[Swan] Options for Windows clients

Alex mysqlstudent at gmail.com
Tue Dec 29 02:33:52 UTC 2020


Hi,

> >>> I've also added the "NegotiateDH2048_AES256" DWORD as per this doc:
> >>> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
> >>
> >> Instead of tweaking the registry, you might rather use the Windows
> >> Powershell, and specifically Set-VpnConnectionIPsecConfiguration:
> >> https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps
> >>
> >> Fair warning: do not use ECP curves for DH group and PfsGroup, because
> >> you won't be able to connect from Win10 to libreswan with those.
> >> Also, do not use elliptic curves (ECDSA) certificates, because you won't
> >> be able to connect from Win10 to libreswan either.
> >> As a side note, Windows will reject its own certificate if it uses ECDSA

I followed the instructions to create a cert from this libreswan page:
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

How can I tell what type of cert I'm using?

> >> and the DH group does /not/ use EC ciphers, raising the (possibly
> >> confusing) error 13806.
> >
> > I've read over your comments multiple times and I'm really not sure I
> > understand.
> That is probably because my comment assumes some familiarity with IKE
> encryption and authentication methods.
>
>   This is the command I've now tried to use, unsuccessfully:
> >
> > Set-VpnConnectionIPsecConfiguration -ConnectionName "ikev2-cp"
> > -AuthenticationTransformConstants SHA256128 -CipherTransformConstants
> > AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -PfsGroup
> > ECP384 -DHGroup ECP384 -PassThru -Force
>
> This command uses ECP curves for DH group and PfsGroup, which is what I
> said libreswan is *not* able to accept in this scenario.
>
> One hint might be:
> Set-VpnConnectionIPsecConfiguration -ConnectionName "ikev2-cp"
> -AuthenticationTransformConstants SHA256128 -CipherTransformConstants
> AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup
> PFS2048 -DHGroup Group14 -PassThru -Force
>
> DH Group14 means MODP2048:
> https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-8

I've done this, and it appears to make no difference.

There don't appear to be any further references to modp1024, but I
have no idea what to do next.

> I also changed -IntegrityCheckMethod SHA384 to SHA256 because SHA384 is
> not part of the libreswan default set shown below. You may use ike=...
> and esp=... to configure that. See the ipsec.conf manpage for details
> about how to configure those. You may want to start with the default set
> though.

Based on the strongswan page, I've added the following:

  ike=aes256-sha384-prfsha384-modp2048
  esp=aes256gcm16-modp2048

> Here's some instruction on how to configure the windows connection to
> use machine certificates.
> https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
>
> Is it possible you have some "auto" property setting somewhere?

I have followed those instructions explicitly and multiple times.

Can I ask you to review this pastebin output from an attempt to connect?
https://pastebin.com/D83HRJnW

This is with "plutodebug = all crypt". In addition to the
NO_PROPOSAL_CHOSEN messages, the highlights appear to include:

find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500
policy=ECDSA+IKEV2_ALLOW but ignoring ports
find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500
policy=RSASIG+IKEV2_ALLOW but ignoring ports
find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500
policy=PSK+IKEV2_ALLOW but ignoring ports

Thanks so much,
Alex
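Added example (not part of the thread, and not libreswan's or Microsoft's own documentation): a PowerShell snippet that sets the Windows IKEv2 client's proposal to match a libreswan ike=/esp= pair using MODP2048 rather than ECP curves, then lists the machine certificates with their public-key algorithm so you can see whether the client certificate is RSA or ECDSA. The connection name "ikev2-cp" is the one used in the thread; the libreswan proposal lines in the comments are assumed for this example.

```powershell
# Added example (not from the list thread): align the Windows IKEv2 client
# proposal with libreswan's ike=/esp= lines so both ends can agree on one
# proposal instead of returning NO_PROPOSAL_CHOSEN.
#
# Assumed libreswan side (constructed for this example):
#   ike=aes256-sha256-modp2048
#   esp=aes256gcm16-modp2048
#
# Mapping to the Windows client parameters:
#   IKE encryption  aes256      -> -EncryptionMethod AES256
#   IKE integrity   sha256      -> -IntegrityCheckMethod SHA256
#   IKE DH          modp2048    -> -DHGroup Group14   (IANA group 14 = MODP 2048)
#   ESP cipher      aes256gcm16 -> -CipherTransformConstants GCMAES256
#   ESP integrity   (AEAD)      -> -AuthenticationTransformConstants GCMAES256
#   ESP PFS         modp2048    -> -PfsGroup PFS2048
# ECP384 is deliberately not used for DHGroup or PfsGroup: the thread reports
# that ECP groups do not interoperate between Windows 10 and libreswan.

$ConnectionName = 'ikev2-cp'   # connection name used in the thread

$ipsec = @{
    ConnectionName                   = $ConnectionName
    EncryptionMethod                 = 'AES256'
    IntegrityCheckMethod             = 'SHA256'
    DHGroup                          = 'Group14'
    CipherTransformConstants         = 'GCMAES256'
    AuthenticationTransformConstants = 'GCMAES256'
    PfsGroup                         = 'PFS2048'
    Force                            = $true
    PassThru                         = $true   # print the resulting policy
}

# Apply the custom IPsec policy to the existing VPN connection.
Set-VpnConnectionIPsecConfiguration @ipsec

# Answering "how can I tell what type of cert I'm using?" on the Windows side:
# list the machine certificates and show the public-key algorithm. 'RSA' is
# what the thread says works against libreswan; 'ECC' means an ECDSA key,
# which the thread says Windows 10 cannot use with libreswan.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, NotAfter,
        @{ Name = 'KeyAlgorithm'; Expression = { $_.PublicKey.Oid.FriendlyName } } |
    Format-Table -AutoSize
```

If the libreswan side uses a non-AEAD ESP cipher such as esp=aes256-sha256, change the two transform constants to AES256 and SHA256128 as in the command quoted above; the point is that the IKE and ESP algorithm sets, including the DH and PFS groups, must intersect on both ends. On the libreswan host the same key-type check can be done with openssl on the PEM file (the "Public Key Algorithm" line of `openssl x509 -noout -text`).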

