[Swan] Options for Windows clients

Paul Wouters paul at nohats.ca
Tue Dec 29 03:31:30 UTC 2020

On Mon, 28 Dec 2020, Alex wrote:

> How can I tell what type of cert I'm using?

openssl x509 -noout -text -in /your/cert.pem

> Based on the strongswan page, I've added the following:
>  ike=aes256-sha384-prfsha384-modp2048
>  esp=aes256gcm16-modp2048

strongswan is not fullt compatible with libreswan. the ike= and esp=
line take a different format. The above two strongswan lines translate
to libreswan as:


> Can I ask you to review this pastebin output from an attempt to connect?
> https://pastebin.com/D83HRJnW
> This is with "plutodebug = all crypt". In addition to the
> NO_PROPOSAL_CHOSEN messages, the highlights appear to include:
> find_host_connection local= remote=
> policy=ECDSA+IKEV2_ALLOW but ignoring ports
> find_host_connection local= remote=
> policy=RSASIG+IKEV2_ALLOW but ignoring ports
> find_host_connection local= remote=
> policy=PSK+IKEV2_ALLOW but ignoring ports

This is just our debugging the loop over the existing authentication
methods and IPs.

It seems you do not have a connection loaded that satisfies all of these:
- has ikev2=yes
- uses left= (or left=%defaultroute) [provided you use left
   as your local machine, and right for the remote machine options. if
   you flipped that, you don't have a right= matching these]
- uses right= or right=%any
- uses authby=ecdsa or authby=rsa or authby=secret (or a combination
   thereof, or it is not set in which case the defaults would include rsa
   and/or rsa+ecdsa depending on the version of libreswan)
- an ike= line that matches the remote client proposal list (or the
   client uses something that is not a default ike parameter when no ike=
   line is specified)

You might want to manually add the connection to see if it loads at all:

ipsec auto --add yourconnname


More information about the Swan mailing list