[Swan] Options for Windows clients
Paul Wouters
paul at nohats.ca
Tue Dec 29 03:31:30 UTC 2020
On Mon, 28 Dec 2020, Alex wrote:
> How can I tell what type of cert I'm using?
openssl x509 -noout -text -in /your/cert.pem
> Based on the strongswan page, I've added the following:
>
> ike=aes256-sha384-prfsha384-modp2048
> esp=aes256gcm16-modp2048
strongswan is not fully compatible with libreswan. The ike= and esp=
lines take a different format. The above two strongswan lines translate
to libreswan as:
ike=aes256-sha2_384;modp2048
esp=aes_gcm256;modp2048
> Can I ask you to review this pastebin output from an attempt to connect?
> https://pastebin.com/D83HRJnW
>
> This is with "plutodebug = all crypt". In addition to the
> NO_PROPOSAL_CHOSEN messages, the highlights appear to include:
>
> find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500
> policy=ECDSA+IKEV2_ALLOW but ignoring ports
> find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500
> policy=RSASIG+IKEV2_ALLOW but ignoring ports
> find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500
> policy=PSK+IKEV2_ALLOW but ignoring ports
This is just our debugging of the loop over the existing authentication
methods and IPs.
It seems you do not have a connection loaded that satisfies all of these:
- has ikev2=yes
- uses left=68.195.111.42 (or left=%defaultroute) [provided you use left
  as your local machine, and right for the remote machine options. If
  you flipped that, you don't have a right= matching these]
- uses right=192.168.1.35 or right=%any
- uses authby=ecdsa or authby=rsa or authby=secret (or a combination
thereof, or it is not set in which case the defaults would include rsa
and/or rsa+ecdsa depending on the version of libreswan)
- an ike= line that matches the remote client proposal list (or the
client uses something that is not a default ike parameter when no ike=
line is specified)
You might want to manually add the connection to see if it loads at all:
ipsec auto --add yourconnname
Paul
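The checklist in the reply above (ikev2=yes, a left=/right= pair that covers the logged local and remote addresses, an authby= that allows the policy pluto tried) can be applied mechanically. The script below is an added example, not libreswan code and not something posted in this thread: it parses the find_host_connection debug lines quoted above and a constructed ipsec.conf (the addresses come from the thread, the ike=/esp= lines are the libreswan translations given above, the conn names winclients, flipped and legacy are made up) and reports which conn sections fail which item. Assumptions, marked in the code: the policy tokens RSASIG, ECDSA and PSK are matched to authby= keywords starting with rsa, ecdsa and secret; a missing authby= is treated as the version-dependent default rsasig,ecdsa; authby= lists are comma-separated; ikev2=yes or ikev2=insist count as IKEv2. The ike= proposal match, the last item in the checklist, is not evaluated because that needs the client's proposal list.

```python
#!/usr/bin/env python3
"""Match libreswan conn sections against pluto's find_host_connection lines.

Added example; not libreswan code. It applies the checklist from the mail
above (ikev2, left/right, authby) to a constructed ipsec.conf.
"""
import re

# Constructed sample, modelled on the debug output quoted in the thread.
LOG_LINES = [
    "find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports",
    "find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports",
    "find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500 policy=PSK+IKEV2_ALLOW but ignoring ports",
]

# Constructed ipsec.conf: winclients should match, flipped uses left for the
# remote side (the bracketed caveat above), legacy is IKEv1 only.
SAMPLE_CONF = """\
config setup
    plutodebug="all crypt"

conn winclients
    ikev2=yes
    left=68.195.111.42
    right=%any
    authby=rsasig
    ike=aes256-sha2_384;modp2048
    esp=aes_gcm256;modp2048

conn flipped
    ikev2=yes
    left=192.168.1.35
    right=68.195.111.42
    authby=secret

conn legacy
    ikev2=no
    left=%defaultroute
    right=%any
    authby=secret
"""

# Assumption: policy tokens map to authby= keyword prefixes ("rsa" covers
# rsasig and rsa-sha2*, "ecdsa" the ecdsa forms, "secret" is PSK).
POLICY_AUTH = {"RSASIG": ("rsa",), "ECDSA": ("ecdsa",), "PSK": ("secret",)}
# Assumption: absent authby= means the (version dependent) default of RSA and ECDSA.
DEFAULT_AUTHBY = "rsasig,ecdsa"

LOG_RE = re.compile(r"find_host_connection local=(\S+):\d+ remote=(\S+):\d+ policy=(\S+)")


def parse_log_line(line):
    """Return (local_ip, remote_ip, auth_method, ikev2) from a find_host_connection line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    local, remote, policy = m.groups()
    flags = policy.split("+")
    auth = [f for f in flags if f in POLICY_AUTH]
    return local, remote, (auth[0] if auth else None), "IKEV2_ALLOW" in flags


def parse_conns(text):
    """Parse 'conn NAME' sections into {name: {key: value}}; 'config setup' is ignored."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if not line[0].isspace():
            head = line.split()
            current = conns.setdefault(head[1], {}) if head[0] == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns


def check_conn(conn, local, remote, auth):
    """Return the checklist items this conn fails for the given peer and auth method."""
    problems = []
    if conn.get("ikev2", "no") not in ("yes", "insist"):  # assumption: insist counts as IKEv2
        problems.append("ikev2 is not yes")
    left, right = conn.get("left", ""), conn.get("right", "")
    normal = left in (local, "%defaultroute") and right in (remote, "%any")
    swapped = right in (local, "%defaultroute") and left in (remote, "%any")  # left used for the remote
    if not (normal or swapped):
        problems.append(f"left/right do not cover local={local} remote={remote}")
    authby = {a.strip() for a in conn.get("authby", DEFAULT_AUTHBY).split(",")}  # assumption: comma list
    if auth and not any(a.startswith(POLICY_AUTH[auth]) for a in authby):
        problems.append(f"authby={','.join(sorted(authby))} does not allow {auth}")
    return problems


def matching_conns(conf_text, log_lines):
    """Names of conns that satisfy at least one logged (local, remote, auth) attempt."""
    conns = parse_conns(conf_text)
    matches = set()
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed is None or not parsed[3]:
            continue
        local, remote, auth, _ = parsed
        for name, conn in conns.items():
            if not check_conn(conn, local, remote, auth):
                matches.add(name)
    return sorted(matches)


if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        for line in LOG_LINES:
            local, remote, auth, _ = parse_log_line(line)
            print(name, auth, check_conn(conn, local, remote, auth) or "OK")
    print("usable:", matching_conns(SAMPLE_CONF, LOG_LINES))
```

Run it against your own ipsec.conf and the plutodebug output; a conn that comes back with no problems for at least one policy line is the one pluto should have picked, and if none does, the remaining suspect is the ike= line versus the client's proposals.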