[Swan] Options for Windows clients

Alex mysqlstudent at gmail.com
Wed Dec 30 14:08:08 UTC 2020


Hi,

> > Now Windows is saying "IKE failed to find valid machine certificate.
> > .... install a valid certificate" but I've rebuilt the entire thing,
> > deleted the old certs and inserted a new pk12 cert as I've done
> > before. This strongswan post appears to indicate that "Maybe Windows
> > wants to do ECDSA and searches for such a certificate". Could that be
> > the case here?
> > https://wiki.strongswan.org/issues/3021
>
> Possible, I heard if you configure ECDH it won’t allow RSA based certs.

How can I be sure I'm generating the proper cert with certutil in the
first place?

How much of the strongswan docs are applicable to libreswan? Was
libreswan formed from strongswan or openswan?

> > I've used the following two commands on the Windows side to build the
> > connection:
> >
> > Add-VpnConnection -Name "ikev2-cp" -ServerAddress orion.example.com
> > -TunnelType "Ikev2" -PassThru -Force -EncryptionLevel "Required"
> > -AllUserConnection -AuthenticationMethod MachineCertificate
> >
> > Set-VpnConnectionipsecconfiguration -connectionname "ikev2-cp"
> > -authenticationtransformconstants SHA256128 -ciphertransformconstants
> > AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -Pfsgroup
> > ECP384 -DHGroup Group14 -PassThru -Force
>
> Can you set both pfs group and DH group to group14 ?

The only choices are
https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps
None
PFS1
PFS2
PFS2048
ECP256
ECP384
PFSMM
PFS24

> Using ECP384 might cause it to not accept RSA certificates

Is that just for PFSGroup or all settings? The great thing about
standards is that there's so many to choose from :-(

> >   authby=ecdsa
>
> Avoid ecdsa with Windows as they seem to only support the old method that libreswan doesn’t implement. Also if you use this, you cannot have RSA based certificates as those cannot produce ECDSA signatures.

I was experimenting based on your previous comment. Did I misinterpret it?

> - uses authby=ecdsa or authby=rsa or authby=secret (or a combination thereof, or it is not set in which case
> the defaults would include rsa and/or rsa+ecdsa depending on the version of libreswan)

Shouldn't I be able to choose the algorithms and key sizes during the
certutil cert creation process that we know will work with Windows in
the first place?
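One way to set the IKE DH group and the PFS group to the same MODP-2048 group (the Group14 / PFS2048 values from the option list above) and then list machine certificates that could satisfy MachineCertificate authentication, as an added PowerShell example that is not from this thread or from libreswan. The connection name and server come from the quoted commands; the requirement for the Client Authentication EKU is an assumption.

```powershell
# Added example (not from the thread): same MODP-2048 group for IKE (DHGroup) and
# PFS (PfsGroup), avoiding the ECP384 PFS setting the thread suspects of excluding
# RSA certificates, followed by a check of the machine certificate store.
# Server name and connection name are taken from the quoted commands.

$ConnName = "ikev2-cp"
$Server   = "orion.example.com"

Add-VpnConnection -Name $ConnName -ServerAddress $Server -TunnelType "Ikev2" `
    -EncryptionLevel "Required" -AuthenticationMethod MachineCertificate `
    -AllUserConnection -PassThru -Force

# AES-256-CBC + HMAC-SHA-256 for ESP, SHA-256 integrity for IKE, MODP-2048 for both
# the IKE exchange and child-SA PFS. -PassThru prints the resulting policy so the
# groups can be compared against the server's ike= and esp= lines.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName `
    -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup PFS2048 -AllUserConnection -PassThru -Force

# Machine-certificate auth looks in LocalMachine\My. A usable candidate needs a
# private key and an RSA key (the thread's concern is RSA certificates); the
# Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) is assumed to be required here.
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.PublicKey.Oid.FriendlyName -eq "RSA" -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
} | Select-Object Subject, Issuer, NotAfter, Thumbprint
```

If the last command prints nothing, the imported PKCS#12 either landed in the wrong store, has no private key, or lacks the expected EKU, which is the kind of mismatch the "IKE failed to find valid machine certificate" message points at.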
