[Swan] Options for Windows clients
Manfred
mx2927 at gmail.com
Fri Jan 1 18:17:45 UTC 2021
Hi Paul,
As far as I can see the following are the things that should be updated:
1) Drop the instruction about changing the Windows registry, and add an
instruction to use an administrative PowerShell and
Set-VpnConnectionIPsecConfiguration to solve the issue of the Windows
default weak ciphers.
I see in Alex's log that Windows is still sending multiple proposals for
phase 1 and a proposal for phase 2 (with INTEG=HMAC_SHA1_96) that
doesn't match the Set-VpnConnectionIPsecConfiguration arguments, while I
see that after this command a clean Windows box sends a single proposal
for each of phase 1 and 2, which /do/ match the PS command args. It
looks like this is due to interference with the registry tweak
(according to the strongswan mail thread posted earlier).
The PS command is officially documented and is more complete, while in
turn the registry tweak seems to affect phase 1 only, so I think the
former should be preferred over the latter - your call of course.
2) In the page with instructions about certutil for Windows clients:
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
The instruction to generate the server certificate uses options -1 and
-6 with no arguments, resulting in an interactive input loop for
keyUsage and extKeyUsage. I would suggest explicit arguments instead:
--keyUsage "digitalSignature,keyEncipherment"
--extKeyUsage "serverAuth,ipsecIKEIntermediate"
The instruction to generate the client certificate might be misleading,
instructing the user to set the same extKeyUsage as the server's, which
is wrong. In place of -1 and -6 I'd suggest:
--keyUsage "digitalSignature,keyEncipherment"
--extKeyUsage "clientAuth"
3) This is not really about instructions, however it might be worth
consideration:
In the latest version of this thread the windows certificate still
contains a SAN entry "ip:68.195.111.42" i.e. the IP address of the
server, which is wrong.
The libreswan log detects this mismatch, complains about "connection
failed due to unmatched IKE ID in certificate SAN", but still
establishes a connection. Maybe this is something worth a look into.
On 12/31/2020 8:37 PM, Paul Wouters wrote:
> On Dec 31, 2020, at 14:14, Alex <mysqlstudent at gmail.com> wrote:
>>
>>
>> Can we add some of this to the wiki so someone else doesn't have to go
>> through all of this? There's no way the wiki entry would work as it is
>> currently.
>>
>> I also want to experiment a bit more with the add/set-vpnconnection
>> commands - it seems unreasonable for end-users to have to enter those
>> commands.
>
> I’ll update / integrate the documentation over the next few days.
>
> Thanks for reporting back to us !
>
> Paul
>
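The Set-VpnConnectionIPsecConfiguration step from point 1, written out as an added example; this is not code from the original post, from the wiki page, or from the libreswan project. The connection name, the server FQDN and the cipher selections are assumptions, and the cipher selections are only meaningful if they match the libreswan side (assumed here to be ike=aes256-sha2_256;dh14 and esp=aes_gcm256). The read-back at the end is the check the thread's log analysis calls for: what Get-VpnConnection reports is what the box will actually propose.

```powershell
# Added example, not from the original post or the libreswan wiki. Creates an
# IKEv2 machine-certificate VPN connection and pins its IKE (phase 1) and ESP
# (phase 2) proposals with Set-VpnConnectionIPsecConfiguration instead of the
# registry tweak mentioned in the thread. Assumed placeholders: connection name,
# server FQDN, and the cipher choices, which must match the libreswan ike=/esp=
# lines (assumed: ike=aes256-sha2_256;dh14, esp=aes_gcm256).
# Run from an administrative PowerShell.

$ConnectionName = 'LibreswanIKEv2'    # assumed name
$ServerAddress  = 'vpn.example.com'   # assumed FQDN; should match the server cert's DNS SAN, not an IP

# Intended proposal, kept in one table so the post-check compares against it.
$Expected = @{
    EncryptionMethod                 = 'AES256'     # IKE cipher
    IntegrityCheckMethod             = 'SHA256'     # IKE integrity / PRF
    DHGroup                          = 'Group14'    # IKE DH group (modp2048)
    CipherTransformConstants         = 'GCMAES256'  # ESP cipher (AEAD)
    AuthenticationTransformConstants = 'GCMAES256'  # ESP integrity; AEAD, so no separate HMAC
    PfsGroup                         = 'None'       # no PFS on child rekey
}

# 1. Create the connection; remove a stale one of the same name first so the
#    script can be re-run.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
    -TunnelType IKEv2 -AuthenticationMethod MachineCertificate `
    -RememberCredential $false

# 2. Replace the weak Windows defaults with the pinned proposal.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod $Expected.EncryptionMethod `
    -IntegrityCheckMethod $Expected.IntegrityCheckMethod `
    -DHGroup $Expected.DHGroup `
    -CipherTransformConstants $Expected.CipherTransformConstants `
    -AuthenticationTransformConstants $Expected.AuthenticationTransformConstants `
    -PfsGroup $Expected.PfsGroup `
    -PassThru -Force | Out-Null

# 3. Read the applied policy back and compare it field by field. If the values
#    differ from what was set (the interference described in the thread), the
#    client will send proposals that do not match the server's, so check here
#    before looking at the libreswan log.
$Applied  = (Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy
$Mismatch = @()
foreach ($k in $Expected.Keys) {
    if ("$($Applied.$k)" -ne $Expected[$k]) {
        $Mismatch += ("{0}: expected {1}, applied {2}" -f $k, $Expected[$k], $Applied.$k)
    }
}
if ($Mismatch.Count -eq 0) {
    Write-Host "IPsec policy for '$ConnectionName' pinned as expected."
} else {
    Write-Warning ("Applied IPsec policy differs from the intended proposal:`n" + ($Mismatch -join "`n"))
}
```

The mismatch loop is the part worth keeping in any wiki version of this: it turns "Windows is still sending a different proposal" from something found in the server log into something the client-side administrator sees immediately after running the command.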