[Swan] Options for Windows clients

Manfred mx2927 at gmail.com
Fri Jan 1 18:17:45 UTC 2021

Hi Paul,

As far as I can see the following are the things that should be updated:

1) Drop the instruction about changing the Windows registry, and add an 
instruction to use an administrative PowerShell and 
Set-VpnConnectionIPsecConfiguration to solve the issue of the Windows 
default weak ciphers.
I see in Alex's log that Windows is still sending multiple proposals for 
phase 1 and a proposal for phase 2 (with INTEG=HMAC_SHA1_96) that 
doesn't match the Set-VpnConnectionIPsecConfiguration arguments, while I 
see that after this command a clean Windows box sends a single proposal 
for each of phase 1 and 2, which /do/ match the PS command args. It 
looks like this is due to interference with the registry tweak 
(according to the strongswan mail thread posted earlier).
The PS command is officially documented and is more complete, while in 
turn the registry tweak seems to affect phase 1 only, so I think the 
former should be preferred over the latter - your call of course.

2) In the page with instructions about certutil for Windows clients:

The instruction to generate the server certificate uses options -1 and 
-6 with no arguments, resulting in an interactive input loop for 
keyUsage and extKeyUsage. I would suggest explicit arguments instead:
--keyUsage "digitalSignature,keyEncipherment"
--extKeyUsage "serverAuth,ipsecIKEIntermediate"

The instruction to generate the client certificate might be misleading, 
instructing the user to set the same extKeyUsage as the server's, which 
is wrong. In place of -1 and -6 I'd suggest:
--keyUsage "digitalSignature,keyEncipherment"
--extKeyUsage "clientAuth"

3) This is not really about instructions, however it might be worth 
In the latest version of this thread the Windows certificate still 
contains a SAN entry "ip:" i.e. the IP address of the 
server, which is wrong.
The libreswan log detects this mismatch, complains about "connection 
failed due to unmatched IKE ID in certificate SAN", but still 
establishes a connection. Maybe this is something worth a look into.

On 12/31/2020 8:37 PM, Paul Wouters wrote:
> On Dec 31, 2020, at 14:14, Alex <mysqlstudent at gmail.com> wrote:
>> Can we add some of this to the wiki so someone else doesn't have to go
>> through all of this? There's no way the wiki entry would work as it is
>> currently.
>> I also want to experiment a bit more with the add/set-vpnconnection
>> commands - it seems unreasonable for end-users to have to enter those
>> commands.
> I’ll update / integrate the documentation over the next few days.
> Thanks for reporting back to us !
> Paul
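As an added example (not from this thread, the libreswan wiki or the project's own code), the following script shows the client-side procedure Manfred describes in points 1 and 2: create an IKEv2 connection from an administrative PowerShell, pin a single strong IKE/ESP proposal with Set-VpnConnectionIPsecConfiguration instead of the registry tweak, confirm that a custom policy is actually in force, and check that the machine certificate the client will present carries clientAuth rather than the server's EKUs and no IP-address SAN. The connection name, server FQDN and the particular proposal values are assumptions for illustration; use whatever the libreswan side is configured to accept.

```powershell
# Added example, not from the original thread. Run from an elevated
# (administrative) PowerShell on a Windows 10/11 client.
# Assumptions: connection name, server FQDN and proposal values below.

$Name   = 'libreswan-ikev2'       # assumed connection name
$Server = 'vpn.example.com'       # assumed server FQDN (should match the server cert SAN)

# Machine-wide profile; required for MachineCertificate authentication.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
    -AllUserConnection -Force

# Replace the weak built-in defaults with one explicit proposal.
# Phase 1 (IKE SA): AES-256 / SHA-256 / DH group 14
# Phase 2 (Child SA, ESP): AES-GCM-256 with PFS over DH group 14 (assumed policy)
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants GCMAES256 -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup PFS2048 -AllUserConnection -Force

# IPsecCustomPolicy is $null while the connection is still on the defaults,
# i.e. the state in which Windows offers its weak proposals.
$conn = Get-VpnConnection -Name $Name -AllUserConnection
if ($null -eq $conn.IPsecCustomPolicy) {
    throw "No custom IPsec policy applied to '$Name'; Windows would still offer its defaults"
}
$conn.IPsecCustomPolicy | Format-List

# Client certificate check: the machine cert used for IKEv2 must carry the
# clientAuth EKU (1.3.6.1.5.5.7.3.2). serverAuth (1.3.6.1.5.5.7.3.1) belongs on
# the server certificate, not here.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$cands = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
}
if (-not $cands) {
    Write-Warning 'No machine certificate with a private key and the clientAuth EKU was found'
}
foreach ($c in $cands) {
    if ($c.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid) {
        Write-Warning "$($c.Subject) also carries serverAuth; a client cert should have clientAuth only"
    }
    # Subject Alternative Name (OID 2.5.29.17): an IP-address entry on the
    # client cert is the mismatch libreswan reports as an unmatched IKE ID.
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $sanText = $san.Format($false)
        if ($sanText -match 'IP Address=') {
            Write-Warning "$($c.Subject) has an IP-address SAN: $sanText"
        } else {
            Write-Output "$($c.Subject) SAN: $sanText"
        }
    }
}
```

After running this, `Get-VpnConnection -Name libreswan-ikev2 -AllUserConnection | Select-Object -ExpandProperty IPsecCustomPolicy` should list exactly the values set above; if it prints nothing, the registry tweak or an older profile is still in the way and the client will keep sending multiple proposals, as seen in Alex's log.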
