[Swan] Windows 10 client to libreswan VPN server: CHILD SA: no local proposal matches remote proposals

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Wed Jan 5 18:47:30 EET 2022


On 1/5/2022 5:34 PM, Paul Wouters wrote:

> On Tue, 4 Jan 2022, Mirsad Goran Todorovac wrote:
>
>> esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024 
>>
>>
>> line I've found in options doesn't work well with libreswan 4.5 I'm 
>> using. Perhaps someone should update the cookbooks on the 
>> libreswan.org site?
>
> I've updated the wiki page to no longer suggest the modp1024 old stuff
> that is no longer supported per default.

Hi, Paul, that's awesome :-)

I have also removed the requirement for manual DNS configuration in the 
Android client setup. Now it is sufficient to import the client cert and 
set it as both the "IPSec user certificate" and "IPSec CA certificate". 
If it doesn't seem obvious, I came across this setup by experimenting.

The culprit was the VPN gateway chosen as one of the DNS servers. The 
configuration works better if something other than gateway is chosen as 
server for DNS. (In our case, 10.0.0.101 for local addresses, and 
8.8.8.8 as the secondary, so the people could see their DHCP assigned 
machine IP addresses and FQDN hostnames when they attempt to connect via 
VPN to their work computers as the road warriors.)

Perhaps I could write a tutorial on Android setup for libreswan if I 
find the time? It seems pretty straightforward now that it's done ...

I think you could remove the requirement for strongswan for Android 
client setup in the manual page 
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 , 
as the native client appears to work OK. (Just `authby=rsa-sha1` may 
be added, for I understood neither the native client nor the strongswan 
worked without it. Haven't tried the latter.)

Mirsad

--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
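As an added example, not part of Mirsad's message or of the libreswan project: a small Python checker for esp= proposal lines like the cookbook one quoted above. It assumes libreswan's proposal syntax (cipher-integrity, optionally ;dh, comma separated) and treats modp1024 as disabled by default in libreswan 4.x, as Paul states in the thread; the sample line is the one from the quoted message.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumption: DH groups that libreswan 4.x no longer enables by default
# (the thread says modp1024 is "no longer supported per default").
DEPRECATED_DH = {"modp1024"}


@dataclass
class Proposal:
    cipher: str
    integ: Optional[str]
    dh: Optional[str]
    text: str  # the proposal as written


def parse_esp(spec: str) -> List[Proposal]:
    """Split an esp= value of the form 'enc-integ;dh,enc-integ,...'."""
    proposals = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        algs, _, dh = item.partition(";")
        cipher, _, integ = algs.partition("-")
        proposals.append(Proposal(cipher.lower(), integ.lower() or None,
                                  dh.lower() or None, item))
    return proposals


def is_aead(cipher: str) -> bool:
    """AEAD ciphers authenticate on their own, so 'null' integrity is fine there."""
    return cipher.startswith(("aes_gcm", "aes_ccm")) or cipher == "chacha20_poly1305"


def check_esp(spec: str) -> List[str]:
    """Return findings for proposals that will not negotiate or are unsafe."""
    findings = []
    for p in parse_esp(spec):
        if p.dh in DEPRECATED_DH:
            findings.append(f"{p.text}: DH group {p.dh} is disabled by default in libreswan 4.x; drop it or use modp2048")
        if p.integ == "null" and not is_aead(p.cipher):
            findings.append(f"{p.text}: null integrity with non-AEAD cipher {p.cipher} gives no authentication")
    return findings


def fix_esp(spec: str) -> str:
    """Rewrite the line without deprecated DH groups, dropping duplicates that result."""
    seen, out = set(), []
    for p in parse_esp(spec):
        dh = None if p.dh in DEPRECATED_DH else p.dh
        text = p.cipher + (f"-{p.integ}" if p.integ else "") + (f";{dh}" if dh else "")
        if text not in seen:
            seen.add(text)
            out.append(text)
    return ",".join(out)


# Constructed input: the cookbook line quoted in the thread.
COOKBOOK_LINE = ("aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,"
                 "aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024")
```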
