[Swan] Windows 10 client to libreswan VPN server: CHILD SA: no local proposal matches remote proposals

Wed Jan 5 22:43:21 EET 2022

P.S.

If I am allowed, I could also assert that I have been positively 
surprised by the positive change in speed with IKEv2 VPN: while IKEv1 
L2TP over IPSec scored about 50 Mbps download on our server, the IKEv2 
showed 138 Mbps in Ookla speedtest benchmark :) , over the Faculty's 1 
Gbps link and my 150 Mbps home connection.

This is definitely usable, I can watch Internet TV without glitches, 
save from the fact that IKEv2 connection would "die" and had to be 
restarted. But it is now OK, thanks to the ms-dh-downgrade hack. I would 
be happier if I didn't have to downgrade security for the link, but the 
connection that would break after 15 minutes was useless for the 
accounting programs.

Now I am thoroughly testing before entering production.

Kind regards,
Mirsad

On 1/5/2022 5:47 PM, Mirsad Goran Todorovac wrote:
> On 1/5/2022 5:34 PM, Paul Wouters wrote:
>
>> On Tue, 4 Jan 2022, Mirsad Goran Todorovac wrote:
>>
>>> esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024 
>>>
>>>
>>> line I've found in options doesn't work well with libreswan 4.5 I'm 
>>> using. Perhaps someone should update the cookbooks on the 
>>> libreswan.org site?
>>
>> I've updated the wiki page to no longer suggest the modp1024 old stuff
>> that is no longer supported per default.
>
> Hi, Paul, that's awesome :-)
>
> I have also removed the requirement for manual DNS configuration in 
> the Android client setup. Now it is sufficient to import the client 
> cert and set it as both the "IPSec user certificate" and "IPSec CA 
> certificate". If it doesn't seem obvious, I came across this setup by 
> experimenting.
>
> The culprit was the VPN gateway chosen as one of the DNS servers. The 
> configuration works better if something other than gateway is chosen 
> as server for DNS. (In our case, 10.0.0.101 for local addresses, and 
> 8.8.8.8 as the secondary, so the people could see their DHCP assigned 
> machine IP addresses and FQDN hostnames when they attempt to connect 
> via VPN to their work computers as the road warriors.)
>
> Perhaps I could write a tutorial on Android setup for libreswan if I 
> find the time? It seems pretty straightforward now that it's done ...
>
> I think you could remove the requirement for strongswan for Android 
> client setup in the manual page 
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 , 
> as the native client appears to work a OK. (Just `authby=rsa-sha1` may 
> be added, for I understood neither the native client nor the 
> strongswan worked without it. Haven't tried the latter.)
>
> Mirsad
>
> -- 
> Mirsad Goran Todorovac
> CARNet sistem inženjer
> Grafički fakultet | Akademija likovnih umjetnosti
> Sveučilište u Zagrebu

--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
-- 
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355