[Swan] Windows 10 client to libreswan VPN server: CHILD SA: no local proposal matches remote proposals

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Fri Jan 7 14:42:53 EET 2022


On 6.1.2022. 16:02, Paul Wouters wrote:

> On Wed, 5 Jan 2022, Mirsad Goran Todorovac wrote:
>
>> If I am allowed, I could also assert that I have been positively 
>> surprised by the positive change in speed with IKEv2 VPN: while IKEv1 
>> L2TP over IPSec scored about 50 Mbps download on our server, the 
>> IKEv2 showed 138 Mbps in Ookla speedtest benchmark :) , over the 
>> Faculty's 1 Gbps link and my 150 Mbps home connection.
>
> That's because most likely your l2tp layer went through userland xl2tpd.
> it can be configured to use kernel l2tp.ko but that usually has issues.
> So yes, I'm not surprised :)

Copy that, I've seen from the logs that the userland stuff was used. If I 
had only L2TP, I would try to enable l2tp.ko, but now that IKEv2 runs at a 
shiny new 250/214 Mbps, I don't think there really is a point.

BTW, I tried this: 
https://support.microsoft.com/en-us/topic/microsoft-security-advisory-updated-support-for-diffie-hellman-key-exchange-f0ad89ce-dcd5-56e2-9cee-4cbb01b4da1e 
to remedy the modp1024 DH problem and it didn't work :(

Only this made the conn:
https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048

Perhaps that should be more visible in the manuals at libreswan.org? 
I've had difficulties finding it when I was in our accounting. I've been 
testing IKEv2 over the holidays and I am rather happy with the way it 
works. Nice job!
Probably I could get away without reading the RFCs about the IKEv2 IETF 
standard, but it was sort of worthwhile; now I actually seem to know 
what these options mean. It is so much better to do the homework :)

BTW, my version of Windows 10 still appears to downgrade DH to modp1024 
on key renegotiation, so the ms-dh-downgrade=yes hack was necessary. I 
hope they fix this bug.

I seem to have updated to 20H2 but not to Windows 11:

Mirsad

-- 

Mirsad Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
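For readers landing on this thread with the same "no local proposal matches remote proposals" error, here is an added example of the server-side piece the message refers to: a libreswan ipsec.conf conn for Windows 10 IKEv2 clients with a modp2048 IKE proposal and the ms-dh-downgrade=yes workaround for the modp1024 rekey behaviour. This is not configuration from the original post or from the libreswan project; the conn name, hostnames, address pool and DNS server are placeholders, and the exact ike= and esp= values are my assumption for a client that has the registry change from the linked strongSwan wiki section applied. If either SA still fails to negotiate, adjust those two lines to the proposals the client actually sends rather than loosening the whole conn.

```ini
# Added example (not from the thread or the libreswan docs): libreswan
# ipsec.conf conn for Windows 10 built-in IKEv2 clients using certificates.
# Hostnames, pool and DNS values are placeholders.
conn win10-ikev2
    keyexchange=ikev2
    # Server side
    left=%defaultroute
    leftid=@vpn.example.test          # must match the SAN in the server certificate
    leftcert=vpn.example.test         # certificate nickname in the NSS database
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # Client side
    right=%any
    rightid=%fromcert
    rightaddresspool=10.10.10.10-10.10.10.250
    modecfgdns=10.10.10.1
    narrowing=yes
    fragmentation=yes
    authby=rsasig
    # Proposals (assumed to match a client with the NegotiateDH2048_AES256
    # registry change from the linked wiki section). A stock Windows 10 client
    # proposes modp1024 for the IKE SA, which is why the thread needed that
    # change on the client before this conn would come up at all.
    ike=aes256-sha1;modp2048
    esp=aes256-sha1
    # Windows 10 (20H2 in the thread) drops the DH group back to modp1024 when it
    # rekeys the CHILD SA. ms-dh-downgrade=yes tells libreswan to accept that
    # downgrade so rekeys succeed instead of tearing the tunnel down. It is a
    # deliberate weakening of the rekey exchange only, so keep it scoped to this
    # conn and remove it once the clients no longer need it.
    ms-dh-downgrade=yes
    auto=add
```

The point of keeping ms-dh-downgrade=yes in its own Windows-specific conn is that the initial IKE SA still requires modp2048; only the rekey is allowed to fall back, and only for the clients that need it. Reload with `ipsec auto --add win10-ikev2` (or restart the service) and watch the pluto log for the CHILD SA proposal lines when testing a rekey.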