[Swan] Windows 10 client to libreswan VPN server: CHILD SA: no local proposal matches remote proposals

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Mon Jan 10 00:03:49 EET 2022


On 1/9/2022 10:56 PM, Paul Wouters wrote:

> On Fri, 7 Jan 2022, Mirsad Goran Todorovac wrote:
>
>> I did a little something and attached it. I hope it isn't too 
>> terrible for common users to understand :-/
>
> Thanks! I'll put it up in our wiki!
>
> Note that for the server side, you could use LetsEncrypt to get a
> certificate. The server and client do not necessarily have to use the
> same CA. That way, the Root CA for the certificate is already present
> on the android device. It should not need the Root CA of the client, as
> it should just use the client cert and it does not need to validate it.

I'm glad you think it's OK. If you have any requirements for the
tutorial, I will be able to add them on Tuesday, I think.

I could also use ECDSA certificates, as I did today on our experimental
web servers. They are supposed to be faster on mobile devices at
least, aren't they?

But IMHO this is separate from the Android IKEv2 configuration problem,
so I referred to what you already provided in your wiki regarding cert
generation with certutil.

Mirsad

--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
