[Swan] Fwd: Question with IKEv2 VPN server for road warrior setup with pubkey

Paul Wouters paul at nohats.ca
Mon Jan 10 03:20:12 EET 2022


On Tue, 4 Jan 2022, Mirsad Goran Todorovac wrote:

> I have a couple of questions:
>
> 1. I have added:
>
>     pfs=yes
>     type=tunnel
>
> to my IKEv1 configuration, as Paul asserted there are issues with the 
> transport mode connection. Is that legal? I can't see much from Googling, as 
> the libreswan doc site example also uses transport mode.

It just won't be compatible with some implementations, although some are
willing to do it. Note that you cannot configure libreswan to do either
transport or tunnel, so you have to get all of your clients using the
same mode. I doubt you can tweak windows as a client to use tunnel mode.

> 2. Regarding my IKEv2 connection attempt, it seems that NSS is unable to find 
> the CA cert, but it appears to be in the key store:

> root@domac:~# certutil -L -d sql:/var/lib/ipsec/nss
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> vpn.alu.hr                                                   u,u,u
> ALU-UNIZG CA                                                 ,,

This does not seem to be showing the proper trust bits for the CA, eg:

[root@thinkpad interop-ikev2-eaptls-strongswan-client]# certutil -L -d /var/lib/ipsec/nss

Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

letoams.nohats.ca                                            u,u,u
Certificate Agency (CA) - No Hats Corporation                CT,, 
west-bigsig                                                  u,u,u
Libreswan test CA for mainca - Libreswan                     CT,,

You can try running ipsec --checknss, which can fix some of these issues.
Otherwise use certutil to add "CT,," to your CA.

Paul
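As an added example (not part of Paul's reply and not libreswan's own tooling), the following POSIX shell script automates the check Paul describes: it reads `certutil -L` output, flags every certificate whose SSL trust field carries neither `u` (our own cert, private key present) nor `C` (trusted CA), and prints the `certutil -M` command that would set the `CT,,` trust bits. The NSS directory and the certificate nicknames in the embedded sample are constructed values, chosen to mimic the quoted output.

```shell
#!/bin/sh
# Added example, not from the original thread: find certificates in an NSS
# database that have no CA trust and print the certutil command to fix them.
# NSSDIR is an assumed libreswan NSS location; the sample below is constructed.

NSSDIR="sql:/var/lib/ipsec/nss"

# Constructed sample mimicking `certutil -L` output where the CA entry has
# empty trust bits (",,"), exactly the symptom discussed in the thread.
SAMPLE_CERTUTIL_OUTPUT='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

vpn.example.invalid                                          u,u,u
Example CA                                                   ,,
Example Good CA                                              CT,,'

# untrusted_cas: read certutil -L output on stdin and print, one per line, the
# nicknames whose SSL trust flags (first comma-separated field) contain
# neither "u" nor "C". Nicknames may contain spaces, so the trust column is
# taken as the last whitespace-separated field and stripped from the line.
untrusted_cas() {
    awk '
        /Trust Attributes$/ { next }            # column header line
        NF < 2             { next }            # blank lines and the SSL,S/MIME,JAR/XPI line
        {
            split($NF, flags, ",")             # flags[1] = SSL trust flags
            if (flags[1] !~ /u/ && flags[1] !~ /C/) {
                sub(/[ \t]+[^ \t]+$/, "")      # drop the trailing trust column
                print
            }
        }'
}

# fix_commands: for each flagged nickname emit the certutil invocation that
# marks it as a trusted CA for SSL ("CT,,"), which is what IKEv2 certificate
# validation needs for the CA that issued the peer certificates.
fix_commands() {
    untrusted_cas | while IFS= read -r nick; do
        printf 'certutil -M -d "%s" -n "%s" -t "CT,,"\n' "$NSSDIR" "$nick"
    done
}

# Demonstration on the constructed sample. Against a real database you would
# run:  certutil -L -d "$NSSDIR" | fix_commands
printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | fix_commands
```

The script only prints the commands rather than running them, so the operator can review which nicknames are about to be marked as trust anchors before changing the database; an entry such as a stray client certificate with empty trust bits should not be promoted to a CA.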

