[Swan] Fwd: Question with IKEv2 VPN server for road warrior setup with pubkey
paul at nohats.ca
Mon Jan 10 03:20:12 EET 2022
On Tue, 4 Jan 2022, Mirsad Goran Todorovac wrote:
> I have a couple of questions:
> 1. I have added:
> to my IKEv1 configuration, as Paul asserted there are issues with the
> transport mode connection. Is that legal? I can't see much from Googling, as
> the libreswan doc site example also uses transport mode.
It just won't be compatible with some implementations, although some are
willing to do it. Note that you cannot configure libreswan to do either
transport or tunnel, so you have to get all of your clients using the
same mode. I doubt you can tweak windows as a client to use tunnel mode.
> 2. Regarding my IKEv2 connection attempt, it seems that NSS is unable to find
> the CA cert, but it appears to be in the key store:
> root at domac:~# certutil -L -d sql:/var/lib/ipsec/nss
> Certificate Nickname Trust Attributes
> vpn.alu.hr u,u,u
> ALU-UNIZG CA ,,
This does not seem to be showing the proper trust bits for the CA, eg:
[root at thinkpad interop-ikev2-eaptls-strongswan-client]# certutil -L -d /var/lib/ipsec/nss
Certificate Nickname Trust Attributes
Certificate Agency (CA) - No Hats Corporation CT,,
Libreswan test CA for mainca - Libreswan CT,,
you can try running ipsec --checknss which can fix some of these issues.
Otherwise use certutil to add "CT,," to your CA.
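As an added example (not from this thread): a small POSIX shell check that scans a `certutil -L` listing for CA entries whose SSL trust field lacks the `CT` flags, and prints the `certutil -M` command that would set them. The listing below is constructed from the output quoted above; the NSS directory and nicknames are taken from the thread.

```shell
#!/bin/sh
# Added example: find NSS database entries that are not trusted as a CA
# (SSL trust field without C and T) and are not end-entity certs (u).

# Constructed certutil -L listing, modelled on the output quoted in the thread.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

vpn.alu.hr                                                   u,u,u
ALU-UNIZG CA                                                 ,,
Libreswan test CA for mainca - Libreswan                     CT,,'

# check_ca_trust: read a certutil -L listing on stdin, print the nickname of
# every entry whose SSL trust field is neither "u" (own cert with key) nor a
# trusted CA ("CT"). Returns 1 if at least one such entry was found.
check_ca_trust() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            ''|Certificate\ Nickname*|*SSL,S/MIME*) continue ;;   # headers/blank
        esac
        trust=${line##* }                     # last token, e.g. "CT,," or ",,"
        nick=$(printf '%s' "${line% *}" | sed 's/[[:space:]]*$//')
        ssl=${trust%%,*}                      # SSL field, before the first comma
        case "$ssl" in
            *u*)         continue ;;          # user/end-entity certificate
            *C*T*|*T*C*) continue ;;          # already a trusted CA
            *)           printf '%s\n' "$nick"; found=1 ;;
        esac
    done
    return $found
}

# suggest_fix NSSDIR NICKNAME: print (do not run) the certutil command that
# adds the "CT,," trust bits to a CA, as recommended in the reply above.
suggest_fix() {
    printf 'certutil -M -d "%s" -n "%s" -t "CT,,"\n' "$1" "$2"
}

# Stand-alone run: report untrusted CAs and the command to fix each one.
printf '%s\n' "$SAMPLE_LISTING" | check_ca_trust | while IFS= read -r nick; do
    suggest_fix sql:/var/lib/ipsec/nss "$nick"
done
```

Replace the constructed listing with `certutil -L -d sql:/var/lib/ipsec/nss` output on the real host to check a live database.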