[Swan] win10 (/ win11?) client user certs instead of machine
Marc
Marc at f1-outsourcing.eu
Thu Feb 1 15:49:20 EET 2024
> >
> > Is there a way to set up libreswan[1] in such a way that it matches more Windows
> > defaults?
> >
> > Currently I have to distribute some PowerShell scripts that set "Use
> > machine certificates" (standard.png). However it would be nicer if this EAP
> > could be enabled and use the user? certificates (eap.png)
>
> Yes. EAP-TLS is supported. Test cases that show configuration:
>
> https://github.com/libreswan/libreswan/blob/main/testing/pluto/interop-ikev2-eaptls-strongswan-client/east.conf
>
I am not getting this to work. I have tried modifying several entries and I removed all my test config files, and win10 keeps whining about being behind a NAT or so, while the normal crt without EAP is fine.
conn vpn-ikev2-crt-eap
	ikev2=yes
	auto=add
	# fill in with your VPN server IP
	left=x.x.x.x
	leftauth=eaponly
	leftcert=vpn.example.com
	leftid=@vpn.example.com
	leftautheap=tls
	leftsendcert=always
	leftupdown="ipsec updown.sh"
	# /25 0-127 255.255.255.128
	leftsubnet=x.x.x.x/25
	rightaddresspool=x.x.x.x-x.x.x.x
	right=%any
	rightauth=eaponly
	#rightid=%fromcert
	#rightca="Example CA"
	rightautheap=tls
	rightsendcert=never
"vpn-ikev2-crt-eap"[1] x.x.x.x #1: processing decrypted IKE_AUTH request: SK{IDi,CERTREQ,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Feb 1 11:08:09 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: reloaded private key matching left certificate 'vpn.example.com'
Feb 1 11:08:09 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: added EAP payload to packet
Feb 1 11:08:09 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: NSS: I/O getpeername
Feb 1 11:08:09 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: sent EAP request
Feb 1 11:08:10 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: IKE_AUTH request fragment 1 of 3 has duplicate Message ID 1; retransmitting response
Feb 1 11:08:11 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: IKE_AUTH request fragment 1 of 3 has duplicate Message ID 1; retransmitting response
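The pluto lines above show one recognisable pattern: the responder sends an EAP request and afterwards only sees the initiator retransmit the same IKE_AUTH request fragments (same Message ID). In IKEv2 (RFC 7296, section 2.1) an initiator retransmits a request only while it has not received a response it could process, so the EAP exchange never got past the first server-to-client message. The script below is an added example, not libreswan code and not part of the message; it parses pluto log lines of this shape per connection instance and IKE SA and flags that stall. The sample lines are constructed, modelled on the ones pasted in the mail (including the first line that lacks its syslog prefix).

```python
"""Triage helper for libreswan pluto log lines (added example, not libreswan's code).

For every IKE SA seen in the log it records whether an EAP request was sent and
how often the peer then retransmitted an IKE_AUTH request with a duplicate
Message ID, and derives a short verdict from that.
"""
import re
from collections import defaultdict

# Constructed sample input, modelled on the lines quoted in the mail.
SAMPLE_LOG = """\
"vpn-ikev2-crt-eap"[1] x.x.x.x #1: processing decrypted IKE_AUTH request: SK{IDi,CERTREQ,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Feb 1 11:08:09 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: reloaded private key matching left certificate 'vpn.example.com'
Feb 1 11:08:09 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: added EAP payload to packet
Feb 1 11:08:09 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: sent EAP request
Feb 1 11:08:10 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: IKE_AUTH request fragment 1 of 3 has duplicate Message ID 1; retransmitting response
Feb 1 11:08:11 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: IKE_AUTH request fragment 1 of 3 has duplicate Message ID 1; retransmitting response
"""

# "conn"[instance] peer #sa: message, with an optional syslog/pluto prefix in front.
LINE_RE = re.compile(
    r'^(?:.*?pluto\[\d+\]: )?"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] \S+ #(?P<sa>\d+): (?P<msg>.*)$'
)
DUP_RE = re.compile(
    r'IKE_AUTH request fragment (?P<frag>\d+) of (?P<total>\d+) has duplicate Message ID (?P<mid>\d+)'
)


def parse_pluto_lines(text):
    """Yield ((conn, instance, sa), message) for each line that is a pluto state log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["conn"], int(m["inst"]), int(m["sa"])), m["msg"]


def triage_eap(text):
    """Summarise the EAP phase of every IKE SA in the log.

    Returns {(conn, instance, sa): {"eap_request_sent", "dup_retransmits",
    "fragments", "message_id", "verdict"}}.
    """
    def fresh():
        return {"eap_request_sent": False, "dup_retransmits": 0,
                "fragments": None, "message_id": None, "verdict": "no EAP stall seen"}

    state = defaultdict(fresh)
    for key, msg in parse_pluto_lines(text):
        s = state[key]
        if msg == "sent EAP request":
            s["eap_request_sent"] = True
        elif (d := DUP_RE.search(msg)):
            # The peer re-sent an IKE_AUTH request it had already sent: it has not
            # accepted (or not received) our response carrying the EAP payload.
            s["dup_retransmits"] += 1
            s["fragments"] = int(d["total"])
            s["message_id"] = int(d["mid"])

    for s in state.values():
        if s["eap_request_sent"] and s["dup_retransmits"]:
            s["verdict"] = ("stalled: peer retransmitted IKE_AUTH (Message ID %d, %d fragments) "
                            "%d time(s) after the EAP request was sent; the EAP response was "
                            "not accepted or not received"
                            % (s["message_id"], s["fragments"], s["dup_retransmits"]))
    return dict(state)


if __name__ == "__main__":
    for (conn, inst, sa), s in triage_eap(SAMPLE_LOG).items():
        print('"%s"[%d] #%d: %s' % (conn, inst, sa, s["verdict"]))
```

Run it against a real pluto log with `python3 triage.py < /var/log/secure`-style redirection by replacing SAMPLE_LOG with `sys.stdin.read()`; the regex only needs the `"conn"[n] peer #sa:` prefix pluto prints on state-bound lines, so lines without a syslog header (as in the first pasted line) are handled as well.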