[Swan] win10 (/ win11?) client user certs instead of machine

Marc Marc at f1-outsourcing.eu
Thu Feb 1 15:49:20 EET 2024


> >
> > Is there a way to setup libreswan[1] in such a way it matches more windows
> > defaults.
> >
> > Currently I have to distribute some powershell scripts that set "Use
> > machine certificates" (standard.png). However it would be nicer if this eap
> > could be enabled and use the user? certificates (eap.png)
> 
> Yes. EAP-TLS is supported. Test cases that show configuration:
> 
> https://github.com/libreswan/libreswan/blob/main/testing/pluto/interop-ikev2-eaptls-strongswan-client/east.conf
> 

I am not getting this to work. I have tried modifying several entries and I removed all my test config files, and win10 keeps whining about being behind a NAT or so, while the normal crt without EAP is fine.

conn vpn-ikev2-crt-eap
     ikev2=yes
     auto=add
     # fill in with your VPN server IP
     left=x.x.x.x
     leftauth=eaponly
     leftcert=vpn.example.com
     leftid=@vpn.example.com
     leftautheap=tls
     leftsendcert=always
     leftupdown="ipsec updown.sh"
     # /25 0-127 255.255.255.128
     leftsubnet=x.x.x.x/25
     rightaddresspool=x.x.x.x-x.x.x.x
     right=%any
     rightauth=eaponly
     #rightid=%fromcert
     #rightca="Example CA"
     rightautheap=tls
     rightsendcert=never


"vpn-ikev2-crt-eap"[1] x.x.x.x #1: processing decrypted IKE_AUTH request: SK{IDi,CERTREQ,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Feb  1 11:08:09 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: reloaded private key matching left certificate 'vpn.example.com'
Feb  1 11:08:09 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: added EAP payload to packet
Feb  1 11:08:09 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: NSS: I/O getpeername
Feb  1 11:08:09 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: sent EAP request
Feb  1 11:08:10 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: IKE_AUTH request fragment 1 of 3 has duplicate Message ID 1; retransmitting response
Feb  1 11:08:11 test2 pluto[1]: "vpn-ikev2-crt-eap"[1] xx #1: IKE_AUTH request fragment 1 of 3 has duplicate Message ID 1; retransmitting response
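As an added example (not part of this thread, and not libreswan project code): the Windows-side counterpart of the two options being discussed, provisioned with the built-in VpnClient cmdlets instead of the GUI. The first variant pins the client to a machine certificate (what the "Use machine certificates" scripts mentioned above do); the second hands authentication to EAP-TLS so the user's own certificate is used, which is the client behaviour the rightauth=eaponly / rightautheap=tls server configuration expects. The connection name, server name and certificate store choice are placeholders.

```powershell
# Added example, not from the mailing-list thread. Placeholders: 'Example VPN'
# and vpn.example.com; adjust for your deployment.
$vpnName = 'Example VPN'
$server  = 'vpn.example.com'   # should match leftid=@vpn.example.com on the libreswan side

# Variant 1: machine certificate (the "Use machine certificates" setting).
# The client authenticates with a certificate from the LocalMachine store,
# so it works before any user logs on but ties the identity to the device.
Add-VpnConnection -Name "$vpnName (machine cert)" -ServerAddress $server `
    -TunnelType IKEv2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required

# Variant 2: EAP-TLS (EAP method type 13) with a user certificate, matching
# rightauth=eaponly / rightautheap=tls on the server. Server validation stays
# enabled and is pinned to the expected name, so the client verifies the
# server certificate instead of trusting whatever answers on UDP/500.
$eapXml = [xml]@"
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
        <CredentialsSource>
          <CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore>
        </CredentialsSource>
        <ServerValidation>
          <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
          <ServerNames>$server</ServerNames>
        </ServerValidation>
        <DifferentUsername>false</DifferentUsername>
        <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
        <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"@

Add-VpnConnection -Name "$vpnName (EAP-TLS user cert)" -ServerAddress $server `
    -TunnelType IKEv2 -AuthenticationMethod Eap -EapConfigXmlStream $eapXml `
    -EncryptionLevel Required
```

Both variants need the CA that issued the server certificate in the client's Trusted Root store; for the EAP-TLS variant the user's certificate must additionally carry the Client Authentication EKU and sit in the CurrentUser store, since SimpleCertSelection picks from there.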
