[Swan] default config that works with recent android/win10/win11/macos/ios

Andrew Cagney andrew.cagney at gmail.com
Thu Feb 29 00:57:44 EET 2024


On Wed, 28 Feb 2024 at 17:35, Marc via Swan <swan at lists.libreswan.org> wrote:
>
> >
> > Where can I find a working and tested config, that offers vpn connectivity
> > with the os default clients of android, win10, win11, macos and ios? (maybe
> > put this on some wiki/example page)
> >
> >
>
> How should I even know what goes wrong from this log of mac client? It is quite annoying that I have to spend so much time on just realising vpn access for some clients. No wonder everyone is using this openvpn.
>
> Feb 28 23:20:50 test2 pluto[80]: "vpn-ikev2-eap-crt"[1] 192.168.x.x #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
> Feb 28 23:20:50 test2 pluto[80]: "vpn-ikev2-eap-crt"[1] 192.168.x.x #1: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
> Feb 28 23:20:50 test2 pluto[80]: "vpn-ikev2-eap-crt"[1] 192.168.x.x #1: processing decrypted IKE_AUTH request: SK{IDi,N(INITIAL_CONTACT),IDr,CP,N(ESP_TFC_PADDING_NOT_SUPPORTED),N(NON_FIRST_FRAGMENTS_ALSO),SA,TSi,TSr,N(MOBIKE_SUPPORTED)}
> Feb 28 23:20:50 test2 pluto[80]: "vpn-ikev2-eap-crt"[1] 192.168.x.x #1: reloaded private key matching left certificate 'vpn.example.com'
> Feb 28 23:20:50 test2 pluto[80]: "vpn-ikev2-eap-crt"[1] 192.168.x.x #1: added EAP payload to packet
> Feb 28 23:20:50 test2 pluto[80]: "vpn-ikev2-eap-crt"[1] 192.168.x.x #1: NSS: I/O getpeername
> Feb 28 23:20:50 test2 pluto[80]: "vpn-ikev2-eap-crt"[1] 192.168.x.x #1: sent EAP request

(technically a response containing the EAP request)

EAP isn't exactly a standard config.  Is the mac device configured to
handle that?

