[Swan] default config that works with recent android/win10/win11/macos/ios

Paul Wouters paul at nohats.ca
Sat Mar 2 02:57:58 EET 2024


On Thu, 29 Feb 2024, Marc via Swan wrote:

>>> Where can I find a working and tested config, that offers vpn connectivity
>>> with the os default clients of android, win10, win11, macos and ios? (maybe
>>> put this on some wiki/example page)
>>
>> Not sure there is one as the variations in systems are almost infinite.
>
> Who cares about infinite variations? Just pick the most common.

That changes every Mac and Windows and Android release :P

This is probably one that should support most:

 	ike=aes256-sha2_256;modp2048,aes128-sha2_256;modp2048
 	esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2_256,aes128-sha2_256,aes128-sha1

If you need old old windows stuff you might need to also allow modp1024
(which likely requires manually recompiling libreswan because we disable
it by default because it is too weak)

 	ike=aes256-sha2_256;modp2048,aes128-sha2_256;modp2048,aes256-sha2;modp1024,aes128-sha1;modp1024

> If this were my project I would at least offer a turnkey solution for what I assume is the most common application of a vpn server with different clients and check such solutions every period/year to see if they are still valid. You all have the expertise to find much quicker a common denominator for such setup, than some rookie user. Even knowing up front whether or not such a heterogeneous environment is possible, would save already a lot of time.

Since usually this means running things that are 10+ years old, that is
really hard to sustain for a small group of developers. We do provide
the basic common deployment configurations at:

https://libreswan.org/wiki/Configuration_examples

And we have 1218 test cases with configuration examples in git:
https://github.com/libreswan/libreswan/tree/main/testing/pluto

Usually the test names there tell you kind of what the test is about.

> Is it really so weird to expect to find here a (roadwarrior) solution that fits most common clients? Maintaining as much as possible the default setup on these clients.

See above. You seem to think your case is broad and simple, but there
are another 100 people with different networks, clients, OSes, servers,
firewalls, and oddnesses. It would be a full FTE to work on fancy
updated examples for the most common use cases.

Note also that basically no one comes back to us to tell us that they
got things working, let alone share configurations and screenshots of
their working solutions. We are happy to receive these or give you wiki
access once you have it working. But more likely, once you have it
working, you won't send another email here.

Anyway, documentation, wiki edits or financial contributions to support
libreswan are always appreciated.

I have attached the ipsec.conf of vpn.nohats.ca that works with some
Windows, Mac, iPhone and Android clients.

Paul
ps. note that aiming your frustrations at opensource developers is
never a good idea. Neither is telling us what you expect us to do
without paying us for our time and effort while getting the software
and some mailing list support for free.
-------------- next part --------------
conn vpn4
	left=193.110.157.148
	also=vpn-base
conn vpn6
	left=2a03:6000:1004:1::148
	also=vpn-base

conn vpn-base
	# RSA signature authentication; rsa-sha1 is only there for clients
	# that cannot do SHA-2 signatures
	authby=rsa-sha2,rsa-sha1
	# IKEv2 only, IKEv1 peers are rejected
	ikev2=insist
	# support Apple and Windows
	#ike=aes256-sha2_256;modp2048,aes128-sha2_256;modp2048,aes256-sha2;modp1024,aes128-sha1;modp1024
	#esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2_256,aes128-sha2_256,aes128-sha1
	# regular up to date clients
	ike=aes256-sha2_256;modp2048,aes128-sha2_256;modp2048
	# no esp= line, so libreswan's default ESP proposals apply
	# load the conn and wait for clients to connect, never initiate
	auto=add
	# the server does not initiate rekeys, the clients do
	rekey=no
	# nickname of the server certificate in the NSS database
	leftcert=vpn.nohats.ca
	# always send the server certificate during IKE_AUTH
	leftsendcert=always
	# server identity as presented to clients (FQDN form)
	leftid=@vpn.nohats.ca
	# v4+v6 requires libreswan 5.x
	# leftsubnet=0.0.0.0/0,::/0
	# rightaddresspool=100.64.13.0/24,2a03:6000:1005::/97
	#
	# full tunnel: all client IPv4 traffic goes through the VPN
	leftsubnet=0.0.0.0/0
	# addresses handed out to connecting clients
	rightaddresspool=100.64.13.0/24
	# road warrior: accept clients from any address, identify them by
	# their certificate, which must chain to the same CA as the server's
	right=%any
	rightid=%fromcert
	rightca=%same
	# address of your internal DNS server
	modecfgdns="193.110.157.123"
	modecfgdomains="nohats.ca,libreswan.org"
	modecfgpull=yes
	# let clients keep the tunnel when their address changes
	mobike=yes
	salifetime=16h
	ikelifetime=24h
	# clients propose narrower traffic selectors than 0.0.0.0/0; accept them
	narrowing=yes
	# do not require the client ID to appear as a SAN in its certificate
	require-id-on-certificate=no
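
The thread's point about proposal strings (modp1024 is too weak and compiled out of default libreswan builds, aes128-sha1 is only kept for old clients) is easy to check mechanically. The following is an added example, not code from the post or from libreswan: it parses the ike=/esp= syntax used above (comma-separated entries of the form encr-integ;dh, with "+" for alternatives in one slot), reports the weak choices the thread names, and additionally catches a non-AEAD ESP cipher paired with null integrity, which would be unauthenticated ESP. The subset of syntax it understands and the policy lists are assumptions of this example.

```python
"""Lint libreswan ike=/esp= proposal strings (added example, not libreswan code)."""
from __future__ import annotations
from dataclasses import dataclass

# AEAD ciphers carry their own authentication, so "-null" integrity is correct
# for them and wrong for everything else.
AEAD_PREFIXES = ("aes_gcm", "aes_ccm", "chacha20_poly1305")
WEAK_DH = {"modp1024"}      # compiled out of default libreswan builds (too weak)
LEGACY_INTEG = {"sha1"}     # only still listed for old clients


@dataclass
class Proposal:
    encr: list[str]    # encryption algorithms ("+" alternatives expanded)
    integ: list[str]   # integrity (ESP) or PRF/integrity (IKE); [] if unstated
    dh: list[str]      # DH groups; [] for ESP entries without a PFS group
    text: str          # the entry as written, for reporting


def parse_proposals(value: str) -> list[Proposal]:
    """Split 'encr-integ;dh,encr-integ;dh,...' into Proposal records."""
    proposals = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        algs, _, dh = item.partition(";")
        encr, _, integ = algs.partition("-")
        proposals.append(Proposal(
            encr=[a.strip() for a in encr.split("+")],
            integ=[a.strip() for a in integ.split("+")] if integ else [],
            dh=[a.strip() for a in dh.split("+")] if dh else [],
            text=item,
        ))
    return proposals


def is_aead(encr: str) -> bool:
    return encr.startswith(AEAD_PREFIXES)


def lint(keyword: str, value: str) -> list[str]:
    """Return findings for an ike= or esp= value; an empty list means clean."""
    findings = []
    for p in parse_proposals(value):
        for dh in p.dh:
            if dh in WEAK_DH:
                findings.append(f"{keyword}: {p.text}: {dh} is too weak and is "
                                "disabled in default libreswan builds")
        for integ in p.integ:
            if integ in LEGACY_INTEG:
                findings.append(f"{keyword}: {p.text}: {integ} is legacy; keep it "
                                "only while old clients need it")
        if keyword == "esp":
            for encr in p.encr:
                if "null" in p.integ and not is_aead(encr):
                    findings.append(f"esp: {p.text}: ERROR {encr} with null "
                                    "integrity is unauthenticated ESP")
    return findings


def has_weak_component(p: Proposal) -> bool:
    return any(dh in WEAK_DH for dh in p.dh) or any(i in LEGACY_INTEG for i in p.integ)


def modern_only(value: str) -> str:
    """Drop entries with a weak DH group or legacy integrity, keeping order."""
    return ",".join(p.text for p in parse_proposals(value) if not has_weak_component(p))


if __name__ == "__main__":
    # The "old Windows" ike= line and the esp= line from the thread.
    OLD_WINDOWS_IKE = ("aes256-sha2_256;modp2048,aes128-sha2_256;modp2048,"
                       "aes256-sha2;modp1024,aes128-sha1;modp1024")
    ESP = ("aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,"
           "aes256-sha2_256,aes128-sha2_256,aes128-sha1")
    for line in lint("ike", OLD_WINDOWS_IKE) + lint("esp", ESP):
        print(line)
    print("ike=" + modern_only(OLD_WINDOWS_IKE))
```

Run against the thread's "old Windows" ike= line, modern_only() returns exactly the "regular up to date clients" line from the attached config, which is the relationship the two commented lines in vpn-base express.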

