[Swan] default config that works with recent android/win10/win11/macos/ios

Marc Marc at f1-outsourcing.eu
Mon Mar 4 12:23:18 EET 2024


> 
> >>> Where can I find a working and tested config, that offers vpn
> connectivity
> >> with the os default clients of android, win10, win11, macos and ios?
> (maybe
> >> put this on some wiki/example page)
> >>
> >> Not sure there is one as the variations in systems are almost infinite.
> >
> > Who cares about infinite variations? Just pick the most common.
> 
> That changes every Mac and Windows and Android release :P

I find that hard to believe for the core (yet wide range) elements requiring the VPN. If I need to apply patches to Windows for modp2048, that means they have been sitting on this modp1024 for quite a while.

 
> This is probably one that should support most:
> 
>  	ike=aes256-sha2_256;modp2048,aes128-sha2_256;modp2048
>  	esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2_256,aes128-sha2_256,aes128-sha1
> 
> If you need old old windows stuff you might need to also allow modp1024
> (which likely requires manually recompiling libreswan because we disable
> it by default because it is too weak)
> 
>  	ike=aes256-sha2_256;modp2048,aes128-sha2_256;modp2048,aes256-sha2;modp1024,aes128-sha1;modp1024

As I wrote (I think) earlier, it would be nice to have syntax that allows you to modify defaults, so you could have something like this in your config:
    
     # android <12
     ike=+aes128-sha1

     # < win10
     ike=+aes128-sha1;modp1024

This way you can easily remove exceptions you made, and are not relevant any more.

> > If this were my project I would at least offer a turn key solution for
> what I assume is the most common application of a vpn server with different
> clients and check such solutions every period/year if they are still valid.
> You all have the expertise to find much quicker a common denominator for
> such setup, than some rookie user. Even knowing up front whether or not such
> a heterogeneous environment is possible, would save already a lot of time.
> 
> Since usually this means running things that are 10+ years old, that is
> really hard to sustain for a small group of developers. We do provide
> the basic common deployment configurations at:

That is not true; besides, you could choose to test ~3 years. Mostly distributions uphold backwards compatibility. But it does require deciding whether or not to include something in a default setup.

> https://libreswan.org/wiki/Configuration_examples
> 
> And we have 1218 test cases with configuration examples in git:
> https://github.com/libreswan/libreswan/tree/main/testing/pluto
> 
> Usually the test names there tell you kind of what the test is about.

I still don't know if it is even possible to just add 10 separate configuration files. I assume not, because if a client fails somewhere in one config, how would the server switch to a different config for that client? I can't imagine how the server would be able to track and do this.

> > Is it really so weird to expect to find here a (roadwarrior) solution that
> fits most common clients? Maintaining on these clients as much as possible
> default setup.
> 
> See above. You seem to think your case is broad and simple, but there
> are another 100 people with different networks, clients, OSes, servers,
> firewalls, and oddnesses. It would be a full FTE to work on fancy
> updated examples for the most common use cases.

From my short experience, it looks like IKEv2 EAP(-TLS) would be a good start.
On a 'fresh' Windows 10 VM you can just double-click the p12 certificate. It will automatically go into the correct user credentials and the user only needs to fill out a few fields in the wizard.

On an old Catalina VM the connection failed. I read somewhere that newer versions would be ok, so I decided to create a VM with macOS Ventura (turned out to be a huge waste of time). But Ventura indeed connects.

On Fedora the libreswan/strongswan clients both fail (only using the GNOME GUI). I can only get the strongswan client to run if I disable SELinux and put the key/crt in a publicly accessible location (I guess nobody is testing this there?)
    
> Note also that basically no one comes back to us to tell us that they
> got things working, let alone share configurations and screenshots of
> their working solutions. We are happy to receive these or give you wiki
> access once you have it working. But more likely, once you have it
> working, you won't send another email here.

I (and probably most) only do such things in cases where I know what I contribute is good and I know it will take others time to get it like this (because information is lacking). I have the impression the changes I currently make are more based on luck. Especially with encryption this is not really ideal.

> Anyway, documentations, wiki edits or financial contributions to support
> libreswan are always appreciated.

If you want, you can get working VMs with default macOS Monterey/Ventura. I wasted quite a bit of time getting them to run with different bootloaders (configs), kvm/intel libvirt configs, slow storage. The most annoying thing was that Apple actually does not want you to use its macOS without an internet connection. 'Nothing' is working if you don't have a gateway. I have an air-gapped test environment. I managed to get it to work by forcing resolve zones to an internal DNS server and creating a 'fake' route.

> I have attached the ipsec.conf of vpn.nohats.ca that works with some
> Windows, Mac, iphones and android.
> 

Thanks! I will give it a try.
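As an added example (not code from libreswan or from this thread): a small Python parser for the ike=/esp= proposal syntax quoted above that reports which proposals would only complete with modp1024, plus a sketch of the '+' override syntax suggested in this message, which is hypothetical and not a libreswan feature. The ipsec.conf fragment is constructed from the lines quoted in the thread.

```python
from dataclasses import dataclass
from typing import Optional

WEAK_DH = {"modp768", "modp1024"}  # disabled by default in libreswan as too weak (thread: modp1024)

@dataclass(frozen=True)
class Proposal:
    encr: str           # e.g. aes256, aes_gcm128
    integ: str          # e.g. sha2_256, null, or "" when omitted
    dh: Optional[str]   # e.g. modp2048, or None when no group is named
    def __str__(self) -> str:
        return self.encr + ("-" + self.integ if self.integ else "") + (";" + self.dh if self.dh else "")

def parse_proposals(value: str) -> list:
    """Parse a libreswan ike=/esp= value: comma-separated proposals, each
    ENCR[-INTEG][;DH], e.g. aes256-sha2_256;modp2048 or aes_gcm256-null."""
    props = []
    for item in value.replace(" ", "").split(","):
        if item:
            algs, _, dh = item.partition(";")
            encr, _, integ = algs.partition("-")
            props.append(Proposal(encr, integ, dh or None))
    return props

def audit_conf(conf: str) -> dict:
    """Map each ike=/esp= key of an ipsec.conf fragment to its proposals that
    can only complete with a weak DH group (what a client pinned to modp1024 would use)."""
    report = {}
    for line in conf.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key.strip() in ("ike", "esp"):
            report[key.strip()] = [str(p) for p in parse_proposals(val) if p.dh in WEAK_DH]
    return report

def merge(base: str, override: str) -> str:
    """Hypothetical '+proposal' override from the thread (not libreswan syntax):
    '+x' appends x to the base list without duplicates; anything else replaces it."""
    if not override.startswith("+"):
        return ",".join(str(p) for p in parse_proposals(override))
    props = parse_proposals(base)
    for p in parse_proposals(override[1:]):
        if p not in props:
            props.append(p)
    return ",".join(str(p) for p in props)

# Constructed fragment built from the ike=/esp= lines quoted in the thread.
SAMPLE_CONF = """conn roadwarrior
    ike=aes256-sha2_256;modp2048,aes128-sha2_256;modp2048,aes256-sha2;modp1024,aes128-sha1;modp1024
    esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2_256,aes128-sha2_256,aes128-sha1
"""
```

Running audit_conf(SAMPLE_CONF) lists the two modp1024 IKE proposals as the ones to drop once the old Windows clients are gone; merge() shows how the suggested '+' lines would layer such exceptions on top of a default.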
