Re: [Swan-dev] simple setup
On Fri, 5 Oct 2018, Kim B. Heino wrote:

> All those "~" must be changed to "$HOME". I don't have the power to do that. Somebody please fix?

Someone did.

I agree the certificate generation stuff is not user friendly, which is why we did the webgui thing. I'm still waiting on the packages so I can test it out on centos/rhel/fedora :)

Paul

___
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
Re: [Swan-dev] simple setup
> To be at feature-parity with WireGuard, we don't need to interoperate.
> Simple(!!!) libreswan to libreswan is what is required.

I agree totally here. I tried to copy-paste commands from that "VPN server for remote clients using IKEv2" page, it doesn't work:

-
# certutil -N -d sql:~/tmpdb/
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
# mkdir tmpdb
# certutil -N -d sql:~/tmpdb/
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
# certutil -N -d sql:$HOME/tmpdb/
Enter a password which will be used to encrypt your keys.
-

All those "~" must be changed to "$HOME". I don't have the power to do that. Somebody please fix?
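Added example, not part of the original message: the shell performs tilde expansion only when "~" is the first character of a word, so in "sql:~/tmpdb/" the "sql:" prefix leaves the tilde literal, while "$HOME" expands anywhere in the word. The helper names (as_received, flag_tilde, fix_tilde) are hypothetical, and the sample lines are constructed from the certutil commands quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Sample commands below are constructed
# from the certutil invocations quoted in the message.

# Print one argument exactly as the invoked program would receive it.
as_received() { printf '%s' "$1"; }

# "~" is not the first character of the word, so the shell leaves it alone.
tilde_form() { as_received sql:~/tmpdb/; }

# "$HOME" is a parameter expansion and works anywhere in the word.
home_form() { as_received "sql:$HOME/tmpdb/"; }

# Hypothetical lint: print (with line numbers) command lines read from stdin
# that contain a prefix:~/ word, where the tilde will stay literal.
flag_tilde() { grep -n -E '(^|[[:space:]])[A-Za-z0-9_]+:~/'; }

# Hypothetical fixer: rewrite prefix:~/ to prefix:$HOME/ in such lines.
fix_tilde() { sed -E 's#(^|[[:space:]])([A-Za-z0-9_]+):~/#\1\2:$HOME/#g'; }

# Constructed sample input: one failing and one working command line.
sample_commands() {
cat <<'EOF'
certutil -N -d sql:~/tmpdb/
certutil -N -d sql:$HOME/tmpdb/
EOF
}

printf 'tilde form: %s\n' "$(tilde_form)"
printf 'HOME form:  %s\n' "$(home_form)"
sample_commands | flag_tilde
sample_commands | fix_tilde
```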
Re: [Swan-dev] simple setup
On Fri, 5 Oct 2018, D. Hugh Redelmeier wrote:

> To be at feature-parity with WireGuard, we don't need to interoperate.
> Simple(!!!) libreswan to libreswan is what is required.

The Wireguard feature is not having features. They will grow their warts later on in life.

> Did I say "simple" often enough?

We could surely create an interactive cmdline tool that generates an /etc/ipsec.d/example.conf file for them. We did create a webgui tool for a Remote Access VPN which we are polishing up now for release.

I agree with Kim that our website is more sysadmin focused than enduser focused and we can improve there. That's a topic for next week's devel meeting :)

Paul
Re: [Swan-dev] simple setup
| From: Paul Wouters

| Sure. We need support for .mobileconfig support so people can just
| import that on Linux as well as Apple devices. I don't know how to
| create a "profile" for Windows. It would be nice if we could do that
| too.

Fine. But that isn't what I asked for.

To be at feature-parity with WireGuard, we don't need to interoperate. Simple(!!!) libreswan to libreswan is what is required.

Any bonus features should be separate and later so that they don't interfere with the simplicity.

Did I say "simple" often enough?

It's got to be simple. It's got to look simple to someone who knows nothing about this stuff. It's almost an advertisement, but one that actually is useful and informative.

It's got to be as simple as WireGuard. Simpler than WireGuard would be a big bonus.

Sadly, I think that there need to be "field notes" to trouble-shoot first-time bring-up. That's way more important than talking about added features. Lots of people have trouble getting this stuff working in the most basic way and end up giving up, scarred for life.

If our diagnostics make debugging such a simple setup hard, we ought to look closely at making this easier. Perhaps we need a bring-up mode that is more helpful. Perhaps we need a tool that automates some of the debugging.
Re: [Swan-dev] simple setup
On Fri, 5 Oct 2018, Kim B. Heino wrote:

> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
>
> Problems with that page, when comparing to wireguard/openvpn setup guides:
> - too long
> - looks way too complex
> - looks scary ("change registry key or it's insecure!!!")
> - hard to find: first time users don't know what IKEv1 vs v2 vs split vs XAUTH means

Sure. We need support for .mobileconfig support so people can just import that on Linux as well as Apple devices. I don't know how to create a "profile" for Windows. It would be nice if we could do that too.

Paul
Re: [Swan-dev] simple setup
> > I keep seeing people, in various venues, saying that wireshark is
> > wonderful.

Same is also true for openvpn vs libreswan.

> > Paul (or anyone else): can you create simple instructions for
> > setting up a VPN that has feature-parity with Wireshark?
>
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

Problems with that page, when comparing to wireguard/openvpn setup guides:
- too long
- looks way too complex
- looks scary ("change registry key or it's insecure!!!")
- hard to find: first time users don't know what IKEv1 vs v2 vs split vs XAUTH means