On Fri, 15 Sep 2017, Dynastic Space wrote:
> Thanks for your assistance. We are very novice in this, and any help is great. Note that we are running a vpn server for iphone users, so we do not really have much control over what protocol they use.
That depends, iphones actually take .mobileprofile files that you can narrowly specify how they should behave. I use it myself to get an IKEv2 based VPN service for iphones.

conn xauth-psk
    authby=secret
    pfs=no
    auto=add
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    rightaddresspool=10.231.247.10-10.231.247.254
    right=%any
    # make cisco clients happy
    cisco-unity=yes
    # address of your internal DNS server
    modecfgdns1=172.31.14.50
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=file
    # xauthby=alwaysok MUST NOT be used with PSK
    # Can be played with below
    #dpddelay=30
    #dpdtimeout=120
    #dpdaction=clear
    # xauthfail=soft
    ike-frag=yes
    ikev2=never
    ike=aes128-sha2_256;modp2048
    esp=aes128-sha2_256;modp2048

Sorry, the keylen value shows as 0x0100 which is 256, not 128, so try:

    ike=aes256-sha2_256;modp2048
    esp=aes256-sha2_256;modp2048

(p: #1 protoid=isakmp transform=15 (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth value=fde9)(type=hash value=sha2-256)(type=group desc value=modp2048))
Paul
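
The keylen reading above, as an added example that is not part of the original message or of libreswan: it decodes the attribute values in the logged proposal and builds the ike= line that matches it. The function names are hypothetical, the log layout is taken from the single line quoted above, and treating lifeduration and auth as hex (like keylen) is an assumption.

```python
import re

# Proposal line copied from the log quoted in the message above.
SAMPLE = ("(p: #1 protoid=isakmp transform=15 (t: #1 id=ike "
          "(type=lifetype value=sec)(type=lifeduration value=0e10)"
          "(type=enc value=aes)(type=keylen value=0100)(type=auth value=fde9)"
          "(type=hash value=sha2-256)(type=group desc value=modp2048))")

# One "(type=NAME value=VALUE)" attribute; NAME may contain a space ("group desc").
ATTR_RE = re.compile(r"\(type=([a-z ]+?) value=([^)\s]+)\)")

# Attributes whose value is printed as bare hex digits. keylen is confirmed by
# the message (0100 -> 256); the other two are assumed to follow the same rule.
HEX_ATTRS = {"keylen", "lifeduration", "auth"}


def parse_proposal(line):
    """Return one attribute dict per '(t: #N ...' transform found in the line."""
    transforms = []
    for chunk in re.split(r"\(t: #\d+ ", line)[1:]:
        attrs = {}
        for name, value in ATTR_RE.findall(chunk):
            attrs[name] = int(value, 16) if name in HEX_ATTRS else value
        transforms.append(attrs)
    return transforms


def ike_line(attrs):
    """Build the ike= value for one transform, e.g. aes + 256 -> aes256."""
    enc = attrs["enc"]
    if "keylen" in attrs:            # fixed-size ciphers carry no keylen
        enc += str(attrs["keylen"])
    integ = attrs["hash"].replace("-", "_")   # log says sha2-256, config sha2_256
    return f"ike={enc}-{integ};{attrs['group desc']}"


def config_matches(configured, line):
    """True if the configured ike= line equals any transform the peer offered."""
    return any(ike_line(t) == configured for t in parse_proposal(line))


if __name__ == "__main__":
    for t in parse_proposal(SAMPLE):
        print(t)
        print(ike_line(t))
    # The first suggestion in the thread (aes128) does not match the offer.
    print(config_matches("ike=aes128-sha2_256;modp2048", SAMPLE))
```
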
