Hi,

Thanks to Paul's generous help I was able to get mac and windows working together as they should. For the benefit of others trying the same, I am just posting here some hints in case they are helpful.

For the mac, you need a .mobileconfig xml file. You will need to put base64 values for the certs, and change the password and hosts and such. When you get it right and open the file on the mac it will show you the CA and the user cert.

For the firewall cert (not sure if it is required, but in the troubleshooting process I ended up adding it) I put a DNS: SubjectAltName as well as an IP: SubjectAltName.

The default ike and phase2alg settings didn't work for any of windows 7, windows 10, or mac os 10.10, at least for me. I had to adjust them according to the proposals I found in the logs.

My working conn:

conn rw-ikev2
   authby=rsasig
   left=XX.XX.XX.XX
   leftsubnet=0.0.0.0/0
   leftcert=fw.computerisms.ca
   leftid=%fromcert
   leftrsasigkey=%cert
   leftsendcert=always
   right=%any
   rightid=%fromcert
   rightca=%same
   rightrsasigkey=%cert
   rightsendcert=always
   rightmodecfgclient=yes
   rightaddresspool=10.25.0.2-10.25.0.20
   narrowing=yes
   modecfgdns1=192.168.123.254
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
   auto=add
   ikev2=insist
   rekey=no
   fragmentation=yes
   pfs=yes
   ike=aes256-sha384-modp1024,aes256-sha256-modp2048,aes256-sha512-modp8192,aes256-sha512-modp2048
   phase2alg=aes256-sha1,aes256-sha512;modp4096

--
Bob Miller
Cell: 867-334-7117
Office: 867-633-3760
www.computerisms.ca
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
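For the .mobileconfig part of the post, here is an added example (my own, not Bob's or libreswan's) that builds the profile with Python's plistlib, so the CA cert and the user's PKCS#12 bytes come out base64-encoded in <data> elements automatically, and that maps the post's ike= and phase2alg= proposal strings onto Apple's SA parameter keys. The host, identities, password and certificate blobs below are constructed placeholders; the payload keys (com.apple.vpn.managed, com.apple.security.root, com.apple.security.pkcs12, IKESecurityAssociationParameters and so on) are Apple's documented configuration-profile keys.

```python
import plistlib
import uuid
# libreswan proposal tokens -> Apple IKESecurityAssociationParameters values
ENC = {"aes128": "AES-128", "aes256": "AES-256", "3des": "3DES"}
INTEG = {"sha1": "SHA1-96", "sha256": "SHA2-256", "sha384": "SHA2-384", "sha512": "SHA2-512"}
DH = {"modp1024": 2, "modp2048": 14, "modp4096": 16, "modp8192": 18}

def proposal_to_apple(proposal):
    """Translate the first libreswan proposal ('enc-integ-dh,...' or 'enc-integ,...;dh') to Apple SA params."""
    algs, _, dh = proposal.partition(";")          # phase2alg puts the DH group after ';'
    parts = algs.split(",")[0].split("-")           # first proposal only: enc, integ[, dh]
    sa = {"EncryptionAlgorithm": ENC[parts[0]], "IntegrityAlgorithm": INTEG[parts[1]]}
    if len(parts) > 2:
        dh = parts[2]
    if dh:
        sa["DiffieHellmanGroup"] = DH[dh]
    return sa

def _payload(ptype, ident, name, **extra):
    """Keys every configuration-profile payload must carry, plus payload-specific ones."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadDisplayName": name, "PayloadUUID": str(uuid.uuid4()).upper(), **extra}
def build_mobileconfig(host, remote_id, local_id, ca_der, p12, p12_password, ike, esp):
    """Return the .mobileconfig XML; plistlib emits bytes as base64 <data> elements."""
    ca = _payload("com.apple.security.root", "vpn.ca", "VPN CA", PayloadContent=ca_der)
    user = _payload("com.apple.security.pkcs12", "vpn.user", "VPN user cert",
                    PayloadContent=p12, Password=p12_password)
    vpn = _payload("com.apple.vpn.managed", "vpn.ikev2", "IKEv2 VPN",
                   UserDefinedName="IKEv2 VPN", VPNType="IKEv2",
                   IKEv2={"RemoteAddress": host, "RemoteIdentifier": remote_id,
                          "LocalIdentifier": local_id, "AuthenticationMethod": "Certificate",
                          "PayloadCertificateUUID": user["PayloadUUID"],  # points at the pkcs12 payload
                          "IKESecurityAssociationParameters": proposal_to_apple(ike),
                          "ChildSecurityAssociationParameters": proposal_to_apple(esp)})
    profile = _payload("Configuration", "vpn.profile", "IKEv2 VPN profile",
                       PayloadContent=[ca, user, vpn])
    return plistlib.dumps(profile)

# Constructed placeholder blobs standing in for the DER CA cert and the PKCS#12 bundle;
# real files would be read with open(path, "rb").read().
FAKE_CA_DER = b"\x30\x82\x00\x10constructed-ca-der"
FAKE_P12 = b"\x30\x82\x00\x10constructed-pkcs12"

def demo():
    """Build a profile from the constructed inputs and parse it back as macOS would."""
    blob = build_mobileconfig("vpn.example.net", "vpn.example.net", "bob@example.net",
                              FAKE_CA_DER, FAKE_P12, "p12-password",
                              "aes256-sha384-modp1024,aes256-sha256-modp2048",
                              "aes256-sha1,aes256-sha512;modp4096")
    return plistlib.loads(blob)
```

Write the bytes returned by build_mobileconfig() to a .mobileconfig file and open it on the mac; the profile installer lists the CA, the user cert and the VPN, as the post describes.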