On Tue, 19 Dec 2017, Computerisms Corporation wrote:
For the firewall cert (not sure if it is required, but in the troubleshooting
process I ended up adding it) I put a DNS: SubjectAltName as well as an IP:
SubjectAltName.
It is required. Whatever the ID you use in the xml, that has to be a SAN
on the cert. So if your ID is an IP, you need the IP: SAN. If you use a
hostname as ID, you need to have the hostname on the SAN.
The default ike and phase2alg settings didn't work for neither of windows 7,
windows 10, or mac os 10.10, at least for me. I had to adjust them according
to the proposals I found in the logs.
yes, because of a bug in Windows IKEv2. This is known by them as:
MSRC Case Opened: 35732 - IKEv2 - Diffie-Hellman to MODP-1024 Bypass
TRK:0901001101
I filed it in October 2016. The latest update on this is that it will be
fixed in "Spring 2018".
My working conn:
ike=aes256-sha384-modp1024,aes256-sha256-modp2048,aes256-sha512-modp8192,aes256-sha512-modp2048
phase2alg=aes256-sha1,aes256-sha512;modp4096
You should put the weak modp1024 in the end so that the proposal is the
least favourite. That way clients announcing support for weak and strong
will get strong instead of weak. I use:
ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024
esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512
This also prefers AES_GCM over AES for ESP, since it is stronger and
takes up a lot less CPU.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
