Hi,

> > Is there documentation available on how to configure
> > it with libreswan?
>
> Yes, see our libreswan examples on the website.

I followed the examples outlined on this page, including importing the pkcs12 file with ipsec and building an ipsec.conf for the VPN server:

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

I was able to import the cert successfully on win10. When I try to connect, I receive a "Policy match error". How do I troubleshoot this?

I have made the registry changes for "Windows Certificate requirements" and "L2TP / IPsec with the server behind NAT" as per this doc:

https://libreswan.org/wiki/Interoperability#Windows_Certificate_requirements

I've also added the "NegotiateDH2048_AES256" DWORD as per this doc:

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

I'm also seeing the following in pluto.log:

Dec 23 22:31:29.242048: "ikev2-cp"[4] 192.168.1.35 #7: no local proposal matches remote proposals 1:IKE:ENCR=3DES;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024 3:IKE:ENCR=3DES;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 4:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 5:IKE:ENCR=3DES;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024 6:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024
Dec 23 22:31:29.242065: "ikev2-cp"[4] 192.168.1.35 #7: responding to IKE_SA_INIT message (ID 0) from 192.168.1.35:500 with unencrypted notification NO_PROPOSAL_CHOSEN

The win10 laptop I am using is connected to our internal network on 192.168.1.35. The libreswan server has a public IP (which I've specified as the endpoint for the win10 client), but it is also the Internet gateway for the win10 client as 192.168.1.1. Is it possible to connect to the libreswan server while being on the same internal network?

The network looks like this:

68.195.111.42 <--> 192.168.1.1 <--> internal network with win10 client 192.168.1.35

If not, is there another way to test this without having to go outside the local network?

Here is my windows.conf config file:

conn ikev2-cp
    left=68.195.111.42
    leftcert=vpn.mycompany.com
    [email protected]
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=192.168.6.2-192.168.6.254
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns=8.8.8.8,8.8.4.4
    narrowing=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
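The "no local proposal matches remote proposals" line quoted in the post lists every IKE proposal the Windows client offered, one transform type (ENCR, INTEG, PRF, DH) at a time. The usual troubleshooting step is to line those up against the proposals the server is configured to accept and see which transform type is the one that never matches. The following script is an added example, not code from the post or from the libreswan project: it parses pluto's log line into structured proposals and compares them with a server-side proposal set. The server-side proposals (ASSUMED_LOCAL_PROPOSALS) are a hypothetical stand-in, since the posted config contains no ike= line; replace them with whatever your own ike= setting expands to.

```python
import re

# Constructed sample: the "no local proposal matches" line from the post above,
# reproduced here as the parser's input.
SAMPLE_LOG_LINE = (
    'Dec 23 22:31:29.242048: "ikev2-cp"[4] 192.168.1.35 #7: '
    'no local proposal matches remote proposals '
    '1:IKE:ENCR=3DES;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024 '
    '2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024 '
    '3:IKE:ENCR=3DES;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 '
    '4:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 '
    '5:IKE:ENCR=3DES;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024 '
    '6:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024'
)

# Hypothetical server-side IKE proposals (an assumption for this example; the
# posted config has no ike= line). Each dict is one proposal the server would
# accept, written in the same attribute vocabulary pluto uses in its log.
ASSUMED_LOCAL_PROPOSALS = [
    {"ENCR": "AES_CBC_256", "INTEG": "HMAC_SHA2_256_128",
     "PRF": "HMAC_SHA2_256", "DH": "MODP2048"},
    {"ENCR": "AES_GCM_16_256", "INTEG": "NONE",
     "PRF": "HMAC_SHA2_256", "DH": "MODP2048"},
]

TRANSFORM_TYPES = ("ENCR", "INTEG", "PRF", "DH")
PROPOSAL_TOKEN = re.compile(r"^(\d+):IKE:(.+)$")


def parse_remote_proposals(line):
    """Return the remote IKE proposals listed in a pluto 'no local proposal
    matches remote proposals' line as dicts: {'num': n, 'ENCR': ..., ...}."""
    marker = "remote proposals "
    idx = line.find(marker)
    if idx < 0:
        return []
    proposals = []
    for token in line[idx + len(marker):].split():
        m = PROPOSAL_TOKEN.match(token)
        if not m:
            continue
        attrs = dict(part.split("=", 1)
                     for part in m.group(2).split(";") if "=" in part)
        attrs["num"] = int(m.group(1))
        proposals.append(attrs)
    return proposals


def mismatched_transforms(remote, local):
    """Transform types on which one remote and one local proposal disagree."""
    return {t for t in TRANSFORM_TYPES if remote.get(t) != local.get(t)}


def diagnose(remote_proposals, local_proposals):
    """For each remote proposal, find the closest local proposal and report the
    transform types that still differ. Returns {remote_num: set_of_types}."""
    report = {}
    for r in remote_proposals:
        closest = min((mismatched_transforms(r, l) for l in local_proposals),
                      key=len)
        report[r["num"]] = closest
    return report


def common_blockers(report):
    """Transform types that every remote proposal fails on. These are the ones
    worth looking at first: until they agree, no proposal can be chosen."""
    sets = list(report.values())
    if not sets:
        return set()
    return set.intersection(*sets)


if __name__ == "__main__":
    remote = parse_remote_proposals(SAMPLE_LOG_LINE)
    report = diagnose(remote, ASSUMED_LOCAL_PROPOSALS)
    for num, diff in sorted(report.items()):
        print(f"remote proposal {num}: differs in {sorted(diff) or 'nothing'}")
    print("transform types failing in every remote proposal:",
          sorted(common_blockers(report)))
```

With the assumed server-side set, remote proposal 4 differs only in DH (MODP1024 offered versus MODP2048 accepted), and DH is the one transform type that fails in every remote proposal, which is exactly the kind of single attribute this comparison is meant to surface before you start changing ike= lines or client registry settings.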
