Hi,

> >>> I've also added the "NegotiateDH2048_AES256" DWORD as per this doc:
> >>> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
> >>
> >> Instead of tweaking the registry, you might rather use the Windows
> >> PowerShell, and specifically Set-VpnConnectionIPsecConfiguration:
> >> https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps
> >>
> >> Fair warning: do not use ECP curves for DH group and PfsGroup, because
> >> you won't be able to connect from Win10 to libreswan with those.
> >> Also, do not use elliptic curve (ECDSA) certificates, because you won't
> >> be able to connect from Win10 to libreswan either.
> >> As a side note, Windows will reject its own certificate if it uses ECDSA

I followed the instructions to create a cert from this libreswan page:
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
How can I tell what type of cert I'm using?

> >> and the DH group does /not/ use EC ciphers, raising the (possibly
> >> confusing) error 13806.
> >
> > I've read over your comments multiple times and I'm really not sure I
> > understand.
>
> That is probably because my comment assumes some familiarity with IKE
> encryption and authentication methods.
>
> > This is the command I've now tried to use, unsuccessfully:
> >
> > Set-VpnConnectionIPsecConfiguration -ConnectionName "ikev2-cp"
> > -AuthenticationTransformConstants SHA256128 -CipherTransformConstants
> > AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -PfsGroup
> > ECP384 -DHGroup ECP384 -PassThru -Force
>
> This command uses ECP curves for DH group and PfsGroup, which is what I
> said libreswan is *not* able to accept in this scenario.
>
> One hint might be:
> Set-VpnConnectionIPsecConfiguration -ConnectionName "ikev2-cp"
> -AuthenticationTransformConstants SHA256128 -CipherTransformConstants
> AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup
> PFS2048 -DHGroup Group14 -PassThru -Force
>
> DH Group14 means MODP2048:
> https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-8

I've done this, and it appears to make no difference. There don't appear to
be any further references to modp1024, but I have no idea what to do next.

> I also changed -IntegrityCheckMethod SHA384 to SHA256 because SHA384 is
> not part of the libreswan default set shown below. You may use ike=...
> and esp=... to configure that. See the ipsec.conf manpage for details
> about how to configure those. You may want to start with the default set
> though.

Based on the strongswan page, I've added the following:

    ike=aes256-sha384-prfsha384-modp2048
    esp=aes256gcm16-modp2048

> Here's some instruction on how to configure the Windows connection to
> use machine certificates.
> https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
>
> Is it possible you have some "auto" property setting somewhere?

I have followed those instructions explicitly and multiple times.

Can I ask you to review this pastebin output from an attempt to connect?
https://pastebin.com/D83HRJnW

This is with "plutodebug = all crypt". In addition to the NO_PROPOSAL_CHOSEN
messages, the highlights appear to include:

    find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports
    find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports
    find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500 policy=PSK+IKEV2_ALLOW but ignoring ports

Thanks so much,
Alex

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
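As an added example, not part of this thread or of libreswan, here is a small Python check that translates a Set-VpnConnectionIPsecConfiguration parameter set into libreswan algorithm names and tests whether the server's ike= and esp= lines contain a matching proposal, which is the first thing to verify when the log shows NO_PROPOSAL_CHOSEN. The Windows-name to libreswan-name mapping and the alias table are my assumptions, drawn from the IANA IKEv2 registry and libreswan's documented spellings.

```python
# Added example (not from the thread): does the Windows client's proposal
# overlap the libreswan ike=/esp= lines? A False means NO_PROPOSAL_CHOSEN.

# Windows parameter values -> libreswan names (assumed mapping)
WIN_TO_LIBRESWAN = {
    "AES128": "aes128", "AES256": "aes256", "GCMAES256": "aes_gcm_c_256",
    "SHA256": "sha2_256", "SHA384": "sha2_384", "SHA256128": "sha2_256",
    "Group14": "modp2048", "PFS2048": "modp2048",
    "ECP256": "ecp_256", "ECP384": "ecp_384",
}
# libreswan accepts several spellings; fold them to one canonical form (assumed)
ALIASES = {
    "sha256": "sha2_256", "sha384": "sha2_384", "sha512": "sha2_512",
    "aes256gcm16": "aes_gcm_c_256", "aes_gcm256": "aes_gcm_c_256",
    "aes128gcm16": "aes_gcm_c_128", "aes_gcm128": "aes_gcm_c_128",
}
DH_PREFIXES = ("modp", "ecp", "dh")
INTEG_PREFIXES = ("sha", "md5", "aes_xcbc")

def canon(name):
    return ALIASES.get(name.lower(), name.lower())

def parse_proposals(line):
    """'aes256-sha384-prfsha384-modp2048,aes128-sha1' -> list of dicts with
    enc/integ/dh; PRF entries are skipped and AEAD ciphers carry no integ."""
    out = []
    for prop in line.replace(";", "-").split(","):
        p = {"enc": None, "integ": None, "dh": None}
        for part in prop.split("-"):
            part = canon(part)
            if part.startswith("prf"):
                continue
            if part.startswith(DH_PREFIXES):
                p["dh"] = part
            elif part.startswith(INTEG_PREFIXES):
                p["integ"] = part
            else:
                p["enc"] = part
        out.append(p)
    return out

def windows_proposal(win):
    """IKE comes from -EncryptionMethod/-IntegrityCheckMethod/-DHGroup, ESP from
    -CipherTransformConstants/-AuthenticationTransformConstants/-PfsGroup."""
    ike = {"enc": WIN_TO_LIBRESWAN[win["EncryptionMethod"]],
           "integ": WIN_TO_LIBRESWAN[win["IntegrityCheckMethod"]],
           "dh": WIN_TO_LIBRESWAN[win["DHGroup"]]}
    esp_enc = WIN_TO_LIBRESWAN[win["CipherTransformConstants"]]
    esp_integ = WIN_TO_LIBRESWAN[win["AuthenticationTransformConstants"]]
    esp = {"enc": esp_enc, "dh": WIN_TO_LIBRESWAN[win["PfsGroup"]],
           "integ": None if esp_enc.startswith("aes_gcm") else esp_integ}
    return ike, esp

def check(win, ike_line, esp_line):
    """Return (ike_ok, esp_ok) for the client parameters against the server lines."""
    ike, esp = windows_proposal(win)
    match = lambda want, offered: any(all(want[k] == p[k] for k in want) for p in offered)
    return match(ike, parse_proposals(ike_line)), match(esp, parse_proposals(esp_line))
```

Run with the second PowerShell command from the thread against the ike=/esp= lines above and both sides come back False: the client offers SHA256 integrity and AES-CBC with HMAC for ESP, while the server lists only sha384 for IKE and AES-GCM for ESP.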
