On Tue, 4 Jan 2022, Mirsad Goran Todorovac wrote:
> I have a couple of questions:
> 1. I have added:
> pfs=yes
> type=tunnel
> to my IKEv1 configuration, as Paul asserted there are issues with the
> transport mode connection. Is that legal? I can't see much from Googling, as
> the libreswan doc site example also uses transport mode.
It just won't be compatible with some implementations, although some are
willing to do it. Note that you cannot configure libreswan to do either
transport or tunnel, so you have to get all of your clients using the
same mode. I doubt you can tweak Windows as a client to use tunnel mode.
> 2. Regarding my IKEv2 connection attempt, it seems that NSS is unable to find
> the CA cert, but it appears to be in the key store:
> root@domac:~# certutil -L -d sql:/var/lib/ipsec/nss
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
> vpn.alu.hr u,u,u
> ALU-UNIZG CA ,,
This does not seem to be showing the proper trust bits for the CA, e.g.:
[root@thinkpad interop-ikev2-eaptls-strongswan-client]# certutil -L -d /var/lib/ipsec/nss
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
letoams.nohats.ca u,u,u
Certificate Agency (CA) - No Hats Corporation CT,,
west-bigsig u,u,u
Libreswan test CA for mainca - Libreswan CT,,
You can try running ipsec --checknss which can fix some of these issues.
Otherwise use certutil to add "CT,," to your CA.
Paul
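Added example, not from the thread or from libreswan itself: a small shell script that scans a certutil -L listing for entries whose trust column is empty (",,") and prints the certutil -M command that would set "CT,," on them, as Paul suggests. The database path and the nickname are taken from Mirsad's listing; the listing fed to the script is constructed to mirror it rather than read from a live NSS database.

```shell
#!/bin/sh
# Audit a certutil -L listing for CA entries with no trust flags and print
# the certutil -M invocation that grants them "CT,," (trusted CA for SSL).
NSSDB="sql:/var/lib/ipsec/nss"   # assumed path, as quoted in the thread

# Constructed sample of `certutil -L -d $NSSDB` output (not captured live).
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

vpn.alu.hr                                                   u,u,u
ALU-UNIZG CA                                                 ,,
'

# untrusted_cas: read a certutil -L listing on stdin and print the nickname of
# every entry whose trust column is exactly ",,", one nickname per line.
# Real entries end in a flag triple (u,u,u / CT,, / ,,); header lines do not.
untrusted_cas() {
    awk '
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            sub(/[ \t]+[^ \t]+$/, "")   # drop the trailing trust column, keep nickname
            if (flags == ",,") print $0
        }'
}

# fix_command: emit the certutil modify-trust command for one nickname.
fix_command() {
    printf 'certutil -M -d %s -n "%s" -t "CT,,"\n' "$NSSDB" "$1"
}

# audit: run the check over the sample listing and print one fix per finding.
audit() {
    printf '%s\n' "$SAMPLE_LISTING" | untrusted_cas | while IFS= read -r nick; do
        fix_command "$nick"
    done
}

audit
```

To run it against a real database, replace SAMPLE_LISTING with the output of `certutil -L -d "$NSSDB"` and review the printed commands before executing them.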
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan