Thanks Ariel.
With that tip and a little more fiddling, I've gotten it to work. However, I'm
now stuck behind the issue that I can't have more than one client behind a
single NAT firewall. Google and the mailing list archives seem to say that
this is a known issue with no current publicly available solutions, except for
L2TP, which isn't an option for me.
I've had a play with tunnel mode as well, but Windows 7 doesn't seem to support
pushing IPs to the client via modecfg, and I'm not sure that would work around
the issue anyway :-)
Ho-hum.
Thanks,
Tristan
Tristan Ball - Hosted Services Manager VIC
Pronto Hosted Services
20 Lakeside Drive, Burwood East, VIC 3151
Phone: +61 3 9887 7770 | Email: [email protected]
Mobile: +61 408 397 473
For PHS helpdesk support, please email [email protected]
For urgent after hours support phone: 1800 622 556
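For reference, the following is the complete transport-mode road-warrior setup that results from combining the original `conn winclient` with Ariel's `keyexchange=ikev1` tip. It is an added example, not a configuration posted in the thread. The `nat_traversal=yes` line and the `%any : PSK` secret are assumptions about this setup: pluto in strongSwan 4.x only accepts NAT-T (UDP-encapsulated ESP from clients behind NAT) when that option is set explicitly, and `%any` makes the one pre-shared key apply to every roaming client address. The `CHANGEME` placeholder must be replaced with a strong secret and mirrored in the Windows connection security rule.

```conf
# /etc/ipsec.conf  (strongSwan 4.x: pluto handles IKEv1, charon IKEv2)
config setup
    # pluto must be told to accept NAT-T; charon negotiates it regardless.
    # Assumed to be needed here because the clients may sit behind NAT.
    nat_traversal=yes

conn winclient
    # The built-in Windows Vista/7 client speaks IKEv1 only. Since 4.5 the
    # default keyexchange is ikev2, so without this line the conn is loaded
    # into charon only and pluto rejects the client's Main Mode request with
    # "no connection has been authorized with policy=PSK".
    keyexchange=ikev1
    # Transport mode: protect traffic between the client and this host only,
    # no virtual IPs, no tunnel.
    type=transport
    left=%defaultroute
    # Roaming clients come from any address; %any is required here.
    right=%any
    authby=secret
    pfs=no
    # Load the conn and wait for clients to initiate; never initiate ourselves.
    auto=add

# /etc/ipsec.secrets
# One group PSK for all road warriors (placeholder value, assumed).
%any : PSK "CHANGEME"
```

Two caveats worth keeping in mind with this shape of config. First, every road warrior holds the same PSK, and because pre-shared-key authentication is symmetric, any client that knows it can also pose as the server to the others; rotating it means touching every Windows client. Second, `pluto.log` and the pluto/charon split only exist in strongSwan 4.x; from 5.0 onward pluto is gone and charon handles IKEv1 too, so on a newer release the same `keyexchange=ikev1` conn is logged by charon.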
-----Original Message-----
From: Ariel [mailto:[email protected]]
Sent: Wednesday, 5 October 2011 10:09 PM
To: Tristan Ball
Cc: [email protected]
Subject: Re: [strongSwan] Transport mode for Windows Vista/7 RoadWarriors?
The built-in Windows VPN client uses IKEv1 (strongSwan attempts to use IKEv2 by
default), so add:
keyexchange=ikev1
to your options and you should now see it being caught in your pluto.log (pluto
is the IKEv1 daemon, charon is for IKEv2).
-a
On Oct 4, 2011, at 5:13 PM, Tristan Ball wrote:
> Hi,
> Can someone tell me if the following is doable? I'd like to
> be able to provide a transport mode connection to a single server for a pool
> of Windows Vista/7 road warriors, who may or may not be behind NAT depending
> on the day.
>
> The end users are the roaming users for a customer of mine, and they're
> opposed to VPNs for complexity and maintenance reasons; however, I have a
> need to provide secure access to applications running on a server I host for
> them. I had hoped to use the Windows firewall connection profiles to start a
> tunnel mode connection, which to the end user would be essentially
> transparent and hopefully negate some of the pushback against VPNs.
>
> All the strongSwan documentation seems to refer to tunnel mode, and the
> Windows examples in particular seem to hard-code endpoint IP addresses. I
> don't think that's going to work for roaming users.
>
> For my lab setup I've been attempting to start a connection using preshared
> keys, but I can't get past "initial Main Mode message received on
> 203.89.x.x:500 but no connection has been authorized with policy=PSK" in the
> pluto logs.
>
> My ipsec.conf is pretty simple:
>
> conn winclient
>     type=transport        # transport mode, not the usual tunnel mode
>     left=%defaultroute    # this server's address, taken from the default route
>     right=%any            # accept road warriors from any address
>     authby=secret         # pre-shared key authentication
>     pfs=no
>     auto=add              # load the conn and wait for clients to initiate
>
> Can anyone provide assistance with this setup?
>
> Many thanks.
>
> Tristan
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users