> Thanks all for the assistance; I got it figured out. PSK is only IKEv1, so
> I had to change the Linux config version to 1.

I'd prefer IKEv2 whenever possible, but you are right: It doesn't support PSK on Windows. Use certificates instead.
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2

The only problem here is you need to add a certificate (or its CA) to the "Trusted" store explicitly (unless you decide to use a certificate from a well-known CA of course).
Certificates are more secure as a shared secret is a bad decision in any case (I am against PSK for production except marginal cases like GRE+IPSec in Mikrotik, and even there be sure to use a long random string, not a user-readable password).

> After that, I could see different errors with 'swanctl --log' stating the
> proposals didn't match.

You can increase logging to see the proposals list Windows sends to you:
https://docs.strongswan.org/docs/5.9/config/logging.html
Not sure if it works for ``swanctl --log``, but it definitely works for any other logging system (syslog, journal, etc.)

> Windows doesn't support Diffie-Hellman on ESP proposals, so I just had to
> remove that from the Linux config:

I am aware of the fact that Windows 7 doesn't support DH for CHILD_SA (which I believe is only used for PFS), so you need to disable the DH group (as you did). It seems that Win10 still doesn't support it :(
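
A swanctl.conf sketch of the setup discussed in this thread (IKEv2, certificate authentication, no DH group in the ESP proposal), added here as an example that is not part of the original e-mails or the posters' configuration. The connection and child names, the certificate file name, the identity and the algorithm choices are placeholders and assumptions; the algorithms have to be matched against the proposals Windows actually sends, as shown in the logs.

```conf
# /etc/swanctl/swanctl.conf (constructed example, placeholder values throughout)
connections {
    win-peer {                          # hypothetical connection name
        version = 2                     # IKEv2; PSK was reported above as IKEv1-only on Windows

        # IKE proposal: a DH group is still required here for the IKE_SA itself.
        # Placeholder algorithms, replace with what the Windows side offers.
        proposals = aes256-sha256-modp2048

        local {
            auth = pubkey               # certificate authentication instead of a shared secret
            certs = gateway-cert.pem    # placeholder file name under /etc/swanctl/x509/
            id = gateway.example.org    # placeholder identity, must match the certificate
        }
        remote {
            auth = pubkey               # the peer's CA certificate goes in /etc/swanctl/x509ca/
        }

        children {
            win-child {                 # hypothetical child name
                # Not accepted by the Windows peer per the thread: an ESP proposal
                # with a DH group appended, which requests PFS for the CHILD_SA.
                #   esp_proposals = aes256-sha256-modp2048
                #
                # ESP proposal without a DH group, as the thread settled on:
                esp_proposals = aes256-sha256
            }
        }
    }
}
```

After editing, `swanctl --load-all` reloads the connections and credentials.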