[strongSwan] Strongswan Host-to-Host Connection Linux to Windows

Tyler Phillippe tylerphillippe at gmail.com
Fri May 20 17:52:10 CEST 2022


Thanks all for the assistance; I got it figured out. PSK is only IKEv1, so
I had to change the Linux config version to 1. After that, I could see
different errors with 'swanctl --log' stating the proposals didn't match.
Windows doesn't support Diffie-Hellman on ESP proposals, so I just had to
remove that from the Linux config:

connections {
    linuxHost {
        local_addrs = (Linux machine)
        remote_addrs = (Windows machine)
        proposals = aes128-sha256-modp2048
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            linuxHost {
                esp_proposals = aes128-sha256
                mode = transport
            }
        }
        version = 1
        reauth_time = 10800
    }
}

secrets {
    ike {
        secret = 123abc
    }
}

On Fri, May 20, 2022 at 10:20 AM G J <bls3427 at outlook.com> wrote:

> Here’s what I use for my system. Both Win10 and Win11 are able to connect
> to it just fine. I’m using certs rather than psk, but you should be able to
> work past that. Also, you might want to have a look at
> https://github.com/gitbls/pistrong/blob/master/CertInstall.md. Although
> it discusses installing Certs on Win10, some of the settings are
> appropriate regardless whether it’s cert or psk.
>
>
>
>     windows-pubkey-ikev2 {
>         version = 2
>         proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>         rekey_time = 0s
>         pools = primary-pool-ipv4
>         fragmentation = yes
>         dpd_delay = 30s
>
>         local-1 {
>              auth = pubkey
>              cacerts = strongSwanCACert.pem
>              certs = windows-strongSwanVPNCert.pem
>              id = windows.mydom.com
>         }
>
>         remote-1 {
>              id = %any
>         }
>
>         children {
>              net-windows {
>                  local_ts = 0.0.0.0/0
>                  rekey_time = 0s
>                  dpd_action = clear
>                  esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>              }
>         }
>     }
> }
>
> pools {
>     primary-pool-ipv4 {
>         addrs = 10.92.10.0/24
>         dns = 192.168.92.3
>     }
> }
>
> From: Users <users-bounces at lists.strongswan.org> On Behalf Of Tyler Phillippe
> Sent: Friday, May 20, 2022 6:51 AM
> To: IL Ka <kazakevichilya at gmail.com>
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan Host-to-Host Connection Linux to Windows
>
> Here are the Linux logs - connecting to a Win10 21H2 machine right now for
> testing, will migrate over to Server 2019/2022 eventually. Thanks!
>
> 09[NET] received packet: from Windows[500] to Linux[500] (256 bytes)
> 09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
> 09[IKE] no IKE config found for Linux...Windows, sending NO_PROPOSAL_CHOSEN
> 09[ENC] generating INFORMATIONAL_V1 request 2032397121 [ N(NO_PROP) ]
> 09[NET] sending packet: from Linux[500] to Windows[500] (40 bytes)
> 05[NET] received packet: from Windows[500] to Linux[500] (256 bytes)
> 05[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
> 05[IKE] no IKE config found for Linux...Windows, sending NO_PROPOSAL_CHOSEN
> 05[ENC] generating INFORMATIONAL_V1 request 1617066194 [ N(NO_PROP) ]
> 05[NET] sending packet: from Linux[500] to Windows[500] (40 bytes)
> 11[NET] received packet: from Windows[500] to Linux[500] (256 bytes)
> 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
> 11[IKE] no IKE config found for Linux...Windows, sending NO_PROPOSAL_CHOSEN
> 11[ENC] generating INFORMATIONAL_V1 request 728440835 [ N(NO_PROP) ]
> 11[NET] sending packet: from Linux[500] to Windows[500] (40 bytes)
>
> On Fri, May 20, 2022 at 9:43 AM IL Ka <kazakevichilya at gmail.com> wrote:
>
> What about Linux logs?
>
> Run ``swanctl --log`` on Linux and reinitiate connection.
>
> Which version of Windows btw?
>
> On Fri, May 20, 2022 at 4:16 PM Tyler Phillippe <tylerphillippe at gmail.com>
> wrote:
>
> Hello all! I am attempting to connect a Linux machine to Windows via
> Strongswan in a host-to-host configuration. I tested with Windows to
> Windows using the built-in firewall and it connected instantly. I changed
> the default Windows integrity and encryption ciphers and I think I changed
> them in the Linux Strongswan configuration. However, I am not getting any
> connection between the hosts and I can't find any logs on the Windows
> machine to help me narrow down what the issue is. It definitely does not
> work, since the SSH session on the Linux machine fails out. Below is the
> swanctl.conf file on my Linux machine. And, I know it's not the most secure
> method - I'm just trying to get it to initially connect with a PSK since
> that's the simplest for now. Windows doesn't support modp3072
> unfortunately, so I had to manually set the Linux config below to modp2048.
> The Windows firewall is set to use AES-CBC 128, SHA-256, MODP2048 for key
> exchange and ESP AES-CBC 128, SHA-256 for data protection. What am I doing
> wrong? Thanks everyone!!
>
> connections {
>     linuxHost {
>         local_addrs =  (Linux machine)
>         remote_addrs =  (Windows machine)
>         proposals = aes128-sha256-modp2048
>         local {
>             auth = psk
>         }
>         remote {
>             auth = psk
>         }
>         children {
>             linuxHost {
>                 esp_proposals = aes128-sha256-modp2048
>                 mode = transport
>             }
>         }
>         version = 2
>         reauth_time = 10800
>     }
> }
>
> secrets {
>     ike {
>         secret = <psk>
>     }
> }
>
>
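The thread resolves on two configuration details: the PSK connection only came up once `version = 1` was set, and the ESP proposal had to lose its `modp2048` group because Windows rejected a DH group (PFS) on the ESP side. As an added example that is not part of this thread and not strongSwan project code, the script below parses a swanctl.conf-style file with a small hand-written parser (it assumes the plain `section { key = value }` form used in the messages above, with no `include` directives), classifies each proposal keyword, and flags exactly those two settings. The two embedded configs are constructed from the first and last messages of the thread; the addresses and PSK are placeholders, and the list of DH-group keywords is an assumption covering the common strongSwan names.

```python
"""Checker for the two swanctl.conf settings the thread had to change."""
import re

# Constructed sample: the failing config from the thread's first message,
# reduced to the relevant fields. Addresses and PSK are placeholders.
BEFORE = """\
connections {
    linuxHost {
        local_addrs = 192.0.2.10
        remote_addrs = 192.0.2.20
        proposals = aes128-sha256-modp2048
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            linuxHost {
                esp_proposals = aes128-sha256-modp2048
                mode = transport
            }
        }
        version = 2
    }
}
secrets {
    ike {
        secret = PLACEHOLDER_PSK
    }
}
"""

# The working config from the thread's last message differs in two lines.
AFTER = (BEFORE
         .replace("esp_proposals = aes128-sha256-modp2048", "esp_proposals = aes128-sha256")
         .replace("version = 2", "version = 1"))

# Assumed set of strongSwan DH-group keywords that may appear in a proposal:
# modp* (incl. modp2048s256 style), ecp* (incl. Brainpool *bp), curve/x25519, curve/x448.
DH_GROUP = re.compile(r"^(modp\d+(s\d+)?|ecp\d+(bp)?|curve25519|curve448|x25519|x448)$")


def parse_swanctl(text):
    """Parse the brace-delimited swanctl.conf format into nested dicts."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                    # open a section
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":                         # close the current section
            stack.pop()
        elif "=" in line:                         # key = value
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def split_proposal(proposal):
    """Split one proposal string into (ciphers, integrity/PRF, DH groups)."""
    ciphers, integ, dh = [], [], []
    for token in proposal.split("-"):
        if DH_GROUP.match(token):
            dh.append(token)
        elif token.startswith(("aes", "chacha20", "3des", "camellia", "null")):
            ciphers.append(token)
        else:
            integ.append(token)
    return ciphers, integ, dh


def check_windows_peer(conf):
    """Return findings for the two settings the thread changed for a Windows peer.

    The rules encode the thread's outcome, not an exhaustive Windows policy:
      1. the PSK connection only negotiated with version = 1 (IKEv1);
      2. Windows rejected an ESP proposal that carried a DH group (PFS).
    """
    findings = []
    for cname, conn in conf.get("connections", {}).items():
        version = conn.get("version", "0")        # swanctl default 0 = either version
        auths = {sec.get("auth") for key, sec in conn.items()
                 if isinstance(sec, dict) and key != "children"}
        if "psk" in auths and version != "1":
            findings.append(f"{cname}: auth = psk with version = {version}; "
                            "the thread needed version = 1")
        for chname, child in conn.get("children", {}).items():
            for prop in child.get("esp_proposals", "").split(","):
                if prop and split_proposal(prop)[2]:
                    findings.append(f"{cname}/{chname}: esp_proposals '{prop}' carries a "
                                    f"DH group ({split_proposal(prop)[2][0]}); drop it")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}:", check_windows_peer(parse_swanctl(text)) or ["ok"])
```

Run against the first config the checker reports both the `version = 2` and the `modp2048` in `esp_proposals`; against the final config it reports nothing. The same `split_proposal` helper shows why the IKE proposal `aes128-sha256-modp2048` is fine while the identical string is a problem under `esp_proposals`: the DH group is expected in the IKE SA proposal and only becomes PFS, which the Windows peer refused here, when it appears in the child SA.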