<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Here’s what I use for my system. Both Win10 and Win11 are able to connect to it just fine. I’m using certs rather than psk, but you should be able to work past that. Also, you might want to have a look at
<a href="https://github.com/gitbls/pistrong/blob/master/CertInstall.md">https://github.com/gitbls/pistrong/blob/master/CertInstall.md</a>. Although it discusses installing Certs on Win10, some of the settings are appropriate regardless whether it’s cert or
psk.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> windows-pubkey-ikev2 {<o:p></o:p></p>
<p class="MsoNormal"> version = 2<o:p></o:p></p>
<p class="MsoNormal"> proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default<o:p></o:p></p>
<p class="MsoNormal"> rekey_time = 0s<o:p></o:p></p>
<p class="MsoNormal"> pools = primary-pool-ipv4<o:p></o:p></p>
<p class="MsoNormal"> fragmentation = yes<o:p></o:p></p>
<p class="MsoNormal"> dpd_delay = 30s<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> local-1 {<o:p></o:p></p>
<p class="MsoNormal"> auth = pubkey<o:p></o:p></p>
<p class="MsoNormal"> cacerts = strongSwanCACert.pem<o:p></o:p></p>
<p class="MsoNormal"> certs = windows-strongSwanVPNCert.pem<o:p></o:p></p>
<p class="MsoNormal"> id = windows.mydom.com<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> remote-1 {<o:p></o:p></p>
<p class="MsoNormal"> id = %any<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> children {<o:p></o:p></p>
<p class="MsoNormal"> net-windows {<o:p></o:p></p>
<p class="MsoNormal"> local_ts = 0.0.0.0/0<o:p></o:p></p>
<p class="MsoNormal"> rekey_time = 0s<o:p></o:p></p>
<p class="MsoNormal"> dpd_action = clear<o:p></o:p></p>
<p class="MsoNormal"> esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal">}<o:p></o:p></p>
<p class="MsoNormal"> pools {<o:p></o:p></p>
<p class="MsoNormal"> primary-pool-ipv4 {<o:p></o:p></p>
<p class="MsoNormal"> addrs = 10.92.10.0/24<o:p></o:p></p>
<p class="MsoNormal"> dns = 192.168.92.3<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal">}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Users <users-bounces@lists.strongswan.org> <b>On Behalf Of
</b>Tyler Phillippe<br>
<b>Sent:</b> Friday, May 20, 2022 6:51 AM<br>
<b>To:</b> IL Ka <kazakevichilya@gmail.com><br>
<b>Cc:</b> users@lists.strongswan.org<br>
<b>Subject:</b> Re: [strongSwan] Strongswan Host-to-Host Connection Linux to Windows<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Here are the Linux logs - connecting to a Win10 21H2 machine right now for testing, will migrate over to Server 2019/2022 eventually. Thanks!<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">09[NET] received packet: from Windows[500] to Linux[500] (256 bytes)<br>
09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]<br>
09[IKE] no IKE config found for Linux...Windows, sending NO_PROPOSAL_CHOSEN<br>
09[ENC] generating INFORMATIONAL_V1 request 2032397121 [ N(NO_PROP) ]<br>
09[NET] sending packet: from Linux[500] to Windows[500] (40 bytes)<br>
05[NET] received packet: from Windows[500] to Linux[500] (256 bytes)<br>
05[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]<br>
05[IKE] no IKE config found for Linux...Windows, sending NO_PROPOSAL_CHOSEN<br>
05[ENC] generating INFORMATIONAL_V1 request 1617066194 [ N(NO_PROP) ]<br>
05[NET] sending packet: from Linux[500] to Windows[500] (40 bytes)<br>
11[NET] received packet: from Windows[500] to Linux[500] (256 bytes)<br>
11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]<br>
11[IKE] no IKE config found for Linux...Windows, sending NO_PROPOSAL_CHOSEN<br>
11[ENC] generating INFORMATIONAL_V1 request 728440835 [ N(NO_PROP) ]<br>
11[NET] sending packet: from Linux[500] to Windows[500] (40 bytes)<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Fri, May 20, 2022 at 9:43 AM IL Ka <<a href="mailto:kazakevichilya@gmail.com">kazakevichilya@gmail.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">What about Linux logs? <o:p></o:p></p>
<div>
<p class="MsoNormal">Run ``swanctl --log`` on Linux and reinitiate connection. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Which version of Windows btw? <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Fri, May 20, 2022 at 4:16 PM Tyler Phillippe <<a href="mailto:tylerphillippe@gmail.com" target="_blank">tylerphillippe@gmail.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">Hello all! I am attempting to connect a Linux machine to Windows via Strongswan in a host-to-host configuration. I tested with Windows to Windows using the built-in firewall and it connected instantly. I changed the default Windows integrity
and encryption ciphers and I think I changed them in the Linux Strongswan configuration. However, I am not getting any connection between the hosts and I can't find any logs on the Windows machine to help me narrow down what the issue is. It definitely does
not work, since the SSH session on the Linux machine fails out. Below is the swanctl.conf file on my Linux machine. And, I know it's not the most secure method - I'm just trying to get it to initially connect with a PSK since that's the simplest for now. Windows
doesn't support modp3072 unfortunately, so I had to manually set the Linux config below to modp2048. The Windows firewall is set to use AES-CBC 128, SHA-256, MODP2048 for key exchange and ESP AES-CBC 128, SHA-256 for data protection. What am I doing wrong?
Thanks everyone!!<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">connections {<br>
linuxHost {<br>
local_addrs = (Linux machine)<br>
remote_addrs = (Windows machine)<br>
proposals = aes128-sha256-modp2048<br>
local {<br>
auth = psk<br>
}<br>
remote {<br>
auth = psk<br>
}<br>
children {<br>
linuxHost {<br>
esp_proposals = aes128-sha256-modp2048<br>
mode = transport<br>
}<br>
}<br>
version = 2<br>
reauth_time = 10800<br>
}<br>
}<br>
<br>
secrets {<br>
ike {<br>
secret = <psk><br>
}<br>
}<o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</body>
</html>