[strongSwan] Setup client using main mode/draft-ietf-ipsec-nat-t-ike-02
Martin Willi
martin at strongswan.org
Thu Jun 6 10:04:47 CEST 2013
Hi Damien,
> - a p12 and its password.
> Exchange type: Identity Protection (Main Mode) (2)
> Type Payload: Security Association (1)
> Type Payload: Vendor ID (13) : XAUTH
> Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
> Type Payload: Vendor ID (13) : Microsoft L2TP/IPSec VPN Client
> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02
> Type Payload: Vendor ID (13) : CISCO-UNITY 1.0
> can someone confirm that strongswan can handle this VPN?
Yes, chances are good that this works with strongSwan, go for the latest
release.
> If so, is there an example configuration file for this specific
> VPN?
Seems that this setup uses Main Mode with certificate authentication.
I'd guess that it uses Mode Config to assign a virtual IP.
I'd try with a configuration similar to that of Carol in [1]. Because we
don't have direct PKCS#12 support, you'll have to extract the
certificates and the private key from the container using OpenSSL, then
install them to /etc/ipsec.d/{cacerts,certs,private}.
If you need support for split tunneling, you can try to --enable-unity
during ./configure.
There are some useful changes in our git master branch, coming with the
next release: PKCS#12 support and a simple command line client
(charon-cmd). That should make your setup significantly simpler. But for
that you'd have to build from git sources (see [2]), or wait for the
next release, scheduled for the end of the month.
Regards
Martin
[1]http://www.strongswan.org/uml/testresults/ikev1/rw-cert/index.html
[2]http://git.strongswan.org/?p=strongswan.git;a=blob;f=HACKING;hb=HEAD
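The extraction step Martin describes (pull the CA certificate, the client certificate and the private key out of the PKCS#12 container with OpenSSL and install them under /etc/ipsec.d/{cacerts,certs,private}), as an added example that is not part of the mailing-list thread or of strongSwan itself. It also writes a roadwarrior ipsec.conf in the spirit of the rw-cert scenario; the client identity carol@strongswan.org, the file names, the GATEWAY_* placeholders and the constructed throw-away CA used to build a demo container are all assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): unpack a PKCS#12 container
# with OpenSSL and drop the pieces into the /etc/ipsec.d layout strongSwan reads.
# File names, the identity "carol@strongswan.org" and the gateway placeholders
# are assumptions for illustration.
set -eu

# extract_p12 P12 PASSWORD DESTDIR
# Writes DESTDIR/cacerts/ca.crt, DESTDIR/certs/client.crt, DESTDIR/private/client.key
extract_p12() {
  p12=$1; pass=$2; dest=$3
  mkdir -p "$dest/cacerts" "$dest/certs" "$dest/private"
  # Client certificate only; piping through "openssl x509" strips the
  # "Bag Attributes" header lines pkcs12 prints before the PEM block.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
    | openssl x509 -out "$dest/certs/client.crt"
  # CA certificate(s) from the container; a chain may contain more than one.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys \
    -out "$dest/cacerts/ca.crt"
  # Private key, written unencrypted so charon can load it without a passphrase;
  # the subshell umask makes the file readable by its owner only.
  ( umask 077
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
      | openssl pkey -out "$dest/private/client.key" )
}

# key_matches_cert KEYFILE CERTFILE -> prints "yes" if the public keys agree
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
  key_pub=$(openssl pkey -in "$1" -pubout)
  if [ "$cert_pub" = "$key_pub" ]; then echo yes; else echo no; fi
}

# cert_chains_to_ca CERTFILE CAFILE -> "yes" if CERTFILE verifies against CAFILE
cert_chains_to_ca() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# write_ipsec_conf DIR: roadwarrior client in the style of the rw-cert scenario
# (Main Mode, certificate authentication, virtual IP via Mode Config).
# Gateway address and identity are placeholders to be replaced.
write_ipsec_conf() {
  cat > "$1/ipsec.conf" <<'EOF'
config setup

conn %default
    keyexchange=ikev1
    keyingtries=1
    dpdaction=restart

conn home
    left=%defaultroute
    leftcert=client.crt
    leftid=carol@strongswan.org
    leftsourceip=%config
    right=GATEWAY_ADDRESS_PLACEHOLDER
    rightid=@GATEWAY_ID_PLACEHOLDER
    rightsubnet=0.0.0.0/0
    auto=add
EOF
  # the key has no passphrase, so nothing follows the colon
  printf ': RSA client.key\n' > "$1/ipsec.secrets"
}

# make_demo_p12 P12 PASSWORD WORKDIR: build a constructed throw-away CA and
# client certificate so the example runs offline (stands in for a real .p12).
make_demo_p12() {
  out=$1; pass=$2; w=$3
  mkdir -p "$w"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$w/ca.key" -out "$w/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=carol@strongswan.org" \
    -keyout "$w/client.key" -out "$w/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -set_serial 1 -in "$w/client.csr" \
    -CA "$w/ca.crt" -CAkey "$w/ca.key" -out "$w/client.crt" 2>/dev/null
  openssl pkcs12 -export -name carol -in "$w/client.crt" -inkey "$w/client.key" \
    -certfile "$w/ca.crt" -passout "pass:$pass" -out "$out"
}

# Stand-alone run: "sh extract.sh demo" builds the demo container and unpacks it
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_demo_p12 "$d/client.p12" secret "$d/gen"
  extract_p12 "$d/client.p12" secret "$d/ipsec.d"
  write_ipsec_conf "$d"
  echo "key matches cert: $(key_matches_cert "$d/ipsec.d/private/client.key" "$d/ipsec.d/certs/client.crt")"
  echo "cert chains to CA: $(cert_chains_to_ca "$d/ipsec.d/certs/client.crt" "$d/ipsec.d/cacerts/ca.crt")"
  echo "files under $d/ipsec.d"
fi
```

For a real container, point extract_p12 at the .p12 and its password and use /etc/ipsec.d as DESTDIR. The two check helpers catch the usual mistakes after extraction: a key that does not belong to the certificate (wrong container or wrong bag picked), and a client certificate that does not chain to the CA placed in cacerts. Containers produced by older software may use legacy ciphers that OpenSSL 3 refuses by default; in that case add `-legacy` to the `openssl pkcs12` import calls.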