[strongSwan] Setup client using main mode/draft-ietf-ipsec-nat-t-ike-02

Martin Willi martin at strongswan.org
Thu Jun 6 10:04:47 CEST 2013

Hi Damien,

> - a p12 and its password.

>     Exchange type: Identity Protection (Main Mode) (2)
>     Type Payload: Security Association (1)
>     Type Payload: Vendor ID (13) : XAUTH
>     Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
>     Type Payload: Vendor ID (13) : Microsoft L2TP/IPSec VPN Client
>     Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
>     Type Payload: Vendor ID (13) : CISCO-UNITY 1.0

> can someone confirm that strongswan can hanlde this VPN?

Yes, chances are good that this works with strongSwan, go for the latest

> If so, is there an example confirguration file for this specific
> VPN?

Seems that this setup uses Main Mode with certificate authentication.
I'd guess that it uses Mode Config to assign a virtual IP.

I'd try with a configuration similar to that of Carol in [1]. Because we
don't have direkt PKCS#12 support, you'll have to extract the
certificates and the private key from the container using OpenSSL, then
install them to /etc/ipsec.d/{cacerts,certs,private}.

If you need support for split tunneling, you can try to --enable-unity
during ./configure. 

There are some useful changes in our git master branch, coming with the
next release: PKCS#12 support and a simple command line client
(charon-cmd). That should make your setup significantly simpler. But for
that you'd have to build from git sources (see [2]), or wait for the
next release, scheduled for the end of the month.



More information about the Users mailing list