[strongSwan] Setup client using main mode/draft-ietf-ipsec-nat-t-ike-02

Damien Benoist dams.benoist at gmail.com
Mon Jun 17 09:08:50 CEST 2013


Martin,

I did the changes you suggested.
I now get a "connection 'cnx' established successfully".
So it seems that the client and server now understand each other.

I expected to have a new network interface.
Some threads are talking of an "ipsec" interface
but I have none.
So I just don't know how to use the connection.
Can you tell me what I have to do now
or point me to the right doc?

Thanks again!


2013/6/11 Martin Willi <martin at strongswan.org>:
> Damien,
>
>> Encryption-Algorithm : 3DES-CBC
>> Hash-Algorithm : SHA
>> Alternate 1024-bit MODP group
>
> The IKE proposal uses 3des-sha1, the responder might not like our
> default set (aes128-sha1 or 3des-md5). You might try it with:
>
>   ike=3des-sha1-modp1024!
>
> But the default might work as well, depends on the responder what it
> allows.
>
>> Authentication-Method : XAUTHInitRSA
>
> Looks like the responder expects RSA client authentication followed by
> an XAuth exchange. You can configure this using:
>
>   leftauth=pubkey
>   leftauth2=xauth
>
> Have a look at [1] for a complete example. Besides the
> certificate/private key from the PKCS#12 container, you'll need a
> password in ipsec.secrets.
>
> Regards
> Martin
>
> [1] http://www.strongswan.org/uml/testresults/ikev1/xauth-rsa/index.html
>
>
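
The settings from the quoted reply, gathered into one client-side ipsec.conf connection with its ipsec.secrets entries. This is an added example, not part of the original thread and not the project's own test configuration; the connection name cnx comes from the message above, while the gateway address, file names, XAuth user name and password are constructed placeholders.

```conf
# ---- /etc/ipsec.conf (client side) ----
conn cnx
    keyexchange=ikev1            # thread subject: IKEv1 main mode
    # Matches the responder's advertised proposal (3DES-CBC, SHA, 1024-bit MODP).
    # The trailing "!" makes the proposal strict: only this suite is offered,
    # instead of the default set being appended to it.
    ike=3des-sha1-modp1024!

    # XAUTHInitRSA: RSA signature authentication first, then an XAuth exchange.
    leftauth=pubkey
    leftauth2=xauth
    leftcert=clientCert.pem      # placeholder: certificate taken from the PKCS#12 container
    xauth_identity=xauthuser     # placeholder: XAuth user name

    right=gateway.example.org    # placeholder: responder address
    rightauth=pubkey
    auto=add

# ---- /etc/ipsec.secrets ----
# Private key from the PKCS#12 container (placeholder file name).
: RSA clientKey.pem

# XAuth password for the identity configured above (constructed value).
xauthuser : XAUTH "constructed-password"
```

With both files in place, `ipsec up cnx` starts the negotiation for this connection.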



