[strongSwan] Help! I can't configure Windows 10 to send remote id (leftid) for IKEv2
bls s
bls3427 at outlook.com
Wed Sep 26 20:54:47 CEST 2018
Not trying to muddy the waters, but I think it depends on what auth method you're using. If you're using cert-based auth with IKEv2, I don't think that there's any way to send an ID. On the other hand, if you're using IPsec with a pre-shared key, I think you can coerce the selection of a different connection.
It would definitely be interesting to get some definitive input and validated testing on this!
From: Users <users-bounces at lists.strongswan.org> on behalf of Marwan Khalili <choklad_321 at hotmail.com>
Sent: Wednesday, September 26, 2018 5:16 AM
To: Christian Salway
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Help! I can't configure Windows 10 to send remote id (leftid) for IKEv2
I have looked through the options but cannot find it. I would be very grateful if you could describe how to do it when you have time.
I am using the VPN client built into Windows 10. I have searched for an option corresponding to the "Remote ID" in macOS in the following locations, to no avail:
- Settings -> Network & Internet -> VPN
- Control Panel -> Network and Internet -> Network Connections
- rasphone.pbk - %APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk
- PowerShell documentation for Add-VpnConnection and Set-VpnConnectionIPsecConfiguration
From: Christian Salway <christian.salway at naimuri.com>
Sent: Wednesday, September 26, 2018 01:29
To: bls s
Cc: Marwan Khalili; users at lists.strongswan.org
Subject: Re: [strongSwan] Help! I can't configure Windows 10 to send remote id (leftid) for IKEv2
You can set the ID in Windows 10; if you go through the options for the connection, you will see it. Not near a computer, otherwise I'd get you the instructions.
On 26 Sep 2018, at 02:30, bls s <bls3427 at outlook.com> wrote:
I'm curious about this as well. From my work on pistrong (see elsewhere), it looks to me like Windows doesn't have a way to send an ID that you can use for matching. I haven't tried this, but you might be able to make it work by using a separate "VPN certificate" for the Windows connection that has an altname in it corresponding to a secondary DNS name for your server. You can then have Windows connect to the secondary DNS name and, in theory, it would eventually match that connection.
Again, just a theory, I'm definitely interested in other approaches to solving this.
From: Users <users-bounces at lists.strongswan.org> on behalf of Marwan Khalili <choklad_321 at hotmail.com>
Sent: Tuesday, September 25, 2018 7:47 AM
To: users at lists.strongswan.org
Subject: [strongSwan] Help! I can't configure Windows 10 to send remote id (leftid) for IKEv2
Hello,
I have a strongSwan server running with the ipsec.conf pasted below.
The clients are using Windows 10 and macOS and they must be able to choose a connection. I am trying to separate the connections using "leftid" with different subdomains for each connection (e.g. vpn1.example.org, vpn2.example.org).
My solution below works in macOS by matching "Remote ID" with the appropriate "leftid"; however, I can't get it to work in Windows 10.
I am very grateful for any help or ideas on how I can solve this.
ipsec.conf
--------------
conn %default
    auto=add
    dpdaction=clear
    dpddelay=180s
    eap_identity=%any
    esp=aes256-sha256,aes256-sha1,3des-sha1!
    forceencaps=yes
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    keyexchange=ikev2
    leftcert=cert.pem
    leftsendcert=always
    rightauth=eap-mschapv2
    rightsendcert=never

conn conn1
    left=%any
    leftid=@vpn1.example.org
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.1/24

conn conn2
    left=%any
    leftid=@vpn2.khalili.xyz
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.2/24
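
Added example (not part of the thread, and not strongSwan code): a small audit script that merges conn %default into each conn and reports conns that differ only in leftid, which is the situation conn1 and conn2 are in, so a client that does not send a matching ID gives the server nothing else to select on. SELECTOR_KEYS is an assumed, simplified list of matchable keys, and SAMPLE is the thread's config trimmed to those keys.

```python
from collections import defaultdict

# Constructed sample: the thread's ipsec.conf, trimmed to the keys that matter here.
SAMPLE = """\
conn %default
    keyexchange=ikev2
    leftcert=cert.pem
    rightauth=eap-mschapv2
conn conn1
    left=%any
    leftid=@vpn1.example.org
    right=%any
    rightid=%any
conn conn2
    left=%any
    leftid=@vpn2.khalili.xyz
    right=%any
    rightid=%any
"""

# Assumption: keys other than leftid that could tell two conns apart for a peer.
SELECTOR_KEYS = ("keyexchange", "left", "right", "rightid", "rightauth")

def parse_conns(text):
    """Return {conn_name: {key: value}} with conn %default merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0] in ("conn", "config", "ca") and len(parts) == 2:
            # only conn sections are collected; config/ca sections are skipped
            current = sections.setdefault(parts[1], {}) if parts[0] == "conn" else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}

def leftid_only_groups(conns):
    """Group conns whose selector keys are identical, so only leftid differs."""
    groups = defaultdict(list)
    for name, opts in conns.items():
        groups[tuple(opts.get(k, "") for k in SELECTOR_KEYS)].append(name)
    return [sorted(names) for names in groups.values()
            if len({conns[n].get("leftid") for n in names}) > 1]

if __name__ == "__main__":
    for group in leftid_only_groups(parse_conns(SAMPLE)):
        print("distinguished only by leftid:", ", ".join(group))
```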