[strongSwan] Strongswan Host-to-Host Connection Linux to Windows

Tyler Phillippe tylerphillippe at gmail.com
Sat May 21 02:49:14 CEST 2022


Adding one more note to this for anyone in the future - even with
certificates on both machines, Windows defaults to IKEv1 - I imagine this
is for legacy support out of the box. If you want to change it over to
IKEv2 in Windows (which subsequently stops the invalid header logs on the
Linux machine), use the Set-NetIPsecRule command, using parameters
-IPsecRuleName "{<name>}" and -KeyModule IKEv2. I changed the version to 2
on the StrongSwan configuration and restarted the service. Worked the first
time. Thanks all!

On Fri, May 20, 2022 at 11:52 AM Tyler Phillippe <tylerphillippe at gmail.com>
wrote:

> Thanks all for the assistance; I got it figured out. PSK is only IKEv1, so
> I had to change the Linux config version to 1. After that, I could see
> different errors with 'swanctl --log' stating the proposals didn't match.
> Windows doesn't support Diffie-Hellman on ESP proposals, so I just had to
> remove that from the Linux config:
>
> connections {
>     linuxHost {
>         local_addrs = (Linux machine)
>         remote_addrs = (Windows machine)
>         proposals = aes128-sha256-modp2048
>         local {
>             auth = psk
>         }
>         remote {
>             auth = psk
>         }
>         children {
>             linuxHost {
>                 esp_proposals = aes128-sha256
>                 mode = transport
>             }
>         }
>         version = 1
>         reauth_time = 10800
>     }
> }
>
> secrets {
>     ike {
>         secret = 123abc
>     }
> }
>
> On Fri, May 20, 2022 at 10:20 AM G J <bls3427 at outlook.com> wrote:
>
>> Here’s what I use for my system. Both Win10 and Win11 are able to connect
>> to it just fine. I’m using certs rather than psk, but you should be able to
>> work past that. Also, you might want to have a look at
>> https://github.com/gitbls/pistrong/blob/master/CertInstall.md. Although
>> it discusses installing Certs on Win10, some of the settings are
>> appropriate regardless whether it’s cert or psk.
>>
>> connections {
>>     windows-pubkey-ikev2 {
>>         version = 2
>>         proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>>         rekey_time = 0s
>>         pools = primary-pool-ipv4
>>         fragmentation = yes
>>         dpd_delay = 30s
>>
>>         local-1 {
>>             auth = pubkey
>>             cacerts = strongSwanCACert.pem
>>             certs = windows-strongSwanVPNCert.pem
>>             id = windows.mydom.com
>>         }
>>
>>         remote-1 {
>>             id = %any
>>         }
>>
>>         children {
>>             net-windows {
>>                 local_ts = 0.0.0.0/0
>>                 rekey_time = 0s
>>                 dpd_action = clear
>>                 esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>>             }
>>         }
>>     }
>> }
>>
>> pools {
>>     primary-pool-ipv4 {
>>         addrs = 10.92.10.0/24
>>         dns = 192.168.92.3
>>     }
>> }
>>
>>
>> From: Users <users-bounces at lists.strongswan.org> On Behalf Of Tyler Phillippe
>> Sent: Friday, May 20, 2022 6:51 AM
>> To: IL Ka <kazakevichilya at gmail.com>
>> Cc: users at lists.strongswan.org
>> Subject: Re: [strongSwan] Strongswan Host-to-Host Connection Linux to Windows
>>
>>
>>
>> Here are the Linux logs - connecting to a Win10 21H2 machine right now
>> for testing, will migrate over to Server 2019/2022 eventually. Thanks!
>>
>>
>>
>> 09[NET] received packet: from Windows[500] to Linux[500] (256 bytes)
>> 09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
>> 09[IKE] no IKE config found for Linux...Windows, sending NO_PROPOSAL_CHOSEN
>> 09[ENC] generating INFORMATIONAL_V1 request 2032397121 [ N(NO_PROP) ]
>> 09[NET] sending packet: from Linux[500] to Windows[500] (40 bytes)
>> 05[NET] received packet: from Windows[500] to Linux[500] (256 bytes)
>> 05[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
>> 05[IKE] no IKE config found for Linux...Windows, sending NO_PROPOSAL_CHOSEN
>> 05[ENC] generating INFORMATIONAL_V1 request 1617066194 [ N(NO_PROP) ]
>> 05[NET] sending packet: from Linux[500] to Windows[500] (40 bytes)
>> 11[NET] received packet: from Windows[500] to Linux[500] (256 bytes)
>> 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
>> 11[IKE] no IKE config found for Linux...Windows, sending NO_PROPOSAL_CHOSEN
>> 11[ENC] generating INFORMATIONAL_V1 request 728440835 [ N(NO_PROP) ]
>> 11[NET] sending packet: from Linux[500] to Windows[500] (40 bytes)
>>
>>
>>
>> On Fri, May 20, 2022 at 9:43 AM IL Ka <kazakevichilya at gmail.com> wrote:
>>
>> What about Linux logs?
>>
>> Run ``swanctl --log`` on Linux and reinitiate connection.
>>
>> Which version of Windows btw?
>>
>>
>>
>> On Fri, May 20, 2022 at 4:16 PM Tyler Phillippe <tylerphillippe at gmail.com>
>> wrote:
>>
>> Hello all! I am attempting to connect a Linux machine to Windows via
>> Strongswan in a host-to-host configuration. I tested with Windows to
>> Windows using the built-in firewall and it connected instantly. I changed
>> the default Windows integrity and encryption ciphers and I think I changed
>> them in the Linux Strongswan configuration. However, I am not getting any
>> connection between the hosts and I can't find any logs on the Windows
>> machine to help me narrow down what the issue is. It definitely does not
>> work, since the SSH session on the Linux machine fails out. Below is the
>> swanctl.conf file on my Linux machine. And, I know it's not the most secure
>> method - I'm just trying to get it to initially connect with a PSK since
>> that's the simplest for now. Windows doesn't support modp3072
>> unfortunately, so I had to manually set the Linux config below to modp2048.
>> The Windows firewall is set to use AES-CBC 128, SHA-256, MODP2048 for key
>> exchange and ESP AES-CBC 128, SHA-256 for data protection. What am I doing
>> wrong? Thanks everyone!!
>>
>>
>>
>> connections {
>>     linuxHost {
>>         local_addrs = (Linux machine)
>>         remote_addrs = (Windows machine)
>>         proposals = aes128-sha256-modp2048
>>         local {
>>             auth = psk
>>         }
>>         remote {
>>             auth = psk
>>         }
>>         children {
>>             linuxHost {
>>                 esp_proposals = aes128-sha256-modp2048
>>                 mode = transport
>>             }
>>         }
>>         version = 2
>>         reauth_time = 10800
>>     }
>> }
>>
>> secrets {
>>     ike {
>>         secret = <psk>
>>     }
>> }
>>
>>
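An added triage helper, not part of the thread and not strongSwan's own tooling, that encodes the three mismatches the thread worked through: the IKE major version the peer actually speaks as read from `swanctl --log` (ID_PROT is IKEv1 Main Mode, IKE_SA_INIT is IKEv2), PSK being IKEv1-only on the Windows side, and a DH group left in `esp_proposals`. The log lines are a constructed sample in the shape quoted above, and the `swanctl.conf` values are passed in as plain arguments rather than parsed from the file.

```python
import re
from typing import List, Optional

# Constructed sample in the shape of the thread's "swanctl --log" output: the Windows
# peer opens an IKEv1 Main Mode (ID_PROT) exchange and Linux answers NO_PROPOSAL_CHOSEN.
SAMPLE_LOG = """\
09[NET] received packet: from Windows[500] to Linux[500] (256 bytes)
09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
09[IKE] no IKE config found for Linux...Windows, sending NO_PROPOSAL_CHOSEN
09[ENC] generating INFORMATIONAL_V1 request 2032397121 [ N(NO_PROP) ]
09[NET] sending packet: from Linux[500] to Windows[500] (40 bytes)
"""

# The exchange named in "parsed <EXCHANGE> request" reveals the peer's IKE major version:
# ID_PROT/AGGRESSIVE are IKEv1 Main/Aggressive Mode, IKE_SA_INIT is IKEv2.
EXCHANGE_VERSION = {"ID_PROT": 1, "AGGRESSIVE": 1, "IKE_SA_INIT": 2}
# strongSwan DH group tokens: modp2048, modp2048s256, ecp256, ecp256bp, curve25519, x25519, ...
DH_GROUP = re.compile(r"^(modp\d+(s\d+)?|ecp\d+(bp)?|curve\d+|x\d+)$")


def peer_ike_version(log: str) -> Optional[int]:
    """IKE major version the remote peer is speaking, or None if no exchange was parsed."""
    for line in log.splitlines():
        m = re.search(r"parsed (\w+) request", line)
        if m and m.group(1) in EXCHANGE_VERSION:
            return EXCHANGE_VERSION[m.group(1)]
    return None


def strip_dh(proposal: str) -> str:
    """Remove the DH group from one proposal, e.g. aes128-sha256-modp2048 -> aes128-sha256."""
    return "-".join(alg for alg in proposal.split("-") if not DH_GROUP.match(alg))


def triage(log: str, version: int, auth: str, esp_proposals: str) -> List[str]:
    """Check a connection's version/auth/esp_proposals against the log and the thread's findings."""
    findings = []
    peer = peer_ike_version(log)
    if peer is not None and peer != version:
        rejected = log.count("NO_PROPOSAL_CHOSEN")
        findings.append(f"peer speaks IKEv{peer} but swanctl.conf has version = {version} "
                        f"({rejected} x NO_PROPOSAL_CHOSEN sent); align the versions on one side")
    if auth == "psk" and version == 2:
        findings.append("auth = psk with version = 2: the thread found Windows PSK is IKEv1-only")
    for prop in esp_proposals.split(","):
        if strip_dh(prop) != prop:
            findings.append(f"esp_proposals '{prop}' carries a DH group Windows will not negotiate "
                            f"in ESP per the thread; use '{strip_dh(prop)}'")
    return findings
```

Running `triage(SAMPLE_LOG, 2, "psk", "aes128-sha256-modp2048")` reproduces all three findings from the first post's configuration; the final working configuration (version 1, `aes128-sha256`) yields none.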