[strongSwan] Strongswan Host-to-Host Connection Linux to Windows

IL Ka kazakevichilya at gmail.com
Sat May 21 03:38:20 CEST 2022


>
>
> Thanks all for the assistance; I got it figured out. PSK is only IKEv1, so
> I had to change the Linux config version to 1.
>
I'd prefer IKEv2 whenever possible, but you are right: It doesn't support
PSK on Windows. Use certificates instead.
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2
The only problem here is you need to add a certificate (or its CA) to the
"Trusted" store explicitly (unless you decide to use a certificate from a
well-known CA of course).

Certificates are more secure as a shared secret is a bad decision in any
case (I am against PSK for production except marginal cases like GRE+IPSec
in Mikrotik, and even there be sure to use long random string, not a
user-readable password)



> After that, I could see different errors with 'swanctl --log' stating the
> proposals didn't match.
>
You can increase logging to see proposals list Windows sends to you:
https://docs.strongswan.org/docs/5.9/config/logging.html
Not sure if it works for ``swanctl --log``, but it definitely works for any
other logging system (syslog, journal etc)



> Windows doesn't support Diffie-Hellman on ESP proposals, so I just had to
> remove that from the Linux config:
>
I am aware of the fact that Windows 7 doesn't support DH for CHILD_SA
(which I believe is only used for PFS), so you need to disable the DH group
(as you did).
It seems that Win10 still doesn't support it:(
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20220521/1beb7cf3/attachment.html>


More information about the Users mailing list