[strongSwan] Strongswan Host-to-Host Connection Linux to Windows

IL Ka kazakevichilya at gmail.com
Sat May 21 03:38:20 CEST 2022

> Thanks all for the assistance; I got it figured out. PSK is only IKEv1, so
> I had to change the Linux config version to 1.
I'd prefer IKEv2 whenever possible, but you are right: It doesn't support
PSK on Windows. Use certificates instead.
The only problem here is you need to add a certificate (or its CA) to the
"Trusted" store explicitly (unless you decide to use a certificate from a
well-known CA of course).

Certificates are more secure as a shared secret is a bad decision in any
case (I am against PSK for production except marginal cases like GRE+IPSec
in Mikrotik, and even there be sure to use a long random string, not a
user-readable password).

> After that, I could see different errors with 'swanctl --log' stating the
> proposals didn't match.
You can increase logging to see the proposal list Windows sends you:
Not sure if it works for ``swanctl --log``, but it definitely works for any
other logging system (syslog, journal, etc.)

> Windows doesn't support Diffie-Hellman on ESP proposals, so I just had to
> remove that from the Linux config:
I am aware of the fact that Windows 7 doesn't support DH for CHILD_SA
(which I believe is only used for PFS), so you need to disable the DH group
(as you did).
It seems that Win10 still doesn't support it :(
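Added example, not part of the thread: a swanctl.conf connection that puts the advice above into one place, IKEv2 with certificate authentication instead of PSK, a DH group kept on the IKE_SA proposal, and an ESP proposal with no DH group because the Windows peer will not negotiate PFS on the CHILD_SA. Addresses, identities and certificate file names are placeholders.

```conf
# Added example (not from the thread). Assumes the Linux host's certificate
# is in /etc/swanctl/x509/, its private key in /etc/swanctl/private/, and the
# CA certificate in /etc/swanctl/x509ca/. The same CA (or the peer certificate)
# must be imported into the Windows "Trusted" store, as noted above.
connections {
    win-host {
        version = 2                  # IKEv2; PSK with Windows would force version = 1
        local_addrs  = 192.0.2.10    # placeholder Linux address
        remote_addrs = 192.0.2.20    # placeholder Windows address

        # IKE_SA proposal keeps a DH group: the IKE key exchange needs one
        proposals = aes256-sha256-modp2048

        local {
            auth = pubkey
            certs = linuxHost.pem    # placeholder file in /etc/swanctl/x509/
            id = "CN=linux.example.net"     # placeholder identity
        }
        remote {
            auth = pubkey
            id = "CN=windows.example.net"   # placeholder identity
        }

        children {
            host-to-host {
                mode = transport     # host-to-host, no traffic selectors needed
                # No DH group on the ESP proposal: Windows rejects PFS on CHILD_SAs,
                # so aes256-sha256-modp2048 here would produce "no proposal chosen"
                esp_proposals = aes256-sha256
                start_action = trap  # install policies, negotiate on first packet
            }
        }
    }
}
```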