[prev in list] [next in list] [prev in thread] [next in thread]
List: strongswan-users
Subject: Re: [strongSwan] Strongswan Host-to-Host Connection Linux to Windows
From: IL Ka <kazakevichilya () gmail ! com>
Date: 2022-05-21 1:38:20
Message-ID: CAHv=rM17ktHsytU+fzDbUp+OTDWRSfH9m3byudzZ7GksUEkQTA () mail ! gmail ! com
[Download RAW message or body]
>
>
> Thanks all for the assistance; I got it figured out. PSK is only IKEv1, so
> I had to change the Linux config version to 1.
>
I'd prefer IKEv2 whenever possible, but you are right: It doesn't support
PSK on Windows. Use certificates instead.
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2
The only problem here is you need to add a certificate (or its CA) to the
"Trusted" store explicitly (unless you decide to use a certificate from a
well-known CA of course).
Certificates are more secure as a shared secret is a bad decision in any
case (I am against PSK for production except marginal cases like GRE+IPSec
in Mikrotik, and even there be sure to use long random string, not a
user-readable password)
> After that, I could see different errors with 'swanctl --log' stating the
> proposals didn't match.
>
You can increase logging to see proposals list Windows sends to you:
https://docs.strongswan.org/docs/5.9/config/logging.html
Not sure if it works for ``swanctl --log``, but it definitely works for any
other logging system (syslog, journal etc)
> Windows doesn't support Diffie-Hellman on ESP proposals, so I just had to
> remove that from the Linux config:
>
I am aware of the fact that Windows 7 doesn't support DH for CHILD_SA
(which I believe is only used for PFS), so you need to disable the DH group
(as you did).
It seems that Win10 still doesn't support it:(
[Attachment #3 (text/html)]
<div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" \
style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex"><div dir="ltr"><br>Thanks all for the assistance; \
I got it figured out. PSK is only IKEv1, so I had to change the Linux config version \
to 1.</div></blockquote><div>I'd prefer IKEv2 whenever possible, but you are \
right: It doesn't support PSK on Windows. Use certificates instead.</div><div><a \
href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-fire \
wall/securing-end-to-end-ipsec-connections-by-using-ikev2">https://docs.microsoft.com/ \
en-us/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2<br></a></div><div>The \
only problem here is you need to add a certificate (or its CA) to the \
"Trusted" store explicitly (unless you decide to use a certificate from a \
well-known CA of course).</div><div><br></div><div>Certificates are more secure as a \
shared secret is a bad decision in any case (I am against PSK for production except \
marginal cases like GRE+IPSec in Mikrotik, and even there be sure to use long random \
string, not a user-readable password)</div><div><br></div><div> </div><blockquote \
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div> After that, I could see \
different errors with 'swanctl --log' stating the proposals didn't match. \
</div></div></blockquote><div>You can increase logging to see proposals list Windows \
sends to you:</div><div><a \
href="https://docs.strongswan.org/docs/5.9/config/logging.html">https://docs.strongswan.org/docs/5.9/config/logging.html<br></a></div><div>Not \
sure if it works for ``swanctl --log``, but it definitely works for any other \
logging system (syslog, journal etc)</div><div><br></div><div> </div><blockquote \
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Windows doesn't support \
Diffie-Hellman on ESP proposals, so I just had to remove that from the Linux \
config:</div></div></blockquote><div>I am aware of the fact that Windows 7 \
doesn't support DH for CHILD_SA (which I believe is only used for PFS), so you \
need to disable the DH group (as you did). </div><div>It seems that Win10 still \
doesn't support it:(</div><div><br></div><blockquote class="gmail_quote" \
style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex"><div class="gmail_quote"><blockquote \
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div><div><blockquote \
style="border-color:currentcolor currentcolor currentcolor \
rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium \
1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><blockquote \
style="border-color:currentcolor currentcolor currentcolor \
rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium \
1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div> </div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote></div>
</blockquote></div></div>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic