
List:       strongswan-users
Subject:    Re: [strongSwan] Strongswan Host-to-Host Connection Linux to Windows
From:       IL Ka <kazakevichilya () gmail ! com>
Date:       2022-05-21 1:38:20
Message-ID: CAHv=rM17ktHsytU+fzDbUp+OTDWRSfH9m3byudzZ7GksUEkQTA () mail ! gmail ! com

> Thanks all for the assistance; I got it figured out. PSK is only IKEv1, so
> I had to change the Linux config version to 1.

I'd prefer IKEv2 whenever possible, but you are right: it doesn't support
PSK on Windows. Use certificates instead.
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2
The only problem here is you need to add a certificate (or its CA) to the
"Trusted" store explicitly (unless you decide to use a certificate from a
well-known CA, of course).

Certificates are more secure, as a shared secret is a bad decision in any
case (I am against PSK for production except marginal cases like GRE+IPSec
in Mikrotik, and even there be sure to use a long random string, not a
user-readable password).

> After that, I could see different errors with 'swanctl --log' stating the
> proposals didn't match.

You can increase logging to see the proposal list Windows sends to you:
https://docs.strongswan.org/docs/5.9/config/logging.html
Not sure if it works for ``swanctl --log``, but it definitely works for any
other logging system (syslog, journal, etc.).

> Windows doesn't support Diffie-Hellman on ESP proposals, so I just had to
> remove that from the Linux config:

I am aware of the fact that Windows 7 doesn't support DH for CHILD_SA
(which I believe is only used for PFS), so you need to disable the DH group
(as you did).
It seems that Win10 still doesn't support it :(
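The three points in this reply (IKEv2 with certificate authentication instead of PSK, an ESP proposal without a DH group for the Windows peer, and raising the cfg log level so the peer's proposal list shows up), written out as one swanctl.conf connection plus a strongswan.conf logging excerpt. This is an added example, not configuration from the thread or the strongSwan project; the addresses, identities, certificate file names and algorithm choices are assumptions and must be matched to the Windows IPsec policy.

```conf
# /etc/swanctl/swanctl.conf (added example; addresses, ids, file names and
# algorithms are assumed placeholders, not values from the thread)
connections {
    win-host {
        version = 2                      # IKEv2 => certificates, not PSK
        local_addrs  = 192.0.2.10        # Linux host (assumed)
        remote_addrs = 192.0.2.20        # Windows host (assumed)
        # IKE_SA proposal: a DH group is required here and is fine for Windows
        proposals = aes256-sha256-modp2048
        local {
            auth  = pubkey
            certs = linux-host.pem       # placed in /etc/swanctl/x509/
            id    = linux-host.example   # must match the cert subject/SAN
        }
        remote {
            auth = pubkey
            id   = win-host.example      # identity in the Windows cert; its
                                         # CA goes in /etc/swanctl/x509ca/
        }
        children {
            host {
                # Host-to-host: no local_ts/remote_ts, so the CHILD_SA covers
                # only the two addresses above.
                # No DH group ("modpNNNN") in the ESP proposal: Windows does not
                # accept DH on CHILD_SA proposals, which also means no PFS.
                esp_proposals = aes256-sha256
                start_action  = trap     # establish on first matching packet
            }
        }
    }
}

# /etc/strongswan.conf (logging excerpt): cfg level 2 makes charon log the
# "received proposals" / "configured proposals" lines, so a "no matching
# proposal" error can be diagnosed against what the Windows side offered.
charon {
    filelog {
        charon {
            path = /var/log/charon.log
            time_format = %b %e %T
            default = 1
            cfg = 2
            ike = 2
        }
    }
}
```

After editing, `swanctl --load-all` reloads the connection and the received proposal list appears in /var/log/charon.log on the next negotiation attempt.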
