[strongSwan] Windows IKE and PFS settings

2020-01-14 Thread Victor Sudakov
Dear Colleagues, I'm setting up a transport mode IPSec connection between FreeBSD and Windows (10 and 2016). In the Windows IPSec GPO, there are two options (knobs) for PFS: 1. "Master key PFS" in IKE settings: http://admin.sibptus.ru/~vas/pfs_ike.jpg 2. "Use session key PFS" in ESP settings: h

Re: [strongSwan] IKEv2 and MacOS roadwarrior

2020-01-14 Thread Tobias Brunner
Hi, > How can I change leftid for strongswan? It always CN=123.123.123.123 no > matter what I configure in ipsec.conf, even leftid=%any doesn't work. You need to include that IP address (or alternatively a hostname) as subjectAltName extension in the certificate. Regards, Tobias

Re: [strongSwan] IPtables settings

2020-01-14 Thread Felipe Arturo Polanco
Those settings look good, please send this output: $ sysctl -a | grep -e "forwarding" On Tue, Jan 14, 2020 at 4:08 AM cristi...@newro.co wrote: > Hi. > > Please, can anyone give some advice? > > Thank you! > On 1/13/20 4:41 PM, cristi...@newro.co wrote: > > /etc/ipsec.conf > > # basic configur

Re: [strongSwan] IKEv2 and MacOS roadwarrior

2020-01-14 Thread korsar...@gmail.com
How can I change leftid for strongswan? It always CN=123.123.123.123 no matter what I configure in ipsec.conf, even leftid=%any doesn't work. swanctl -L: IKEv2-tunnel: IKEv2, no reauthentication, no rekeying, dpd delay 30s local: 123.123.123.123 remote: %any local public key authenticat

Re: [strongSwan] IKEv2 and MacOS roadwarrior

2020-01-14 Thread Tobias Brunner
Hi, > When I'm trying to connect from MacOS 10.15 I get an error: Apparently, it's still not possible to use DNs as identities with Apple clients, see [1]. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile#Known-Issues

Re: [strongSwan] IKEv2 and MacOS roadwarrior

2020-01-14 Thread korsar...@gmail.com
Sorry, wrong IP, log says charon: 06[CFG] looking for peer configs matching 123.123.123.123[CN=123.123.123.123]...192.168.0.232[192.168.0.232] charon: 06[CFG] no matching peer config found korsar...@gmail.com wrote in their message of Tue, 14 Jan 2020 16:55:34 +0200: Hi, my strongswan conf

[strongSwan] IKEv2 and MacOS roadwarrior

2020-01-14 Thread korsar...@gmail.com
Hi, my strongswan config leftid="CN=123.123.123.123" leftauth=pubkey leftcert=123.123.123.123.crt leftsendcert=always right=%any rightid=%any rightauth=eap-radius eap_identity=%any rightdns=8.8.8.8,8.8.4.4 rightsourceip=10.71.0.0/16 rightsendcert=never type=tunnel When I'

Re: [strongSwan] IPtables settings

2020-01-14 Thread cristi...@newro.co
Hi. Please, can anyone give some advice? Thank you! On 1/13/20 4:41 PM, cristi...@newro.co wrote: /etc/ipsec.conf # basic configuration config setup     charondebug="all"     uniqueids=yes     strictcrlpolicy=no # connection 1 conn site1-to-site2   authby=secret   left=%default