Dear Colleagues,
I'm setting up a transport mode IPSec connection between FreeBSD and
Windows (10 and 2016). In the Windows IPSec GPO, there are two options
(knobs) for PFS:
1. "Master key PFS" in IKE settings: http://admin.sibptus.ru/~vas/pfs_ike.jpg
2. "Use session key PFS" in ESP settings:
h
Hi,
> How can I change leftid for strongswan? It is always CN=123.123.123.123 no
> matter what I configure in ipsec.conf, even leftid=%any doesn't work.
You need to include that IP address (or alternatively a hostname) as
subjectAltName extension in the certificate.
Regards,
Tobias
Those settings look good, please send this output:
$ sysctl -a | grep -e "forwarding"
On Tue, Jan 14, 2020 at 4:08 AM cristi...@newro.co
wrote:
> Hi.
>
> Please, can anyone give some advice?
>
> Thank you!
> On 1/13/20 4:41 PM, cristi...@newro.co wrote:
>
> /etc/ipsec.conf
>
> # basic configur
How can I change leftid for strongswan? It is always CN=123.123.123.123 no
matter what I configure in ipsec.conf, even leftid=%any doesn't work.
swanctl -L:
IKEv2-tunnel: IKEv2, no reauthentication, no rekeying, dpd delay 30s
local: 123.123.123.123
remote: %any
local public key authenticat
Hi,
> When I'm trying to connect from MacOS 10.15 I get an error:
Apparently, it's still not possible to use DNs as identities with Apple
clients, see [1].
Regards,
Tobias
[1]
https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile#Known-Issues
Sorry, wrong IP, log says
charon: 06[CFG] looking for peer configs matching
123.123.123.123[CN=123.123.123.123]...192.168.0.232[192.168.0.232]
charon: 06[CFG] no matching peer config found
korsar...@gmail.com wrote in their message of Tue, 14
Jan 2020 16:55:34 +0200:
Hi,
my strongswan conf
Hi,
my strongswan config
leftid="CN=123.123.123.123"
leftauth=pubkey
leftcert=123.123.123.123.crt
leftsendcert=always
right=%any
rightid=%any
rightauth=eap-radius
eap_identity=%any
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.71.0.0/16
rightsendcert=never
type=tunnel
When I'
Hi.
Please, can anyone give some advice?
Thank you!
On 1/13/20 4:41 PM, cristi...@newro.co wrote:
/etc/ipsec.conf
# basic configuration
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
# connection 1
conn site1-to-site2
    authby=secret
    left=%default