Hi Paul, Thanks for the quick response.
> On Fri, 18 Jun 2021, Mason Wardle wrote: > > > If it's any help, here is the configuration of strongswan that allows > Windows connection without registry modification. Based on > > these settings, I tried playing around with "encapsulation", > "nat-ikev1-method", "fragmentation", and "compress" settings: > > Are you sure that is what is happening? The windows registry setting is > all about windows allowing encapsulation even if detected it was not > behind a NAT. That's nothing really different on the server. > > The registry change is really the only thing I modified. My VPN configuration was saved and I just selected it and clicked "Connect". On the server side, I just verified my current ipsec.conf settings and they still match what I posted and I retested. I couldn't connect without the registry mod but I could with the mod. > > ipsec.conf: > > > forceencaps=no > > Right, it does need to force encaps, because the server is behind NAT, so > both > ends will detect it and use proper encapsulation. This is also the > libreswan default. > > I did a quick test without the registry mod but deleting "encapsulation=yes" to let libreswan do the default. No change in results. I'm confused why strongswan and libreswan would act differently. I > suspect there might be a difference in your testing parameters, or > the windows registry did/didnt (un)do properly ? > > I'm a little greener here so I am not sure of the mapping from strongswan to libreswan configuration parameters but from what I can tell, all the important pieces are configured the same. -Mason
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
