On 1/5/2022 5:34 PM, Paul Wouters wrote:

On Tue, 4 Jan 2022, Mirsad Goran Todorovac wrote:

esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024

line I've found in options doesn't work well with libreswan 4.5 I'm using. Perhaps someone should update the cookbooks on the libreswan.org site?

I've updated the wiki page to no longer suggest the modp1024 old stuff
that is no longer supported per default.

Hi, Paul, that's awesome :-)

I have also removed the requirement for manual DNS configuration in the Android client setup. Now it is sufficient to import the client cert and set it as both the "IPSec user certificate" and "IPSec CA certificate". If it doesn't seem obvious, I came across this setup by experimenting.

The culprit was the VPN gateway chosen as one of the DNS servers. The configuration works better if something other than the gateway is chosen as the server for DNS. (In our case, 10.0.0.101 for local addresses, and 8.8.8.8 as the secondary, so the people could see their DHCP-assigned machine IP addresses and FQDN hostnames when they attempt to connect via VPN to their work computers as road warriors.)

Perhaps I could write a tutorial on Android setup for libreswan if I find the time? It seems pretty straightforward now that it's done ...

I think you could remove the requirement for strongswan for the Android client setup in the manual page https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2, as the native client appears to work OK. (Just `authby=rsa-sha1` may be added, for I understood neither the native client nor the strongswan worked without it. Haven't tried the latter.)

Mirsad

--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
