P.S.
If I am allowed, I could also assert that I have been positively
surprised by the positive change in speed with IKEv2 VPN: while IKEv1
L2TP over IPSec scored about 50 Mbps download on our server, the IKEv2
showed 138 Mbps in the Ookla speedtest benchmark :), over the Faculty's 1
Gbps link and my 150 Mbps home connection.
This is definitely usable, I can watch Internet TV without glitches,
save for the fact that the IKEv2 connection would "die" and had to be
restarted. But it is now OK, thanks to the ms-dh-downgrade hack. I would
be happier if I didn't have to downgrade security for the link, but a
connection that would break after 15 minutes was useless for the
accounting programs.
Now I am thoroughly testing before entering production.
Kind regards,
Mirsad
On 1/5/2022 5:47 PM, Mirsad Goran Todorovac wrote:
On 1/5/2022 5:34 PM, Paul Wouters wrote:
On Tue, 4 Jan 2022, Mirsad Goran Todorovac wrote:
esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
line I've found in the options doesn't work well with the libreswan 4.5 I'm
using. Perhaps someone should update the cookbooks on the
libreswan.org site?
I've updated the wiki page to no longer suggest the modp1024 old stuff
that is no longer supported per default.
Hi, Paul, that's awesome :-)
I have also removed the requirement for manual DNS configuration in
the Android client setup. Now it is sufficient to import the client
cert and set it as both the "IPSec user certificate" and "IPSec CA
certificate". If it doesn't seem obvious, I came across this setup by
experimenting.
The culprit was the VPN gateway chosen as one of the DNS servers. The
configuration works better if something other than gateway is chosen
as server for DNS. (In our case, 10.0.0.101 for local addresses, and
8.8.8.8 as the secondary, so the people could see their DHCP assigned
machine IP addresses and FQDN hostnames when they attempt to connect
via VPN to their work computers as the road warriors.)
Perhaps I could write a tutorial on Android setup for libreswan if I
find the time? It seems pretty straightforward now that it's done ...
I think you could remove the requirement for strongswan for Android
client setup in the manual page
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 ,
as the native client appears to work OK. (Just `authby=rsa-sha1` may
be added, for I understood neither the native client nor
strongswan worked without it. Haven't tried the latter.)
Mirsad
--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
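As an added example (not code from this thread or from the libreswan project), here is a small Python checker that parses a libreswan esp=/ike= proposal string such as the one quoted above and reports the components a config review should question, such as the trailing modp1024 group that libreswan 4.x no longer enables by default. The hyphenated DH form and the legacy sets beyond modp1024 (modp1536, SHA-1, MD5, 3DES) are assumptions of this example, not something the thread states.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Components a config review should flag; modp1024 is the one from the thread.
LEGACY_DH = {"modp1024", "modp1536"}
LEGACY_INTEG = {"sha1", "md5"}
LEGACY_ENCR = {"3des", "null"}
AEAD_PREFIXES = ("aes_gcm", "aes_ccm", "chacha20_poly1305")

@dataclass
class Proposal:
    encr: str
    integ: Optional[str]   # None when only the cipher was listed
    dh: Optional[str]      # None when the proposal names no DH group

def parse_proposals(line: str) -> List[Proposal]:
    """Split 'encr-integ;dh,encr-integ' into Proposal objects (a leading
    'esp=' is tolerated; a trailing '-modpNNNN' is assumed to be DH too)."""
    if "=" in line:
        line = line.split("=", 1)[1]
    out = []
    for item in filter(None, (p.strip() for p in line.split(","))):
        dh = None
        if ";" in item:                      # libreswan's 'proposal;dh' form
            item, dh = item.split(";", 1)
        parts = item.split("-")
        if len(parts) > 1 and parts[-1].startswith(("modp", "dh", "ecp")):
            dh = parts.pop()
        out.append(Proposal(parts[0], parts[1] if len(parts) > 1 else None, dh))
    return out

def find_weak(line: str) -> List[Tuple[int, str]]:
    """Return (1-based proposal index, reason) for each questionable component."""
    findings = []
    for i, p in enumerate(parse_proposals(line), 1):
        if p.encr in LEGACY_ENCR:
            findings.append((i, f"legacy cipher {p.encr}"))
        # 'null' integrity is only acceptable with an AEAD cipher such as aes_gcm
        if p.integ == "null" and not p.encr.startswith(AEAD_PREFIXES):
            findings.append((i, "no integrity protection with non-AEAD cipher"))
        if p.integ in LEGACY_INTEG:
            findings.append((i, f"legacy integrity {p.integ}"))
        if p.dh in LEGACY_DH:
            findings.append((i, f"legacy DH group {p.dh}"))
    return findings

# The esp= line quoted in the thread, and a trimmed line (constructed here)
# with the SHA-1 proposals and the modp1024 proposal removed.
THREAD_ESP = ("esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,"
              "aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024")
CLEAN_ESP = "esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512"
```

Run against the thread's line, find_weak reports SHA-1 integrity on proposals 5 and 6 and modp1024 on proposal 7, while the trimmed line yields no findings.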
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan