On Thu, 29 Feb 2024, Marc via Swan wrote:
Where can I find a working and tested config that offers VPN connectivity
with the OS default clients of Android, win10, win11, macOS and iOS? (Maybe
put this on some wiki/example page.)
Not sure there is one, as the variations in systems are almost infinite.
Who cares about infinite variations? Just pick the most common.
That changes every Mac and Windows and Android release :P
This is probably one that should support most:
ike=aes256-sha2_256;modp2048,aes128-sha2_256;modp2048
esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2_256,aes128-sha2_256,aes128-sha1
If you need old old Windows stuff you might need to also allow modp1024
(which likely requires manually recompiling libreswan, because we disable
it by default because it is too weak):
ike=aes256-sha2_256;modp2048,aes128-sha2_256;modp2048,aes256-sha2;modp1024,aes128-sha1;modp1024
If this were my project I would at least offer a turnkey solution for what I
assume is the most common application of a VPN server with different clients,
and check such solutions every period/year to see if they are still valid. You all
have the expertise to find a common denominator for such a setup much quicker
than some rookie user. Even knowing up front whether or not such a
heterogeneous environment is possible would already save a lot of time.
Since usually this means running things that are 10+ years old, that is
really hard to sustain for a small group of developers. We do provide
the basic common deployment configurations at:
https://libreswan.org/wiki/Configuration_examples
And we have 1218 test cases with configuration examples in git:
https://github.com/libreswan/libreswan/tree/main/testing/pluto
Usually the test names there tell you kind of what the test is about.
Is it really so weird to expect to find here a (roadwarrior) solution that fits
the most common clients, while keeping the setup on those clients as close to
default as possible?
See above. You seem to think your case is broad and simple, but there
are another 100 people with different networks, clients, OSes, servers,
firewalls, and oddnesses. It would be a full FTE to work on fancy
updated examples for the most common use cases.
Note also that basically no one comes back to us to tell us that they
got things working, let alone share configurations and screenshots of
their working solutions. We are happy to receive these or give you wiki
access once you have it working. But more likely, once you have it
working, you won't send another email here.
Anyway, documentation, wiki edits or financial contributions to support
libreswan are always appreciated.
I have attached the ipsec.conf of vpn.nohats.ca that works with some
Windows, Mac, iPhone and Android clients.
Paul
ps. note that aiming your frustrations at opensource developers is
never a good idea. Neither is telling us what you expect us to do
without paying us for our time and effort while getting the software
and some mailing list support for free.

conn vpn4
    # IPv4 listener; all other settings come from vpn-base
    left=193.110.157.148
    also=vpn-base

conn vpn6
    # IPv6 listener
    left=2a03:6000:1004:1::148
    also=vpn-base

conn vpn-base
    # certificate (RSA) authentication, IKEv2 only
    authby=rsa-sha2,rsa-sha1
    ikev2=insist
    # support Apple and Windows
    #ike=aes256-sha2_256;modp2048,aes128-sha2_256;modp2048,aes256-sha2;modp1024,aes128-sha1;modp1024
    #esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2_256,aes128-sha2_256,aes128-sha1
    # regular up to date clients
    ike=aes256-sha2_256;modp2048,aes128-sha2_256;modp2048
    # load the conn at startup but never initiate; clients initiate and rekey
    auto=add
    rekey=no
    # our certificate and identity, always sent to the client
    leftcert=vpn.nohats.ca
    leftsendcert=always
    leftid=@vpn.nohats.ca
    # v4+v6 requires libreswan 5.x
    # leftsubnet=0.0.0.0/0,::/0
    # rightaddresspool=100.64.13.0/24,2a03:6000:1005::/97
    #
    # full tunnel for IPv4; clients get an address from this pool
    leftsubnet=0.0.0.0/0
    rightaddresspool=100.64.13.0/24
    # clients from anywhere; ID taken from the client cert, which must be
    # issued by the same CA as our own cert
    right=%any
    rightid=%fromcert
    rightca=%same
    # address of your internal DNS server
    modecfgdns="193.110.157.123"
    modecfgdomains="nohats.ca,libreswan.org"
    modecfgpull=yes
    mobike=yes
    salifetime=16h
    ikelifetime=24h
    narrowing=yes
    require-id-on-certificate=no
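To make the difference between the "support Apple and Windows" proposal lines and the "regular up to date clients" line concrete, here is an added example (written for this page, not code from the thread or from libreswan) that parses the ike=/esp= proposal syntax used above and flags the proposals a hardened server would drop. The syntax it assumes is the one visible in the lines above (comma between proposals, '-' between encryption and integrity, ';' before the DH group, '+' for alternatives inside a component); treating a third '-' component as an IKEv2 PRF, and listing sha1/md5/3des alongside modp1024 as weak, are this example's own assumptions, not statements from the thread.

```python
"""Parse and audit libreswan ike=/esp= proposal strings.

Added example, not libreswan code. Assumed syntax (matches the thread):
proposals are comma-separated; within a proposal the encryption and
integrity components are joined by '-', an optional DH group follows ';',
and '+' lists alternatives within one component (e.g. aes256+aes128).
"""
from dataclasses import dataclass

# modp1024 is the group the thread says libreswan disables as too weak.
# sha1, md5 and 3des are an assumption of common hardening policy,
# not something the thread states.
WEAK = {"modp1024", "sha1", "md5", "3des"}


@dataclass
class Proposal:
    text: str          # the proposal exactly as written in the config
    encryption: list   # e.g. ["aes256"]
    integrity: list    # e.g. ["sha2_256"]; ["null"] for AEAD ciphers like aes_gcm
    prf: list          # optional third component on IKEv2 lines (assumption)
    dh: list           # e.g. ["modp2048"]; [] when an esp= line omits a PFS group

    def weak_parts(self):
        """Sorted list of weak algorithms this proposal contains."""
        parts = self.encryption + self.integrity + self.prf + self.dh
        return sorted(WEAK & set(parts))


def parse_proposals(line):
    """Split a libreswan proposal string into Proposal objects."""
    proposals = []
    for raw in line.split(","):
        raw = raw.strip()
        if not raw:
            continue
        alg_part, _, dh_part = raw.partition(";")
        comps = alg_part.split("-")
        encryption = comps[0].split("+")
        integrity = comps[1].split("+") if len(comps) > 1 else []
        prf = comps[2].split("+") if len(comps) > 2 else []
        dh = dh_part.split("+") if dh_part else []
        proposals.append(Proposal(raw, encryption, integrity, prf, dh))
    return proposals


def audit(line):
    """Return (proposal_text, [weak algorithms]) for each weak proposal."""
    return [(p.text, p.weak_parts())
            for p in parse_proposals(line) if p.weak_parts()]


def strip_weak(line):
    """Return the proposal string with every weak proposal removed."""
    return ",".join(p.text for p in parse_proposals(line)
                    if not p.weak_parts())


if __name__ == "__main__":
    # Constructed input: the ike= line given above for old Windows clients.
    legacy_ike = ("aes256-sha2_256;modp2048,aes128-sha2_256;modp2048,"
                  "aes256-sha2;modp1024,aes128-sha1;modp1024")
    for text, weak in audit(legacy_ike):
        print(f"weak proposal: {text} ({', '.join(weak)})")
    print("hardened ike=" + strip_weak(legacy_ike))
```

Run against the legacy ike= line, strip_weak() returns exactly the "regular up to date clients" line from the config, and audit() on the commented-out esp= line reports only its trailing aes128-sha1 proposal, which is the one to drop once no client still needs it.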
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan