strongswan: working ipsec.conf?

John Connett

New Member
Does anyone have a strongswan ipsec.conf file that works with Perfect Privacy that they are willing to share?

My longer term aim is to use strongswan on an OpenWrt router. As an intermediate step I am trying to use strongswan from behind that router. I already have Windows 10 Enterprise systems using VPN Manager with IPsec running successfully behind that router.

I have used the ipsec.conf for carol from the strongswan "Test ikev2/rw-eap-mschapv2-id-rsa" as a starting point and am attempting to use this:
Code:
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn perfect-privacy
    left=192.168.1.23
    leftfirewall=yes
    leftauth=eap
    eap_identity=carol
    right=london.perfect-privacy.com
    rightauth=pubkey
    rightid="C=CH, ST=Zug, O=Perfect Privacy, CN=Server_london.perfect-privacy.com"
    rightsubnet=%any
    auto=add
Note that I have substituted "carol" with my actual Perfect Privacy username and used that and my password in /etc/ipsec.secrets. I also changed "left" to the IPv4 address of the particular Linux system.

I have tried this with two different Linux systems:

  1. Ubuntu 16.10 (Yakkety Yak) / strongswan 5.3.5-1
  2. openSUSE Tumbleweed (VERSION="20161226") / strongswan 5.3.5-1.1
Both fail with "IKE_AUTH response 1 [ N(AUTH_FAILED) ]" ...

Any suggestions as to what I am doing wrong?
 

John Connett

New Member
Had a look with Microsoft Message Analyzer at the traffic for a working Windows 10 Enterprise connection. The connection was established with:
  1. Encryption Algorithm - ENCR_AES_CBC (256 bits)
  2. Integrity Algorithm - AUTH_HMAC_SHA2_256_128
  3. Pseudorandom Function - PRF_HMAC_SHA2_256
  4. Diffie-Hellman Group - 1024-bit MODP Group
Added this to /etc/ipsec.conf to make this the only proposal:
Code:
    ike=aes256-sha256-prfsha256-modp1024!
    esp=aes256-sha256-prfsha256-modp1024!
Still fails with "IKE_AUTH response 1 [ N(AUTH_FAILED) ]" ...
 

John Connett

New Member
This /etc/ipsec.conf file mostly works:
Code:
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn perfect-privacy
    ike=aes256-sha256-prfsha256-modp1024!
    esp=aes256-sha256-esn-noesn!
    left=%any
    leftsourceip=%config
    leftauth=eap
    eap_identity=carol
    right=london.perfect-privacy.com
    rightauth=pubkey
    rightsubnet=0.0.0.0/0,::/0
    auto=add
Using it to access https://www.perfect-privacy.com/check-ip/ gives similar results to VPN Manager on Windows 10 Enterprise, except for "You do not seem to have IPv6 connectivity."

This configuration can probably be improved! Constructive criticism would be much appreciated, especially if you have more experience with strongswan.

It would also be useful to know details of the VPN configuration used by VPN Manager on Windows. I found some details using the Get-VpnConnection PowerShell cmdlet:
Code:
PS C:\> Get-VpnConnection -Name "Perfect Privacy VPN" -AllUserConnection

Name                  : Perfect Privacy VPN
ServerAddress         : 82.199.130.34
AllUserConnection     : True
Guid                  : {11111111-2222-3333-4444-555555555555}
TunnelType            : Ikev2
AuthenticationMethod  : {Eap}
EncryptionLevel       : Maximum
L2tpIPsecAuth         :
UseWinlogonCredential : False
EapConfigXmlStream    : #document
ConnectionStatus      : Disconnected
RememberCredential    : False
SplitTunneling        : False
DnsSuffix             :
IdleDisconnectSeconds : 86400

PS C:\>
However, I haven't yet found a way to find the rest of the details.
 

John Connett

New Member
Latest version. This appears to work for IPv6 as well.
Code:
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
    # IKE SA lifetime, CHILD SA lifetime, and how long before expiry to rekey
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn perfect-privacy
    # IKE proposal matching the one seen in the Windows 10 capture;
    # the trailing '!' makes it the only proposal offered
    ike=aes256-sha256-prfsha256-modp1024!
    # ESP proposal, offering both extended and normal sequence numbers
    esp=aes256-sha256-esn-noesn!
    # local side: any local address, with virtual IPv4 and IPv6 addresses
    # requested from the server
    left=%any
    leftsourceip=%config4,%config6
    # authenticate to the server with EAP (username/password in ipsec.secrets)
    leftauth=eap
    eap_identity=carol
    # the server authenticates with its certificate
    right=london.perfect-privacy.com
    rightauth=pubkey
    # full tunnel: all IPv4 and IPv6 traffic goes through the VPN
    rightsubnet=0.0.0.0/0,::/0
    auto=add
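Added example, not part of the thread and not strongSwan's own tooling: a small Python linter for the ike=/esp= proposal strings in an ipsec.conf. It reads the conn sections (merging conn %default the way strongSwan does), flags primitives a new deployment should not accept (the 1024-bit MODP group the Windows client negotiated above, SHA-1, MD5, 3DES), points out the PRF token that the esp= line in the second post carried (PRFs are an IKE-only algorithm class), warns when the trailing ! is missing (strongSwan then appends its built-in default proposals), and builds an ike= string that offers stronger DH groups ahead of the original one, keeping the original as a fallback the responder can still choose. The embedded sample is the proposal lines from the final config posted above; the groups ecp256 and modp2048 are assumed choices, and nothing in this thread shows whether the Perfect Privacy server accepts them.

```python
"""Lint ike=/esp= proposals in a strongSwan ipsec.conf (added example, not strongSwan tooling)."""
import re

# Constructed sample: the proposal lines from the final config in the thread, plus context keys.
SAMPLE_IPSEC_CONF = """\
config setup
conn %default
    keyexchange=ikev2
conn perfect-privacy
    ike=aes256-sha256-prfsha256-modp1024!
    esp=aes256-sha256-esn-noesn!
    right=london.perfect-privacy.com
    rightauth=pubkey
    rightsubnet=0.0.0.0/0,::/0
"""

# Primitives a new deployment should not accept, keyed by token base name.
WEAK = {"modp768": "768-bit DH", "modp1024": "1024-bit DH", "modp1536": "1536-bit DH",
        "md5": "MD5 integrity", "sha1": "SHA-1 integrity", "3des": "3DES", "des": "DES",
        "null": "NULL cipher", "blowfish": "Blowfish", "cast128": "CAST-128"}

DH_RE = re.compile(r"^(modp|ecp|curve|x25519|x448)")
CLASS_RE = [  # order matters: 'prf...' before 'sha...', 'aesxcbc' before plain 'aes'
    ("prf", re.compile(r"^prf")), ("dh", DH_RE), ("esn", re.compile(r"^(esn|noesn)$")),
    ("integ", re.compile(r"^(sha|md5|aesxcbc|aescmac)")),
    ("enc", re.compile(r"^(aes|3des|des|camellia|chacha20poly1305|null|blowfish|cast128)")),
]

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}; 'config' and 'ca' sections are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header such as 'conn NAME'
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    return sections

def effective(sections, name):
    return {**sections.get("%default", {}), **sections[name]}  # %default merged under the conn

def parse_proposals(spec):
    """'aes256-sha256-modp1024!' -> (strict, [{class: [tokens]}, ...])."""
    props = []
    for prop in spec.rstrip("!").split(","):
        classes = {}
        for tok in (t.strip().lower() for t in prop.split("-")):
            cls = next((c for c, rx in CLASS_RE if rx.match(tok)), "unknown")
            classes.setdefault(cls, []).append(tok)
        props.append(classes)
    return spec.endswith("!"), props

def lint_proposal_line(kind, spec):
    """Findings for one ike= or esp= value; kind is 'ike' or 'esp'."""
    strict, props = parse_proposals(spec)
    findings = [] if strict else [f"{kind}: no trailing '!', strongSwan appends its built-in defaults"]
    for i, p in enumerate(props, 1):
        for tok in (t for toks in p.values() for t in toks):
            base = tok.split("_")[0]
            if base in WEAK:
                findings.append(f"{kind} proposal {i}: {tok} ({WEAK[base]})")
        if "unknown" in p:
            findings.append(f"{kind} proposal {i}: unrecognised token(s) {p['unknown']}")
        if kind == "esp" and "prf" in p:  # PRFs are an IKE-only algorithm class
            findings.append(f"{kind} proposal {i}: PRF {p['prf']} has no meaning in ESP")
    return findings

def lint_conn(settings):
    """Lint the effective ike= and esp= of one conn."""
    return [f for kind in ("ike", "esp")
            for f in (lint_proposal_line(kind, settings[kind]) if kind in settings
                      else [f"{kind}: not set, built-in defaults apply"])]

def prefer_stronger_dh(spec, groups=("ecp256", "modp2048")):
    """Put copies of each proposal with stronger DH groups (assumed choices) ahead of
    the originals, which stay as the fallback the responder may still pick."""
    originals = spec.rstrip("!").split(",")
    out = []
    for prop in originals:
        toks = prop.split("-")
        dh_at = next((i for i, t in enumerate(toks) if DH_RE.match(t)), len(toks))
        for g in groups:
            cand = "-".join(toks[:dh_at] + [g] + toks[dh_at + 1:])
            if cand not in out:
                out.append(cand)
    out += [p for p in originals if p not in out]
    return ",".join(out) + ("!" if spec.endswith("!") else "")

if __name__ == "__main__":
    conns = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    for name in (n for n in conns if n != "%default"):
        cfg = effective(conns, name)
        for finding in lint_conn(cfg):
            print(f"{name}: {finding}")
        if "ike" in cfg:
            print(f"{name}: consider ike={prefer_stronger_dh(cfg['ike'])}")
```

Pass the contents of the real /etc/ipsec.conf to parse_ipsec_conf to lint a live config. The responder, not the initiator, picks the proposal, so after changing ike= check what was actually negotiated with ipsec statusall.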