История изменений
Исправление Spider55, (текущая версия) :
# ipsec.conf - strongSwan IPsec configuration file
#
# strongSwan ipsec.conf syntax: section headers ("config setup", "conn <name>")
# start in column 0, every parameter line that belongs to a header is indented.

# Daemon-wide settings.
config setup
    # Keep CRLs fetched during certificate validation cached on disk, so they
    # are not downloaded again for every authentication.
    cachecrls=yes
    # strictcrlpolicy stays at its default (no): a peer certificate is still
    # accepted when no CRL for it can be obtained. Enable it once CRL
    # retrieval for the issuing CA is known to be reliable.
    # strictcrlpolicy=yes
    # Do not enforce uniqueness of peer identities: several clients that
    # present the same identity (the L2TP conn uses one shared PSK with
    # rightid=%any) may be connected at the same time, so a new session with
    # a known identity does not replace the earlier one.
    uniqueids=never
    # Per-subsystem charon log levels for troubleshooting only (level 2 is
    # verbose). Note the missing space in "enc2" if this is ever re-enabled.
    #charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc2, lib 2"
# Defaults inherited by every conn section below.
conn %default
    # Retry IKE negotiation indefinitely; individual conns may override this.
    keyingtries=%forever
    # Fragment large IKE messages at the IKE layer (e.g. when certificate
    # payloads are big) instead of relying on IP fragmentation.
    fragmentation=yes
    # Dead peer detection: probe an idle peer every 30s; after 90s without an
    # answer just delete its SAs, no reconnect attempt. All conns here are
    # responders (auto=add), so tearing down is the right reaction.
    dpddelay=30s
    dpdtimeout=90s
    dpdaction=clear
    # dpdtimeout applies to IKEv1 only. For IKEv2 it is ignored: every IKEv2
    # message is timed with the daemon's generic message timeout, and that
    # value decides when the peer is considered dead.
    # Accept any local/remote address and any remote identity; each conn
    # narrows this through its authentication settings.
    left=%any
    right=%any
    rightid=%any
    # This side does not renegotiate SAs that are about to expire; clients
    # are expected to rekey or reconnect on their own.
    rekey=no
# L2TP/IPsec (transport mode, shared secret) for the built-in clients of
# Windows, iOS and macOS.
conn l2tpvpn
    # Load at startup and wait for the client to initiate.
    auto=add
    # One attempt per client initiation (overrides %forever from %default);
    # the client retries by itself.
    keyingtries=1
    # "ike" accepts both IKEv1 and IKEv2 when responding; L2TP/IPsec clients
    # negotiate with IKEv1.
    keyexchange=ike
    # Rekeying the IKE_SA does not re-run authentication (IKEv2 only; IKEv1
    # always reauthenticates).
    reauth=no
    # Transport mode protecting only the L2TP (UDP/1701) traffic between the
    # client and this host.
    type=transport
    leftprotoport=udp/l2tp
    rightprotoport=udp/%any
    rightsubnet=%dynamic
    # Give every CHILD_SA its own packet mark so that several clients behind
    # the same NAT address can be told apart.
    mark=%unique
    # Pre-shared key on both sides (authby=secret is the legacy spelling of
    # the same choice). Combined with rightid=%any from %default this means a
    # single secret is shared by every L2TP client.
    authby=secret
    leftauth=psk
    rightauth=psk
    # Server identity presented to clients as an FQDN ID (no DNS lookup).
    leftid=@my.server.host.name
    # Proposals, most preferred first; the trailing "!" restricts negotiation
    # to exactly these. The weaker entries (modp1024, 3DES, SHA-1) are kept
    # only for the stock clients: Win7 uses aes256/sha1/modp1024, iOS
    # aes256/sha256/modp1024, macOS 3des/sha1/modp1024. Remove them once no
    # such client needs them.
    #ike = aes256-sha2_384-modp1024, 3des-sha2_256-modp1024
    ike=aes128-sha256-modp3072,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    # ESP proposals: Win7 aes256-sha1, iOS aes256-sha256, macOS 3des-sha1.
    esp=aes128-sha256-modp3072,aes256-sha256,aes256-sha1,3des-sha1!
# IKEv2 road-warrior tunnel: the server authenticates with a certificate, the
# client with username/password via EAP-MSCHAPv2.
conn ikev2vpn
    auto=add
    keyexchange=ikev2
    type=tunnel
    compress=no
    # Always UDP-encapsulate ESP, even when no NAT is detected, so the tunnel
    # also works across middleboxes that drop raw ESP.
    forceencaps=yes
    # Overrides the 30s from %default: probe idle clients every 5 minutes.
    dpddelay=300s
    # Server side: certificate authentication. A bare file name is resolved
    # against strongSwan's certificate directory; the certificate is always
    # sent to the client.
    leftauth=pubkey
    leftcert=my.server.host.name.cer
    leftsendcert=always
    # Client side: EAP-MSCHAPv2. Clients never send a certificate; with
    # %identity the EAP identity is requested from the client and used as its
    # peer identity.
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%identity
    # The client's virtual address is leased from the LAN's DHCP server
    # (requires the dhcp plugin), so road warriors look like ordinary LAN hosts.
    rightsourceip=%dhcp
    # Only this subnet is reachable through the tunnel (split tunnel).
    leftsubnet=192.168.10.0/24
    # Strict ("!") proposal lists. They presumably mirror what stock IKEv2
    # clients offer, which is why DH group 2 (modp1024), 3DES and SHA-1 are
    # still accepted; review and trim the list whenever the client population
    # allows it.
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
# Variant of ikev2vpn for macOS clients: same settings (pulled in via also=),
# but the server identity is pinned to the host name as an FQDN ID.
conn ikev2vpn-macos
    also="ikev2vpn"
    leftid=@my.server.host.name

# Disabled include; uncomment to pull in /var/lib/strongswan/ipsec.conf.inc.
#include /var/lib/strongswan/ipsec.conf.inc
Хочу заметить, что IKEv2 у меня получилось заставить работать с сертификатом Let's Encrypt. Работает ИЗЮМИТЕЛЬНО, но только с macOS :)))) — с Windows отказывается работать. Оно издевается? :)
В отличие от L2TP вариант с IKEv2 даже более «изящен»: он получает адреса по DHCP наравне с локальной сетью. Это нравится прям. Но вот Windows чё-то теперь не хочет.
P.S. Лопачу форум с целью найти решение, и почти везде anc. Респект. Прям львиное терпение и самоотдача.
Исправление Spider55, :
# ipsec.conf - strongSwan IPsec configuration file
#
# strongSwan ipsec.conf syntax: section headers ("config setup", "conn <name>")
# start in column 0, every parameter line that belongs to a header is indented.

# Daemon-wide settings.
config setup
    # Keep CRLs fetched during certificate validation cached on disk, so they
    # are not downloaded again for every authentication.
    cachecrls=yes
    # strictcrlpolicy stays at its default (no): a peer certificate is still
    # accepted when no CRL for it can be obtained. Enable it once CRL
    # retrieval for the issuing CA is known to be reliable.
    # strictcrlpolicy=yes
    # Do not enforce uniqueness of peer identities: several clients that
    # present the same identity (the L2TP conn uses one shared PSK with
    # rightid=%any) may be connected at the same time, so a new session with
    # a known identity does not replace the earlier one.
    uniqueids=never
    # Per-subsystem charon log levels for troubleshooting only (level 2 is
    # verbose). Note the missing space in "enc2" if this is ever re-enabled.
    #charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc2, lib 2"
# Defaults inherited by every conn section below.
conn %default
    # Retry IKE negotiation indefinitely; individual conns may override this.
    keyingtries=%forever
    # Fragment large IKE messages at the IKE layer (e.g. when certificate
    # payloads are big) instead of relying on IP fragmentation.
    fragmentation=yes
    # Dead peer detection: probe an idle peer every 30s; after 90s without an
    # answer just delete its SAs, no reconnect attempt. All conns here are
    # responders (auto=add), so tearing down is the right reaction.
    dpddelay=30s
    dpdtimeout=90s
    dpdaction=clear
    # dpdtimeout applies to IKEv1 only. For IKEv2 it is ignored: every IKEv2
    # message is timed with the daemon's generic message timeout, and that
    # value decides when the peer is considered dead.
    # Accept any local/remote address and any remote identity; each conn
    # narrows this through its authentication settings.
    left=%any
    right=%any
    rightid=%any
    # This side does not renegotiate SAs that are about to expire; clients
    # are expected to rekey or reconnect on their own.
    rekey=no
# L2TP/IPsec (transport mode, shared secret) for the built-in clients of
# Windows, iOS and macOS.
conn l2tpvpn
    # Load at startup and wait for the client to initiate.
    auto=add
    # One attempt per client initiation (overrides %forever from %default);
    # the client retries by itself.
    keyingtries=1
    # "ike" accepts both IKEv1 and IKEv2 when responding; L2TP/IPsec clients
    # negotiate with IKEv1.
    keyexchange=ike
    # Rekeying the IKE_SA does not re-run authentication (IKEv2 only; IKEv1
    # always reauthenticates).
    reauth=no
    # Transport mode protecting only the L2TP (UDP/1701) traffic between the
    # client and this host.
    type=transport
    leftprotoport=udp/l2tp
    rightprotoport=udp/%any
    rightsubnet=%dynamic
    # Give every CHILD_SA its own packet mark so that several clients behind
    # the same NAT address can be told apart.
    mark=%unique
    # Pre-shared key on both sides (authby=secret is the legacy spelling of
    # the same choice). Combined with rightid=%any from %default this means a
    # single secret is shared by every L2TP client.
    authby=secret
    leftauth=psk
    rightauth=psk
    # Server identity presented to clients as an FQDN ID (no DNS lookup).
    leftid=@my.server.host.name
    # Proposals, most preferred first; the trailing "!" restricts negotiation
    # to exactly these. The weaker entries (modp1024, 3DES, SHA-1) are kept
    # only for the stock clients: Win7 uses aes256/sha1/modp1024, iOS
    # aes256/sha256/modp1024, macOS 3des/sha1/modp1024. Remove them once no
    # such client needs them.
    #ike = aes256-sha2_384-modp1024, 3des-sha2_256-modp1024
    ike=aes128-sha256-modp3072,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    # ESP proposals: Win7 aes256-sha1, iOS aes256-sha256, macOS 3des-sha1.
    esp=aes128-sha256-modp3072,aes256-sha256,aes256-sha1,3des-sha1!
# IKEv2 road-warrior tunnel: the server authenticates with a certificate, the
# client with username/password via EAP-MSCHAPv2.
conn ikev2vpn
    auto=add
    keyexchange=ikev2
    type=tunnel
    compress=no
    # Always UDP-encapsulate ESP, even when no NAT is detected, so the tunnel
    # also works across middleboxes that drop raw ESP.
    forceencaps=yes
    # Overrides the 30s from %default: probe idle clients every 5 minutes.
    dpddelay=300s
    # Server side: certificate authentication. A bare file name is resolved
    # against strongSwan's certificate directory; the certificate is always
    # sent to the client.
    leftauth=pubkey
    leftcert=my.server.host.name.cer
    leftsendcert=always
    # Client side: EAP-MSCHAPv2. Clients never send a certificate; with
    # %identity the EAP identity is requested from the client and used as its
    # peer identity.
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%identity
    # The client's virtual address is leased from the LAN's DHCP server
    # (requires the dhcp plugin), so road warriors look like ordinary LAN hosts.
    rightsourceip=%dhcp
    # Only this subnet is reachable through the tunnel (split tunnel).
    leftsubnet=192.168.10.0/24
    # Strict ("!") proposal lists. They presumably mirror what stock IKEv2
    # clients offer, which is why DH group 2 (modp1024), 3DES and SHA-1 are
    # still accepted; review and trim the list whenever the client population
    # allows it.
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
# Variant of ikev2vpn for macOS clients: same settings (pulled in via also=),
# but the server identity is pinned to the host name as an FQDN ID.
conn ikev2vpn-macos
    also="ikev2vpn"
    leftid=@my.server.host.name

# Disabled include; uncomment to pull in /var/lib/strongswan/ipsec.conf.inc.
#include /var/lib/strongswan/ipsec.conf.inc
Хочу заметить, что IKEv2 у меня получилось заставить работать с сертификатом Let's Encrypt. Работает ИЗЮМИТЕЛЬНО, но только с macOS :)))) — с Windows отказывается работать. Оно издевается? :)
В отличие от L2TP вариант с IKEv2 даже более «изящен»: он получает адреса по DHCP наравне с локальной сетью. Это нравится прям. Но вот Windows чё-то теперь не хочет.
Исправление Spider55, :
# ipsec.conf - strongSwan IPsec configuration file
#
# strongSwan ipsec.conf syntax: section headers ("config setup", "conn <name>")
# start in column 0, every parameter line that belongs to a header is indented.

# Daemon-wide settings.
config setup
    # Keep CRLs fetched during certificate validation cached on disk, so they
    # are not downloaded again for every authentication.
    cachecrls=yes
    # strictcrlpolicy stays at its default (no): a peer certificate is still
    # accepted when no CRL for it can be obtained. Enable it once CRL
    # retrieval for the issuing CA is known to be reliable.
    # strictcrlpolicy=yes
    # Do not enforce uniqueness of peer identities: several clients that
    # present the same identity (the L2TP conn uses one shared PSK with
    # rightid=%any) may be connected at the same time, so a new session with
    # a known identity does not replace the earlier one.
    uniqueids=never
    # Per-subsystem charon log levels for troubleshooting only (level 2 is
    # verbose). Note the missing space in "enc2" if this is ever re-enabled.
    #charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc2, lib 2"
# Defaults inherited by every conn section below.
conn %default
    # Retry IKE negotiation indefinitely; individual conns may override this.
    keyingtries=%forever
    # Fragment large IKE messages at the IKE layer (e.g. when certificate
    # payloads are big) instead of relying on IP fragmentation.
    fragmentation=yes
    # Dead peer detection: probe an idle peer every 30s; after 90s without an
    # answer just delete its SAs, no reconnect attempt. All conns here are
    # responders (auto=add), so tearing down is the right reaction.
    dpddelay=30s
    dpdtimeout=90s
    dpdaction=clear
    # dpdtimeout applies to IKEv1 only. For IKEv2 it is ignored: every IKEv2
    # message is timed with the daemon's generic message timeout, and that
    # value decides when the peer is considered dead.
    # Accept any local/remote address and any remote identity; each conn
    # narrows this through its authentication settings.
    left=%any
    right=%any
    rightid=%any
    # This side does not renegotiate SAs that are about to expire; clients
    # are expected to rekey or reconnect on their own.
    rekey=no
# L2TP/IPsec (transport mode, shared secret) for the built-in clients of
# Windows, iOS and macOS.
conn l2tpvpn
    # Load at startup and wait for the client to initiate.
    auto=add
    # One attempt per client initiation (overrides %forever from %default);
    # the client retries by itself.
    keyingtries=1
    # "ike" accepts both IKEv1 and IKEv2 when responding; L2TP/IPsec clients
    # negotiate with IKEv1.
    keyexchange=ike
    # Rekeying the IKE_SA does not re-run authentication (IKEv2 only; IKEv1
    # always reauthenticates).
    reauth=no
    # Transport mode protecting only the L2TP (UDP/1701) traffic between the
    # client and this host.
    type=transport
    leftprotoport=udp/l2tp
    rightprotoport=udp/%any
    rightsubnet=%dynamic
    # Give every CHILD_SA its own packet mark so that several clients behind
    # the same NAT address can be told apart.
    mark=%unique
    # Pre-shared key on both sides (authby=secret is the legacy spelling of
    # the same choice). Combined with rightid=%any from %default this means a
    # single secret is shared by every L2TP client.
    authby=secret
    leftauth=psk
    rightauth=psk
    # Server identity presented to clients as an FQDN ID (no DNS lookup).
    leftid=@my.server.host.name
    # Proposals, most preferred first; the trailing "!" restricts negotiation
    # to exactly these. The weaker entries (modp1024, 3DES, SHA-1) are kept
    # only for the stock clients: Win7 uses aes256/sha1/modp1024, iOS
    # aes256/sha256/modp1024, macOS 3des/sha1/modp1024. Remove them once no
    # such client needs them.
    #ike = aes256-sha2_384-modp1024, 3des-sha2_256-modp1024
    ike=aes128-sha256-modp3072,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    # ESP proposals: Win7 aes256-sha1, iOS aes256-sha256, macOS 3des-sha1.
    esp=aes128-sha256-modp3072,aes256-sha256,aes256-sha1,3des-sha1!
# IKEv2 road-warrior tunnel: the server authenticates with a certificate, the
# client with username/password via EAP-MSCHAPv2.
conn ikev2vpn
    auto=add
    keyexchange=ikev2
    type=tunnel
    compress=no
    # Always UDP-encapsulate ESP, even when no NAT is detected, so the tunnel
    # also works across middleboxes that drop raw ESP.
    forceencaps=yes
    # Overrides the 30s from %default: probe idle clients every 5 minutes.
    dpddelay=300s
    # Server side: certificate authentication. A bare file name is resolved
    # against strongSwan's certificate directory; the certificate is always
    # sent to the client.
    leftauth=pubkey
    leftcert=my.server.host.name.cer
    leftsendcert=always
    # Client side: EAP-MSCHAPv2. Clients never send a certificate; with
    # %identity the EAP identity is requested from the client and used as its
    # peer identity.
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%identity
    # The client's virtual address is leased from the LAN's DHCP server
    # (requires the dhcp plugin), so road warriors look like ordinary LAN hosts.
    rightsourceip=%dhcp
    # Only this subnet is reachable through the tunnel (split tunnel).
    leftsubnet=192.168.10.0/24
    # Strict ("!") proposal lists. They presumably mirror what stock IKEv2
    # clients offer, which is why DH group 2 (modp1024), 3DES and SHA-1 are
    # still accepted; review and trim the list whenever the client population
    # allows it.
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
# Variant of ikev2vpn for macOS clients: same settings (pulled in via also=),
# but the server identity is pinned to the host name as an FQDN ID.
conn ikev2vpn-macos
    also="ikev2vpn"
    leftid=@my.server.host.name

# Disabled include; uncomment to pull in /var/lib/strongswan/ipsec.conf.inc.
#include /var/lib/strongswan/ipsec.conf.inc
Хочу заметить, что IKEv2 у меня получилось заставить работать с сертификатом Let's Encrypt. Работает ИЗЮМИТЕЛЬНО, но только с macOS :)))) — с Windows отказывается работать. Оно издевается? :)
Исходная версия Spider55, :
# ipsec.conf - strongSwan IPsec configuration file
#
# strongSwan ipsec.conf syntax: section headers ("config setup", "conn <name>")
# start in column 0, every parameter line that belongs to a header is indented.

# Daemon-wide settings.
config setup
    # Keep CRLs fetched during certificate validation cached on disk, so they
    # are not downloaded again for every authentication.
    cachecrls=yes
    # strictcrlpolicy stays at its default (no): a peer certificate is still
    # accepted when no CRL for it can be obtained. Enable it once CRL
    # retrieval for the issuing CA is known to be reliable.
    # strictcrlpolicy=yes
    # Do not enforce uniqueness of peer identities: several clients that
    # present the same identity (the L2TP conn uses one shared PSK with
    # rightid=%any) may be connected at the same time, so a new session with
    # a known identity does not replace the earlier one.
    uniqueids=never
    # Per-subsystem charon log levels for troubleshooting only (level 2 is
    # verbose). Note the missing space in "enc2" if this is ever re-enabled.
    #charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc2, lib 2"
# Defaults inherited by every conn section below.
conn %default
    # Retry IKE negotiation indefinitely; individual conns may override this.
    keyingtries=%forever
    # Fragment large IKE messages at the IKE layer (e.g. when certificate
    # payloads are big) instead of relying on IP fragmentation.
    fragmentation=yes
    # Dead peer detection: probe an idle peer every 30s; after 90s without an
    # answer just delete its SAs, no reconnect attempt. All conns here are
    # responders (auto=add), so tearing down is the right reaction.
    dpddelay=30s
    dpdtimeout=90s
    dpdaction=clear
    # dpdtimeout applies to IKEv1 only. For IKEv2 it is ignored: every IKEv2
    # message is timed with the daemon's generic message timeout, and that
    # value decides when the peer is considered dead.
    # Accept any local/remote address and any remote identity; each conn
    # narrows this through its authentication settings.
    left=%any
    right=%any
    rightid=%any
    # This side does not renegotiate SAs that are about to expire; clients
    # are expected to rekey or reconnect on their own.
    rekey=no
# L2TP/IPsec (transport mode, shared secret) for the built-in clients of
# Windows, iOS and macOS.
conn l2tpvpn
    # Load at startup and wait for the client to initiate.
    auto=add
    # One attempt per client initiation (overrides %forever from %default);
    # the client retries by itself.
    keyingtries=1
    # "ike" accepts both IKEv1 and IKEv2 when responding; L2TP/IPsec clients
    # negotiate with IKEv1.
    keyexchange=ike
    # Rekeying the IKE_SA does not re-run authentication (IKEv2 only; IKEv1
    # always reauthenticates).
    reauth=no
    # Transport mode protecting only the L2TP (UDP/1701) traffic between the
    # client and this host.
    type=transport
    leftprotoport=udp/l2tp
    rightprotoport=udp/%any
    rightsubnet=%dynamic
    # Give every CHILD_SA its own packet mark so that several clients behind
    # the same NAT address can be told apart.
    mark=%unique
    # Pre-shared key on both sides (authby=secret is the legacy spelling of
    # the same choice). Combined with rightid=%any from %default this means a
    # single secret is shared by every L2TP client.
    authby=secret
    leftauth=psk
    rightauth=psk
    # Server identity presented to clients as an FQDN ID (no DNS lookup).
    leftid=@my.server.host.name
    # Proposals, most preferred first; the trailing "!" restricts negotiation
    # to exactly these. The weaker entries (modp1024, 3DES, SHA-1) are kept
    # only for the stock clients: Win7 uses aes256/sha1/modp1024, iOS
    # aes256/sha256/modp1024, macOS 3des/sha1/modp1024. Remove them once no
    # such client needs them.
    #ike = aes256-sha2_384-modp1024, 3des-sha2_256-modp1024
    ike=aes128-sha256-modp3072,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    # ESP proposals: Win7 aes256-sha1, iOS aes256-sha256, macOS 3des-sha1.
    esp=aes128-sha256-modp3072,aes256-sha256,aes256-sha1,3des-sha1!
# IKEv2 road-warrior tunnel: the server authenticates with a certificate, the
# client with username/password via EAP-MSCHAPv2.
conn ikev2vpn
    auto=add
    keyexchange=ikev2
    type=tunnel
    compress=no
    # Always UDP-encapsulate ESP, even when no NAT is detected, so the tunnel
    # also works across middleboxes that drop raw ESP.
    forceencaps=yes
    # Overrides the 30s from %default: probe idle clients every 5 minutes.
    dpddelay=300s
    # Server side: certificate authentication. A bare file name is resolved
    # against strongSwan's certificate directory; the certificate is always
    # sent to the client.
    leftauth=pubkey
    leftcert=my.server.host.name.cer
    leftsendcert=always
    # Client side: EAP-MSCHAPv2. Clients never send a certificate; with
    # %identity the EAP identity is requested from the client and used as its
    # peer identity.
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%identity
    # The client's virtual address is leased from the LAN's DHCP server
    # (requires the dhcp plugin), so road warriors look like ordinary LAN hosts.
    rightsourceip=%dhcp
    # Only this subnet is reachable through the tunnel (split tunnel).
    leftsubnet=192.168.10.0/24
    # Strict ("!") proposal lists. They presumably mirror what stock IKEv2
    # clients offer, which is why DH group 2 (modp1024), 3DES and SHA-1 are
    # still accepted; review and trim the list whenever the client population
    # allows it.
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
# Variant of ikev2vpn for macOS clients: same settings (pulled in via also=),
# but the server identity is pinned to the host name as an FQDN ID.
conn ikev2vpn-macos
    also="ikev2vpn"
    leftid=@my.server.host.name

# Disabled include; uncomment to pull in /var/lib/strongswan/ipsec.conf.inc.
#include /var/lib/strongswan/ipsec.conf.inc