Score:1

strongswan site to host example?


There are a million site-to-site and host-to-host examples. I can't seem to find a single site-to-host example. I am looking for the most basic possible example with no certificates at all, that just listens and accepts with a simple username and password from any IP address, one that will work with the built-in Windows client.

EDIT: When I try the roadwarrior examples, it just says my username or password is incorrect in Windows.

/etc/ipsec.secrets:

: PSK "mypassword"

/etc/ipsec.conf:

conn rw
    leftsubnet=192.168.0.0/16
    leftcert=moonCert.pem
    right=%any
    authby=psk
    auto=add

I get the following error

12[IKE] peer requested EAP, config unacceptable
12[CFG] no alternative config found
12[IKE] peer supports MOBIKE
12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

when I try to connect in Windows and just provide the password with no username.

Any thoughts on how to correct the authentication issue?

Edit 2:

With the following config

leftsubnet=x.x.0.0/16
left=x.x.x.x
right=%any
leftauth=pubkey
rightauth=eap-mschapv2
eap_identity=%identity
auto=add

and ipsec.secrets

user : EAP "password"

I get the following error

[CFG] selected peer config 'rw'
[IKE] initiating EAP_IDENTITY method (id 0x00)
[IKE] peer supports MOBIKE
[IKE] no private key found for '192.168.254.137'
[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
cn flag
You're joking, right? I mean, you really haven't found any of the many, many remote-access (roadwarrior) example configs?
noone392:
Ahh, OK, I didn't realize those were site-to-host; I thought those were host-to-host. When I try all of those, Windows just says my username or password is incorrect.
drookie:
Site-to-site fully applies to your question. No jokes.
cn flag
You configured `authby=psk`. What you want instead is `rightauth=eap-mschapv2` and `leftauth=pubkey`. Windows also requires `eap_identity=%identity`.
noone392:
Updated config per your suggestion, added to edits. Looks like it made it a lot further. I am trying to avoid actually generating a key pair that I have to share with the client so this can remain simple. I don't care about security at all for this particular use case.
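
As an added example (not part of the thread and not strongSwan's own code), this pre-flight check runs the two attempts from the question against the settings the comments name for a Windows EAP-MSCHAPv2 client, and maps each finding to the log line it produces. The `conn rw` header on the second attempt is taken from the `selected peer config 'rw'` log line; `serverCert.pem` and `serverKey.pem` are hypothetical file names.

```python
import re

KEY_ENTRY = re.compile(r"^[^#\n]*:\s*(RSA|ECDSA|P12)\s", re.M)   # ": RSA serverKey.pem"
EAP_ENTRY = re.compile(r"^\s*[^#:\s][^#:\n]*:\s*EAP\s", re.M)    # 'user : EAP "password"'

def parse_conns(conf):
    """Parse ipsec.conf text into {conn_name: {option: value}}."""
    conns, cur = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return conns

def check_windows_eap(conn, secrets):
    """Return codes for settings that end in AUTH_FAILED for a Windows EAP client."""
    found = []
    if not conn.get("rightauth", "").startswith("eap"):
        found.append("no-eap")             # "peer requested EAP, config unacceptable"
    if (conn.get("leftauth") or conn.get("authby", "pubkey")) != "pubkey":
        found.append("server-not-pubkey")  # comment's fix: leftauth=pubkey
    else:
        if "leftcert" not in conn:
            found.append("no-leftcert")    # no server certificate configured
        if not KEY_ENTRY.search(secrets):
            found.append("no-private-key") # "no private key found for ..."
    if "eap_identity" not in conn:
        found.append("no-eap-identity")    # comment: Windows needs eap_identity
    if not EAP_ENTRY.search(secrets):
        found.append("no-eap-secret")      # no 'user : EAP "..."' line
    return found

# Constructed inputs: the two attempts from the question, then a hypothetical fix.
FIRST = ("conn rw\n    leftsubnet=192.168.0.0/16\n    leftcert=moonCert.pem\n"
         "    right=%any\n    authby=psk\n    auto=add\n", ': PSK "mypassword"\n')
SECOND = ("conn rw\n    leftsubnet=x.x.0.0/16\n    left=x.x.x.x\n    right=%any\n"
          "    leftauth=pubkey\n    rightauth=eap-mschapv2\n"
          "    eap_identity=%identity\n    auto=add\n", 'user : EAP "password"\n')
FIXED = (SECOND[0].replace("leftauth=pubkey", "leftauth=pubkey\n    leftcert=serverCert.pem"),
         ': RSA serverKey.pem\nuser : EAP "password"\n')

def diagnose(pair):
    """Check the 'rw' conn of a (ipsec.conf text, ipsec.secrets text) pair."""
    conf, secrets = pair
    return check_windows_eap(parse_conns(conf)["rw"], secrets)

if __name__ == "__main__":
    for name, pair in (("first", FIRST), ("second", SECOND), ("fixed", FIXED)):
        print(name, diagnose(pair) or "ok")
```

The key file named on the `: RSA` line stays on the server; the client only has to trust the CA that issued the certificate named in `leftcert`.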