####################################################################### # This is a starter strongSwan /etc/swanctl/conf.d/ file for # interoperability with Windows IPsec. The test machines must # both be on the 10.0.0.0/8 network. The quick mode traffic # selector is only for ICMP, i.e., for ping. It only uses # IKEv1 with a pre-shared key of "P@ssword". # # On Windows, the main mode settings must be: # Integrity: SHA-256 # Encryption: AES-CBC 256 # Key Exchange: Diffie-Hellman Group 14 # # On Windows, the ESP quick mode settings must be: # Encryption: AES-GCM 256 # Integrity: AES-GMAC 256 # # On Windows, configure the machine-wide default auth to be: # Pre-Shared Key: P@ssword # # On Windows, set the authentication method in the IPsec connection # security rule to Default. Do not customize the auth settings in any # IPsec rules, only configure auth settings in the properties of the # firewall snap-in itself, i.e., only use machine-wide auth settings. # # With IKEv1, each remote_ts or local_ts may have only a single selector. # If multiple selectors are needed, multiple children{} must be added. # Also, every remote_ts and local_ts line must include a [protocol] of # some type or else Windows will reject the connection. ####################################################################### connections { conn1 { remote_addrs = 10.0.0.0/8 version = 1 proposals = aes256-sha256-modp2048 local { auth = psk } remote { auth = psk } children { icmponly { remote_ts = 10.0.0.0/8[icmp] local_ts = 10.0.0.0/8[icmp] mode = transport esp_proposals = aes256gcm16-aes256gmac start_action = trap } } } } secrets { ike { secret = "P@ssword" } }