Version 22 (Martin Willi, 29.09.2007 09:34) → Version 23/184 (Martin Willi, 29.09.2007 09:40)

= strongSwan User Documentation =

== Features ==
* [wiki:VirtualIp Virtual IP] via mode-config (IKEv1) or configuration payload (IKEv2)
* [wiki:NatTraversal NAT Traversal]
* [wiki:MobIke MOBIKE]

== Configuration ==
* [wiki:IpsecConf ipsec.conf] file
* [wiki:IpsecSecrets ipsec.secrets] file
* [wiki:IpsecDirectory ipsec.d] directory
* [http://www.strongswan.org/docs/readme.htm Configuration HOWTO]

== Configuration Examples ==
Dozens of both simple and advanced VPN scenarios:
* [http://www.strongswan.org/uml/testresults4/ikev1 IKEv1] examples
* [http://www.strongswan.org/uml/testresults4/ikev2 IKEv2] examples
* [http://www.strongswan.org/uml/testresults4/ipv6 IPv6] examples

== Management Commands ==
* The powerful [wiki:IpsecCommand ipsec] command starts, stops and monitors IPsec connections.

== Auxiliary Tools ==

* ipsec [wiki:OpenAc openac] generates ''X.509 attribute certificates''
* ipsec [wiki:ScepClient scepclient] implements the ''Simple Certificate Enrollment Protocol (SCEP)''
* ipsec [wiki:IpsecStarter starter] starts, stops, and configures the IKE daemons
* ipsec [wiki:IpsecStroke] controls the IKEv2 charon daemon
* ipsec [wiki:IpsecWhack] controls the IKEv1 pluto daemon

== Interoperability ==

* [wiki:WindowsVista Windows Vista]

== Frequently Asked Questions ==

* A [wiki:FAQ] is maintained [wiki:FAQ here].

'''Q:''' ''I'm trying to set up a VPN tunnel with a ZyXEL/Linksys/X router but the other side keeps on telling me "no proposal chosen" when strongSwan initiates the connection.''

'''A:''' Make sure that the peer supports all the algorithms (including the key lengths) that strongSwan proposes for IKE and ESP. For IKE, the proposal consists of the following parts: encryption algorithm, hash algorithm (PRF) and DH group. For ESP, the proposal includes the following: encryption algorithm, hash algorithm, PFS group (DH group) and '''compression algorithm'''. Many IPsec implementations do '''not''' support compression or have implemented it erroneously, so the first thing to try in this situation is to switch compression off on the peer. strongSwan's default setting is
{{{
compress=no
}}}
See also Chapter [http://www.strongswan.org/docs/readme4.htm#section_14.1 14.1 Authentication and encryption algorithms] of the strongSwan documentation. It has good information about the relevant parameters.
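
The following ipsec.conf fragment is an added example, not taken from the strongSwan documentation. It pins every proposal component named in the answer above so that each one can be compared line by line against the peer's settings. The connection name, the addresses (documentation ranges) and the algorithm choices are assumptions and must be replaced with what the peer is actually configured for.

```conf
# /etc/ipsec.conf (constructed example; names, addresses and algorithms are placeholders)
conn router-peer
	# IKEv1, as handled by the pluto daemon
	keyexchange=ikev1
	authby=secret
	left=192.0.2.1
	leftsubnet=10.1.0.0/16
	right=198.51.100.1
	rightsubnet=10.2.0.0/16
	# IKE proposal: encryption algorithm - hash algorithm (PRF) - DH group
	ike=aes256-sha2_256-modp2048
	# ESP proposal: encryption algorithm - hash algorithm
	esp=aes256-sha2_256
	# PFS group (DH group) for the ESP proposal
	pfs=yes
	pfsgroup=modp2048
	# IPComp stays off (the strongSwan default); switch it off on the peer too
	compress=no
	auto=add
```

With the proposal written out explicitly, a "no proposal chosen" reply can be traced by checking each of these lines against the corresponding setting on the router, key lengths included.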