I'm using Strongswan to handle IPsec connections, and need a way to support both Windows (IKEv2) and OS X (IKEv1) clients. I would prefer to use pure IPsec (i.e. avoid having to setup L2TP) unless there's a compelling reason to use L2TP/IPsec.

I know you can configure Strongswan in ipsec.conf to have some connections use IKEv1 whereas some other connections use IKEv2. However, in my case I can't easily set up separate connection configurations for each user because the IP address that they'll connect from won't be known in advance. I just use a single connection configuration for all of our users.

Is it possible to have some users connect via an IKEv1 connection configuration and others via an IKEv2 connection configuration, or set up a single connection configuration that'll handle both IKEv1 and IKEv2 connections? If not, what would be the easiest way to support both Windows and OS X built-in IPsec clients (with Strongswan or some other IPsec package)?

Alex

1 Answer

Yes, you can do IKEv1 and IKEv2 simultaneously as long as you have both pluto and charon installed and the daemons running. Use this in your config setup:

charonstart=yes
plutostart=yes

And use the keyexchange parameters in your ipsec.conf's conn sections:

conn foo
  ...
  keyexchange=ikev2
  ...

conn bar
  ...
  keyexchange=ikev1
  ...

dawud
  • Thanks. I was aware of that. As stated in the question: _"I can't easily set up separate connection configurations for each user because the IP address that they'll connect from won't be known in advance."_ So how would I set up separate connection sections if I don't know the client's IP address in advance? In other words, how would Strongswan know which connection section to use for a new connection? I'm under the impression that a connection is selected _before_ IKE is used, is that correct? – Alex Sep 15 '13 at 00:05
  • 2
    @Alex Since the connection is made with IKE, either v1 or v2, strongSwan would have no problem selecting the right config. But in releases before 5.x the two daemons will use all configs as responder no matter what value has been set for keyexchange (i.e. that option has no effect for responders, it only affects initiators). Of course, not all configs will actually work with both protocol versions, so it could still be that a config is loaded only by one daemon. Anyway, in current releases (where there is only one IKE daemon) the protocol version is taken into account when selecting configs. – ecdsa Sep 16 '13 at 09:58
  • I just tested this and you're absolutely correct. Thanks! – Alex Sep 30 '13 at 21:30
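For reference, here is what the "one responder, two conn sections selected by IKE version" setup from the answer and ecdsa's comment looks like as a complete ipsec.conf. This is an added example, not configuration from the answer or from the strongSwan project; it assumes strongSwan 5.x (single charon daemon, so the charonstart/plutostart lines are not needed), and the hostname, certificate file, pool and PSK usage are placeholders.

```ini
# Added example (assumptions: strongSwan 5.x, vpn.example.org, vpnServerCert.pem,
# 10.10.10.0/24 pool). Both conns use right=%any, so the client IP need not be
# known in advance; charon picks the conn by the IKE version the client speaks.
config setup
    uniqueids=no

conn %default
    left=%any
    leftid=@vpn.example.org
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.10.10.0/24
    auto=add

# Windows 7+ built-in client: IKEv2, server certificate, EAP-MSCHAPv2 for users
conn ikev2-windows
    keyexchange=ikev2
    leftcert=vpnServerCert.pem
    leftauth=pubkey
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%identity

# OS X built-in "Cisco IPsec" client: IKEv1 aggressive mode, group PSK + XAuth
conn ikev1-osx
    keyexchange=ikev1
    aggressive=yes
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
```

ipsec.secrets then needs the group PSK for the IKEv1 conn plus per-user EAP and XAUTH entries; because the IKEv1 conn relies on a shared group secret in aggressive mode, XAuth is what actually identifies the user there.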