StrongSwan connecting from Windows 10
The answer was in the certificate format for both the server and the client. Windows requires the hostname or IP address that the client connects to to be listed in a subjectAltName (SAN), whilst OSX requires the Remote ID to be in a SAN, so you end up with a server certificate that looks like this:
# Server certificate: the SAN carries the Remote ID (vpnserver, for OSX)
# and the address clients connect to (for Windows). Note the dns: prefix
# on the second --san: the IP is encoded as a dNSName entry, not an iPAddress.
ipsec pki --pub --in vpn-server-key.pem \
    --type rsa | ipsec pki --issue --lifetime 1825 \
    --cacert /etc/swanctl/x509ca/server-root-ca.pem \
    --cakey /etc/swanctl/private/server-root-key.pem \
    --dn "C=GB, O=Self signed, CN=vpnserver" \
    --san vpnserver \
    --san dns:34.35.36.37 \
    --flag serverAuth --flag ikeIntermediate \
    --outform pem > vpn-server-cert.pem
A similar story applies to the client certificate. With the swanctl configuration set to eap_id = %any, StrongSwan asks the client for its identity. Windows returns the CN part of its certificate, whilst OSX returns the Local ID, so the certificate needs both and looks like this:
# Client certificate: CN=$USER is the identity Windows presents;
# the matching --san $USER is what OSX presents as its Local ID.
ipsec pki --pub --in vpn-$USER-key.pem \
    --type rsa | ipsec pki --issue --lifetime 1825 \
    --cacert /etc/swanctl/x509ca/server-root-ca.pem \
    --cakey /etc/swanctl/private/server-root-key.pem \
    --dn "C=GB, O=Self signed, CN=$USER" \
    --san $USER \
    --outform pem > vpn-$USER-cert.pem
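To issue both certificates and then confirm they really carry the SAN entries the two clients look for, here is an added shell example (not code from the original post). It wraps the two ipsec pki commands above in functions and checks the issued certificates with openssl, matching SAN entries exactly so that a dNSName holding an IP is not mistaken for an iPAddress entry. The CA paths, the name vpnserver and the address 34.35.36.37 come from the post; the function names, the ISSUE_CERTS switch, and the assumption that ipsec pki and openssl (1.1.1 or later, for -ext) are on PATH are mine.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the two
# 'ipsec pki --issue' commands in functions and checks the resulting
# SANs with openssl. Assumed: ipsec pki and openssl on PATH, the paths
# below, and the ISSUE_CERTS switch (set ISSUE_CERTS=1 to really issue).
CA_CERT=/etc/swanctl/x509ca/server-root-ca.pem
CA_KEY=/etc/swanctl/private/server-root-key.pem
SERVER_NAME=vpnserver
SERVER_IP=34.35.36.37

# Issue the server certificate: SAN carries the Remote ID for OSX and the
# connect address for Windows (the IP encoded as a dNSName, as in the post).
issue_server_cert() {
    ipsec pki --pub --in vpn-server-key.pem --type rsa \
      | ipsec pki --issue --lifetime 1825 \
          --cacert "$CA_CERT" --cakey "$CA_KEY" \
          --dn "C=GB, O=Self signed, CN=$SERVER_NAME" \
          --san "$SERVER_NAME" --san "dns:$SERVER_IP" \
          --flag serverAuth --flag ikeIntermediate \
          --outform pem > vpn-server-cert.pem
}

# Issue a client certificate for user $1: CN for Windows, SAN for OSX's Local ID.
issue_client_cert() {
    user=$1
    ipsec pki --pub --in "vpn-$user-key.pem" --type rsa \
      | ipsec pki --issue --lifetime 1825 \
          --cacert "$CA_CERT" --cakey "$CA_KEY" \
          --dn "C=GB, O=Self signed, CN=$user" \
          --san "$user" \
          --outform pem > "vpn-$user-cert.pem"
}

# Normalise the text printed by 'openssl x509 -noout -ext subjectAltName'
# into one "TYPE:value" entry per line (DNS:, IP Address:, email:).
san_entries() {
    tr ',' '\n' | sed 's/^[[:space:]]*//' \
      | grep -E '^(DNS|IP Address|email):' || true
}

# Return 0 only if $1 (openssl SAN text) contains every entry given in $2...
# Matching is exact, so "DNS:34.35.36.37" does not satisfy "IP Address:34.35.36.37".
has_sans() {
    text=$1; shift
    entries=$(printf '%s\n' "$text" | san_entries)
    for want in "$@"; do
        printf '%s\n' "$entries" | grep -qxF -- "$want" || return 1
    done
    return 0
}

# Check an issued certificate file against the SAN entries the clients need.
cert_has_sans() {
    cert=$1; shift
    has_sans "$(openssl x509 -in "$cert" -noout -ext subjectAltName)" "$@"
}

if [ "${ISSUE_CERTS:-0}" = 1 ]; then
    issue_server_cert
    issue_client_cert "$USER"
    cert_has_sans vpn-server-cert.pem "DNS:$SERVER_NAME" "DNS:$SERVER_IP" \
      || { echo "server cert is missing a SAN that Windows or OSX needs" >&2; exit 1; }
    cert_has_sans "vpn-$USER-cert.pem" "DNS:$USER" \
      || { echo "client cert is missing the Local ID SAN" >&2; exit 1; }
    echo "certificates issued and SANs verified"
fi
```

Run it with ISSUE_CERTS=1 on the host that holds the CA key; without the switch it only defines the functions, so cert_has_sans can be pointed at any existing certificate to see which SAN entries (and which types) it really contains before handing it to a Windows or OSX client.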
In the Windows VPN connection settings, you can tell it to use a different username and also which server to connect to, which I suspect will make it act the same as OSX, but by default these are not selected.
Windows also authenticates the server, and will show a warning about an unknown server. You can click 'Continue' past it, or you can disable server authentication checking from inside the Windows client VPN settings (not recommended, since the client would then accept any server certificate).