how to configure ipsec vpn over tcp port

[algoritmsystems]

how to configure ipsec vpn over tcp port

[hwdsl2]

@algoritmsystems Hello! Please refer to: #1302 and #1450.

[algoritmsystems]

Thanks!

[letoams]

If both ends are libreswan you can do it by enabling RFC 8229 support, see the client and server config in this test case: https://github.com/libreswan/libreswan/blob/main/testing/pluto/ikev2-tcp-01-listen-default/east.conf

basicslly add enable-tcp=yes in the connection and listen-tcp=yes in “config setup” on both ends.

You can use ikeport and tcp-remote-port for changing port although usually 4500 TCP works fine

[algoritmsystems]

Thanks @letoams, but it would be better if the script asked for the choice of transport during installation.

[letoams]

On Tue, 5 Mar 2024, algoritmsystems wrote: Thanks @letoams, but it would be better if the script asked for the choice of transport during installation.

I think at this point the script should probably: - add enable-tcp=yes to enable tcp on the server in all connections - add listen=tcp=yes to "config setup" And allow all connections to use TCP 4500. When using libreswan as a client, the connection should also have tcp-remoteport=4500. Paul

[algoritmsystems]

Yes! Also would be better to add a function to the script for choosing between IKE, L2TP and Xauth of CISCO

[letoams]

On Mar 6, 2024, at 06:14, algoritmsystems ***@***.***> wrote:  Yes! Also would be better to add a function to the script for choosing between IKE, L2TP and Xauth of CISCO

Honestly, at this point I think it’s valid to no longer support any IKEv1 based solution. New deployments shouldn’t use it. Clients supporting these do so in old/legacy mode. All modern platforms support IKEv2 now. Paul

[algoritmsystems]

Sure, I meant v2