I'm using Strongswan to handle IPsec connections, and need a way to support both Windows (IKEv2) and OS X (IKEv1) clients. I would prefer to use pure IPsec (i.e. avoid having to set up L2TP) unless there's a compelling reason to use L2TP/IPsec.
I know you can configure Strongswan in ipsec.conf to have some connections use IKEv1 whereas some other connections use IKEv2. However, in my case I can't easily set up separate connection configurations for each user because the IP address that they'll connect from won't be known in advance. I just use a single connection configuration for all of our users.
Is it possible to have some users connect via an IKEv1 connection configuration and others via an IKEv2 connection configuration, or set up a single connection configuration that'll handle both IKEv1 and IKEv2 connections? If not, what would be the easiest way to support both Windows and OS X built-in IPsec clients (with Strongswan or some other IPsec package)?
Yes, you can do IKEv1 and IKEv2 simultaneously as long as you have both pluto and charon installed and the daemons running. Use this in your config setup:
And use the keyexchange parameters in your ipsec.conf's conn sections:
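The setup described in the answer, written out as an added example (it is not the answerer's original configuration). It assumes strongSwan 4.x, where pluto handles IKEv1 and charon handles IKEv2; the conn names, certificate file name and authentication choices are illustrative assumptions.

```conf
# /etc/ipsec.conf - constructed example, strongSwan 4.x syntax

config setup
    plutostart=yes      # start pluto, the IKEv1 daemon
    charonstart=yes     # start charon, the IKEv2 daemon

# Settings shared by both connections.
conn %default
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any          # accept clients from any address (not known in advance)
    auto=add            # load the conn and wait for clients to initiate

# Loaded by pluto only: OS X built-in client (IKEv1).
conn osx-ikev1
    keyexchange=ikev1
    authby=xauthpsk     # assumption: PSK plus XAuth, as the OS X client uses
    xauth=server

# Loaded by charon only: Windows built-in client (IKEv2).
conn win-ikev2
    keyexchange=ikev2
    leftauth=pubkey
    leftcert=serverCert.pem     # placeholder file name
    rightauth=eap-mschapv2      # assumption: username/password via EAP
    eap_identity=%any
```

Each daemon loads only the conn sections for its own IKE version, so `right=%any` on both is enough for clients to be matched by the protocol they speak rather than by source address.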