I’m trying to connect my nixos laptop to a remote vpn hosted by a fritzbox running fritz os 7.
This means it’s IKEv1 with a short preshared key which cannot be changed.
I tried using networkmanager (with the strongswan plugin), but the cli as well as the applet won’t let me configure a connection with a psk shorter than 20 characters.
Is there any way to configure an ipsec client on nixos that can work under these conditions?
I looked at strongswan/swanctl documentation and configuration examples but it’s really overwhelming me with my little knowledge about vpn stuff.
Any help is very much appreciated.
StrongSwan is overwhelming indeed. Trust me, I’ve been there. There are many knobs to turn.
I would suggest studying the strongswan-swanctl NixOS test and see how to adapt it to your situation.
In your case:
moon is your fritzbox.
carol is your nixos laptop.
alice is some device behind your fritzbox that you want to access from your laptop.
What to adapt?
- You should copy the configuration of
- I think you can remove the
remote_addrs to the public IP of your fritzbox.
local."main".id to your IKE identity (i.e. your username used for authentication).
secrets.ike."moon".id."main" to something like "fritzbox". It doesn’t really matter what you set this to as long as the id in the remote section is the same as the id in the secret section so that they’re associated and strongswan knows which secret to send to the remote. You may also rename "moon" to something more appropriate like also
remote_ts to the subnet of your VPN.
- Either remove proposals or set them to what is required by your fritzbox.
version from 2 to 1 for IKEv1.
secret to your PSK.
Check the documentation of swanctl.conf for descriptions on all these options.
Thank you Bas, for your detailed answer! I didn’t even think of looking at the tests. Alas, I still haven’t solved my problem - I forgot to write that the fritz box does not only use a preshared key but also a password alongside the username.
The setup guide for android says to configure “xauth” authentication. I tried adapting the “ikev1-psk-xauth” “Initiator” example from Usable Examples configurations - strongSwan but I don’t understand how to correctly configure IDs and secrets. Also I never seem to get any helpful log output in the swanctl systemd unit.
As another approach I took a second look at network manager and noticed the strongswan plugin I was trying to use does not even support ikev1 so I started packaging the networkmanager-libreswan plugin.
It already compiles and shows up in my connection settings but does not start the libreswan service yet.
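The adaptation steps from the answer, combined with the PSK-plus-XAuth requirement from the follow-up, as an added example that is not part of the original thread and has not been tested against a FRITZ!Box. All upper-case strings are placeholders, the names `fritzbox`, `home`, `psk`, `xauth` and `user` are arbitrary labels, and the shape of `secrets.xauth` is assumed to mirror the `secrets.ike` shape quoted in the answer.

```nix
{
  services.strongswan-swanctl = {
    enable = true;
    swanctl = {
      connections.fritzbox = {
        version = 1;                              # IKEv1 instead of 2
        remote_addrs = [ "FRITZBOX_PUBLIC_IP" ];  # placeholder
        # proposals left out: the answer's "either remove proposals" option

        # First authentication round: preshared key.
        local.psk = {
          auth = "psk";
          id = "VPN_USERNAME";                    # IKE identity (placeholder)
        };
        # Second round: XAuth username; its password lives in secrets.xauth.
        local.xauth = {
          auth = "xauth";
          xauth_id = "VPN_USERNAME";
        };
        remote.main = {
          auth = "psk";
          id = "fritzbox";                        # same value as secrets.ike.*.id below
        };
        children.home = {
          remote_ts = [ "VPN_SUBNET_CIDR" ];      # subnet behind the fritzbox
        };
      };

      # Literal secrets written here end up world-readable in /nix/store;
      # keep the real values out of the evaluated configuration on a shared machine.
      secrets = {
        ike.fritzbox = {
          id.main = "fritzbox";                   # ties this PSK to remote.main.id
          secret = "PRESHARED_KEY";
        };
        xauth.user = {
          id.main = "VPN_USERNAME";               # ties this password to xauth_id
          secret = "VPN_PASSWORD";
        };
      };
    };
  };
}
```

After a rebuild, `swanctl --list-conns` shows whether the connection was loaded, and `swanctl --initiate --child home` prints the negotiation to the terminal.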