>> There are ways to make even Windows clients use actual crypto with IPsec if
>> needed, though last I checked it could not be done from the GUI but required
>> powershell commands. (I don't have a URL handy, sorry, but this information
>> wasn't very hard to find when I needed it.)
>
> Thanks. I will investigate. This has to work with iPads as well. Yuk!

I would strongly recommend switching to IKEv2 if you can; it is far easier to come up with a config that still gives decent crypto with mixed client platforms. (Internal client on Apple OS and non-ancient Windows - strongswan on Android/Linux).

>> I suspect getting IPsec SAs going with both peers behind NAT is tricky.
>
> I agree.

The IPsec side should be ok as long as everything supports nat-t (not unusual).