[Swan-dev] For Google Summer of Code 2017 aspiring students

Paul Wouters paul at nohats.ca
Sun Mar 12 22:04:11 UTC 2017

Hi students,

I thought it would be a good idea to give students the opportunity to
configure libreswan to run against a known working VPN server (also

It will also allow me to test a recent munin statistics plugin, so you
will actually be helping me by trying to configure your libreswan client
against my server.

The server is vpn.nohats.ca. It uses IKEv2 with certificates as
documented at:


You will need a PKCS#12 certificate to connect to this server. You can
find out how to import this certificate into libreswan at:


Just email me (offlist) to ask for a certificate and I'll email one back.
The certificate can also be used on iOS/OSX and Windows, and on Android
when using the strongswan ipsec client. If you are using iOS/OSX, I can
also give you a .mobileconfig file.

My recommendation is to configure libreswan on a Linux machine, so
that it works for the connection to vpn.nohats.ca. If you enable
plutodebug=all in /etc/ipsec.conf, you will get a huge amount of
debugging information that gives you an idea of what is involved in
starting a tunnel. It is okay if your ipsec client is behind NAT. You
can also play with tcpdump to see what this actually looks like.

Another option you can use to gain some experience is to configure
Opportunistic IPsec using LetsEncrypt. See:


For all IPsec connections, you can use "ipsec whack --trafficstatus" to
see if it is working as expected. Or you can run "ipsec status" to get
a developer's view of the libreswan IKE daemon pluto's internal states.

Over the next couple of days, I will also file a number of small bugs
that might be good small exercises to get familiar with the code.

If you have any questions, please ask on the list so that answers can be
shared with all students. Or check the #swan IRC channel on FreeNode.

