[Swan] LibreSwan with NetworkManager
Gareth Williams
gareth at garethwilliams.me.uk
Thu Aug 7 08:57:00 EEST 2014
I've been trying to get LibreSwan (on a CentOS 7 server) to work with
NetworkManager (on Fedora 20 as a road-warrior) for the last week or so
and have failed.
/etc/ipsec.conf on the left/server side is:
config setup
	# virtual_private=%v4:10.7.0.0/24,%v4:192.168.0.0/8
	# nat_traversal=yes

conn xauth-rsa
	# aggrmode=yes
	authby=rsasig
	auto=add
	pfs=no
	rekey=no
	left=178.62.53.49
	leftcert=LibreSwan
	leftid=%fromcert
	leftsendcert=always
	leftsubnet=0.0.0.0/0
	rightaddresspool=10.7.0.2-10.7.0.10
	right=%any
	rightrsasigkey=%cert
	modecfgdns1=8.8.8.8
	leftxauthserver=yes
	rightxauthclient=yes
	leftmodecfgserver=yes
	rightmodecfgclient=yes
	modecfgpull=yes
	xauthby=pam
	dpddelay=30
	dpdtimeout=120
	dpdaction=clear
	ike_frag=yes
which I got from:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html
(para 4.7.8)
On NetworkManager's openSwan config, I've got the defaults, with the
addition of:
Gateway = <my server's hostname>
Group Name = <I don't know what goes here, but I have to put something>
User Password = <the PAM password for me as known by the server>
Group Password = Not Required
Username = <my username on the server>
I switch off the firewall on the server when I try to connect for now
and this is what I receive when I follow the logs with `journalctl -fu
ipsec`:
-- Logs begin at Thu 2014-08-07 06:24:21 BST. --
Aug 07 06:52:55 <my FQDN> pluto[11098]: listening for IKE messages
Aug 07 06:52:55 <my FQDN> pluto[11098]: adding interface tun0/tun0 10.8.0.1:500
Aug 07 06:52:55 <my FQDN> pluto[11098]: adding interface eth0/eth0 178.62.53.49:500
Aug 07 06:52:55 <my FQDN> pluto[11098]: adding interface lo/lo 127.0.0.1:500
Aug 07 06:52:55 <my FQDN> pluto[11098]: adding interface lo/lo ::1:500
Aug 07 06:52:55 <my FQDN> pluto[11098]: loading secrets from "/etc/ipsec.secrets"
Aug 07 06:52:55 <my FQDN> pluto[11098]: no secrets filename matched "/etc/ipsec.d/*.secrets"
Aug 07 06:52:55 <my FQDN> pluto[11098]: loaded private key for keyid: PPK_RSA:AwEAAb0fm
Aug 07 06:52:56 <my FQDN> pluto[11098]: loading certificate from LibreSwan
Aug 07 06:52:56 <my FQDN> pluto[11098]: added connection description "xauth-rsa"
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: received Vendor ID payload [Dead Peer Detection]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: ignoring received Vendor ID payload [RFC 3947] method=RFC 3947 (NAT-Traversal), because port floating is off
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: ignoring Vendor ID payload [RFC 3947]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: ignoring received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method=draft-ietf-ipsec-nat-t-ike-02/03, because port floating is off
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: ignoring received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method=draft-ietf-ipsec-nat-t-ike-02/03, because port floating is off
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: ignoring received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] method=draft-ietf-ipsec-nat-t-ike-02/03, because port floating is off
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: received Vendor ID payload [XAUTH]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: received Vendor ID payload [FRAGMENTATION]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: initial Aggressive Mode message from x.y.77.197 but no (wildcard) connection has been configured with policy=PSK+XAUTH+AGGRESSIVE
I've tried to set the server to aggressive with `aggrmode=yes` but it
has no effect.
Am I correct in assuming that the PSK+XAUTH+AGGRESSIVE is what
NetworkManager is trying to connect by? In which case, am I wasting
time trying to connect using X509 certs as per the website?
I've Googled until my eyes bleed, but can't find a guide on setting up
LibreSwan to work with NetworkManager.
Any assistance would be greatly appreciated.
Regards,
Gareth
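As an added diagnostic, not code from the post or from the LibreSwan project: the script below reads a conn section out of ipsec.conf text, reads the policy that pluto's "no (wildcard) connection has been configured with policy=..." line says the peer wants, and lists the flags the conn does not offer. The conf-to-policy mapping (authby=secret gives PSK, authby=rsasig gives RSASIG, the xauth options give XAUTH, aggrmode=yes gives AGGRESSIVE), the rsasig default and the sample conf and log line are my assumptions, modelled on the post.

```python
import re

# Constructed sample: a trimmed copy of the server's conn section from the post.
IPSEC_CONF = """\
config setup
	# nat_traversal=yes

conn xauth-rsa
	# aggrmode=yes
	authby=rsasig
	auto=add
	leftxauthserver=yes
	rightxauthclient=yes
	ike_frag=yes
"""

# Constructed sample pluto log line, shaped like the last line in the post.
PLUTO_LOG = ('Aug 07 06:53:03 vpn pluto[11098]: packet from 198.51.100.7:500: '
             'initial Aggressive Mode message from 198.51.100.7 but no (wildcard) '
             'connection has been configured with policy=PSK+XAUTH+AGGRESSIVE')

POLICY_RE = re.compile(r'configured with policy=([A-Z0-9+]+)')

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section; comments ignored."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # a section header starts at column 0
            kind, _, name = line.partition(' ')
            current = conns.setdefault(name, {}) if kind == 'conn' else None
        elif current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            current[key.strip()] = value.strip()
    return conns

def conn_policy(opts):
    """Policy flags the conn offers, in pluto's naming (assumed mapping)."""
    authby = opts.get('authby', 'rsasig')  # assumed default
    flags = {{'secret': 'PSK', 'rsasig': 'RSASIG'}.get(authby, authby.upper())}
    if opts.get('leftxauthserver') == 'yes' or opts.get('rightxauthclient') == 'yes':
        flags.add('XAUTH')
    if opts.get('aggrmode') == 'yes':
        flags.add('AGGRESSIVE')
    return flags

def required_policy(log_line):
    """Flags the peer asked for, or None if the line is not a policy-mismatch line."""
    m = POLICY_RE.search(log_line)
    return set(m.group(1).split('+')) if m else None

def diagnose(conf_text, log_line):
    """Per conn, the sorted flags the peer wants that the conn does not offer."""
    want = required_policy(log_line)
    if want is None:
        return {}
    return {name: sorted(want - conn_policy(opts))
            for name, opts in parse_conns(conf_text).items()}
```

Run against the sample it reports that xauth-rsa lacks AGGRESSIVE and PSK, which is the same gap the log line points at.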