[Swan] LibreSwan with NetworkManager

Gareth Williams gareth at garethwilliams.me.uk
Thu Aug 7 08:57:00 EEST 2014


I've been trying to get LibreSwan (on a CentOS 7 server) to work with 
NetworkManager (on Fedora 20 as a road-warrior) for the last week or so 
and have failed.

/etc/ipsec.conf on the left/server side is:

config setup

#    virtual_private=%v4:10.7.0.0/24,%v4:192.168.0.0/8
#    nat_traversal=yes

conn xauth-rsa
#    aggrmode=yes
     authby=rsasig
     auto=add
     pfs=no
     rekey=no
     left=178.62.53.49
     leftcert=LibreSwan
     leftid=%fromcert
     leftsendcert=always
     leftsubnet=0.0.0.0/0
     rightaddresspool=10.7.0.2-10.7.0.10
     right=%any
     rightrsasigkey=%cert
     modecfgdns1=8.8.8.8
     leftxauthserver=yes
     rightxauthclient=yes
     leftmodecfgserver=yes
     rightmodecfgclient=yes
     modecfgpull=yes
     xauthby=pam
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear
     ike_frag=yes

which I got from:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html
(para 4.7.8)

On NetworkManager's openSwan config, I've got the defaults, with the 
addition of:

Gateway = <my server's hostname>
Group Name = <I don't know what goes here, but I have to put something>
User Password = <the PAM password for me as known by the server>
Group Password = Not Required
Username = <my username on the server>

I switch off the firewall on the server when I try to connect for now 
and this is what I receive when I follow the logs with `journalctl -fu 
ipsec`:

-- Logs begin at Thu 2014-08-07 06:24:21 BST. --
Aug 07 06:52:55 <my FQDN> pluto[11098]: listening for IKE messages
Aug 07 06:52:55 <my FQDN> pluto[11098]: adding interface tun0/tun0 
10.8.0.1:500
Aug 07 06:52:55 <my FQDN> pluto[11098]: adding interface eth0/eth0 
178.62.53.49:500
Aug 07 06:52:55 <my FQDN> pluto[11098]: adding interface lo/lo 127.0.0.1:500
Aug 07 06:52:55 <my FQDN> pluto[11098]: adding interface lo/lo ::1:500
Aug 07 06:52:55 <my FQDN> pluto[11098]: loading secrets from 
"/etc/ipsec.secrets"
Aug 07 06:52:55 <my FQDN> pluto[11098]: no secrets filename matched 
"/etc/ipsec.d/*.secrets"
Aug 07 06:52:55 <my FQDN> pluto[11098]: loaded private key for keyid: 
PPK_RSA:AwEAAb0fm
Aug 07 06:52:56 <my FQDN> pluto[11098]: loading certificate from LibreSwan
Aug 07 06:52:56 <my FQDN> pluto[11098]: added connection description 
"xauth-rsa"
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: 
received Vendor ID payload [Dead Peer Detection]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: 
ignoring received Vendor ID payload [RFC 3947] method=RFC 3947 
(NAT-Traversal), because port floating is off
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: 
ignoring Vendor ID payload [RFC 3947]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: 
ignoring received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] 
method=draft-ietf-ipsec-nat-t-ike-02/03, because port floating is off
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: 
ignoring received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
method=draft-ietf-ipsec-nat-t-ike-02/03, because port floating is off
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: 
ignoring received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] 
method=draft-ietf-ipsec-nat-t-ike-02/03, because port floating is off
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: 
received Vendor ID payload [XAUTH]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: 
received Vendor ID payload [FRAGMENTATION]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500: 
initial Aggressive Mode message from x.y.77.197 but no (wildcard) 
connection has been configured with policy=PSK+XAUTH+AGGRESSIVE

I've tried to set the server to aggressive with `aggrmode=yes` but it 
has no effect.

Am I correct in assuming that the PSK+XAUTH+AGGRESSIVE is what 
NetworkManager is trying to connect by?  In which case, am I wasting 
time trying to connect using X509 certs as per the website?

I've Googled until my eyes bleed, but can't find a guide on setting up 
LibreSwan to work with NetworkManager.

Any assistance would be greatly appreciated.

Regards,

Gareth
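Added example, not part of the original post or of the Red Hat guide it cites: the log line "no (wildcard) connection has been configured with policy=PSK+XAUTH+AGGRESSIVE" says what the NetworkManager client is actually proposing, namely IKEv1 Aggressive Mode with a pre-shared key plus XAUTH. A conn with authby=rsasig never matches that policy, however aggrmode is set, so the server needs a second conn whose policy is PSK+XAUTH+AGGRESSIVE. The fragment below is an illustrative server-side /etc/ipsec.conf for that case. Assumed values are the group name "nmgroup" (the client's "Group Name" field becomes the IKE ID "@nmgroup"), the server ID "@vpn.example", and the pool/DNS settings copied from the posted config; the "Group Password" entered in NetworkManager is the PSK and goes in /etc/ipsec.secrets, while the username and "User Password" are still checked by PAM through xauthby=pam. The nat_traversal=yes line is the one the posted config has commented out; it is an assumption here that this libreswan version still needs it to turn port floating on (the log shows NAT-T vendor IDs being ignored "because port floating is off").

```ini
# /etc/ipsec.conf (server side) -- added example, assumed values marked below
config setup
    # Enables NAT-T / port floating (UDP 4500) for road warriors behind NAT.
    # Assumption: this libreswan release still honours the option.
    nat_traversal=yes
    # RFC1918 ranges the client may sit behind; the address pool handed out
    # to clients (10.7.0.0/24) is excluded so it is not treated as "private".
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.7.0.0/24

# Matches NetworkManager's default proposal: PSK + XAUTH + Aggressive Mode.
conn xauth-psk
    authby=secret            # PSK instead of rsasig; this is what makes the policy match
    aggrmode=yes             # Aggressive Mode, as the client requests
    auto=add
    pfs=no
    rekey=no
    left=178.62.53.49
    leftid=@vpn.example      # ASSUMED server IKE ID
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=@nmgroup         # ASSUMED: must equal the client's "Group Name"
    rightaddresspool=10.7.0.2-10.7.0.10
    modecfgdns1=8.8.8.8
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=pam              # username / "User Password" are verified by PAM
    ike_frag=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

# /etc/ipsec.secrets (server side) -- the NetworkManager "Group Password"
# ASSUMED IDs; the PSK is shared by everyone who knows the group name
@vpn.example @nmgroup : PSK "replace-with-a-long-random-group-secret"
```

After `ipsec auto --add xauth-psk` (or a restart), `ipsec auto --status` lists each conn with its policy; the new one should show PSK+XAUTH+AGGRESSIVE, which is the string from the log. The security trade-off is that Aggressive Mode sends the identity in the clear and the PSK-based hash in the first exchange, so the group secret is exposed to offline guessing by anyone who can capture the handshake; it should be long and random, and per-user authentication still rests on the XAUTH/PAM step. The certificate-based xauth-rsa conn from the posted config can stay alongside this one for clients that can do certificates.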

