[Swan] LibreSwan with NetworkManager

Nick Howitt nick at howitts.co.uk
Thu Aug 7 10:26:23 EEST 2014


It does rather look like NetworkManager is trying to use a PSK, but the 
other thing is if you use aggressive mode (which it looks like you are 
receiving) you must specify ike and phase2alg as they are not negotiated.

Nick

On 2014-08-07 06:57, Gareth Williams wrote:
> I've been trying to get LibreSwan (on a CentOS 7 server) to work with
> NetworkManager (on Fedora 20 as a road-warrior) for the last week or
> so and have failed.
> 
> `/etc/ipsec.conf` on the left/server side is:
> 
> config setup
> 
> #    virtual_private=%v4:10.7.0.0/24,%v4:192.168.0.0/8
> #    nat_traversal=yes
> 
> conn xauth-rsa
> #    aggrmode=yes
>     authby=rsasig
>     auto=add
>     pfs=no
>     rekey=no
>     left=178.62.53.49
>     leftcert=LibreSwan
>     leftid=%fromcert
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     rightaddresspool=10.7.0.2-10.7.0.10
>     right=%any
>     rightrsasigkey=%cert
>     modecfgdns1=8.8.8.8
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     xauthby=pam
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>     ike_frag=yes
> 
> which I got from:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html
> (para 4.7.8)
> 
> On NetworkManager's openSwan config, I've got the defaults, with the
> addition of:
> 
> Gateway = <my server's hostname>
> Group Name = <I don't know what goes here, but I have to put something>
> User Password = <the PAM password for me as known by the server>
> Group Password = Not Required
> Username = <my username on the server>
> 
> I switch off the firewall on the server when I try to connect for now
> and this is what I receive when I follow the logs with `journalctl -fu
> ipsec`:
> 
> -- Logs begin at Thu 2014-08-07 06:24:21 BST. --
> Aug 07 06:52:55 <my FQDN> pluto[11098]: listening for IKE messages
> Aug 07 06:52:55 <my FQDN> pluto[11098]: adding interface tun0/tun0 
> 10.8.0.1:500
> Aug 07 06:52:55 <my FQDN> pluto[11098]: adding interface eth0/eth0
> 178.62.53.49:500
> Aug 07 06:52:55 <my FQDN> pluto[11098]: adding interface lo/lo 
> 127.0.0.1:500
> Aug 07 06:52:55 <my FQDN> pluto[11098]: adding interface lo/lo ::1:500
> Aug 07 06:52:55 <my FQDN> pluto[11098]: loading secrets from
> "/etc/ipsec.secrets"
> Aug 07 06:52:55 <my FQDN> pluto[11098]: no secrets filename matched
> "/etc/ipsec.d/*.secrets"
> Aug 07 06:52:55 <my FQDN> pluto[11098]: loaded private key for keyid:
> PPK_RSA:AwEAAb0fm
> Aug 07 06:52:56 <my FQDN> pluto[11098]: loading certificate from 
> LibreSwan
> Aug 07 06:52:56 <my FQDN> pluto[11098]: added connection description 
> "xauth-rsa"
> Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
> received Vendor ID payload [Dead Peer Detection]
> Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
> ignoring received Vendor ID payload [RFC 3947] method=RFC 3947
> (NAT-Traversal), because port floating is off
> Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
> ignoring Vendor ID payload [RFC 3947]
> Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
> ignoring received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> method=draft-ietf-ipsec-nat-t-ike-02/03, because port floating is off
> Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
> ignoring received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> method=draft-ietf-ipsec-nat-t-ike-02/03, because port floating is off
> Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
> ignoring received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> method=draft-ietf-ipsec-nat-t-ike-02/03, because port floating is off
> Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
> received Vendor ID payload [XAUTH]
> Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
> received Vendor ID payload [FRAGMENTATION]
> Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
> initial Aggressive Mode message from x.y.77.197 but no (wildcard)
> connection has been configured with policy=PSK+XAUTH+AGGRESSIVE
> 
> I've tried to set the server to aggressive with `aggrmode=yes` but it
> has no effect.
> 
> Am I correct in assuming that the PSK+XAUTH+AGGRESSIVE is what
> NetworkManager is trying to connect by?  In which case, am I wasting
> time trying to connect using X509 certs as per the website?
> 
> I've Googled until my eyes bleed, but can't find a guide on setting up
> LibreSwan to work with NetworkManager.
> 
> Any assistance would be greatly appreciated.
> 
> Regards,
> 
> Gareth
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
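For reference, the following is a server-side `ipsec.conf` for the policy the quoted log line says the client is proposing (PSK+XAUTH+AGGRESSIVE), written to match Nick's point that aggressive mode needs `ike` and `phase2alg` stated explicitly. It is an added illustration, not configuration from the thread or from the Red Hat guide: the group name `mygroup`, the server ID, the address pool and the algorithm choices are placeholders, and the algorithms must be whatever the NetworkManager client is configured to send.

```ini
# Added example (not from the thread): an IKEv1 aggressive-mode PSK+XAUTH
# conn for road-warrior clients such as NetworkManager's openswan plugin.
# "mygroup", "vpnserver.example", the pool and the algorithms are placeholders.

config setup
    # The quoted log says "port floating is off"; NAT traversal is needed
    # for road warriors behind NAT, so it is enabled here rather than commented out.
    nat_traversal=yes

conn xauth-psk
    ikev2=no
    aggrmode=yes
    # PSK instead of rsasig: the client is proposing PSK+XAUTH+AGGRESSIVE
    authby=secret
    # Aggressive mode does not negotiate proposals, so both phases are
    # pinned explicitly and must match the client side exactly.
    ike=aes256-sha1;modp1024
    phase2alg=aes256-sha1
    left=178.62.53.49
    leftid=@vpnserver.example              # placeholder server ID
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=@mygroup                       # what the client sends as "Group Name"
    rightaddresspool=10.7.0.2-10.7.0.10
    modecfgdns1=8.8.8.8
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=pam
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ike_frag=yes
    auto=add
```

The group secret goes in `/etc/ipsec.secrets` keyed on the same ID, e.g. `@mygroup : PSK "long-random-group-secret"` (placeholder value), and the client's "Group Name" and "Group Password" fields carry that ID and secret while "Username"/"User Password" are checked by PAM via `xauthby=pam`. In aggressive mode with a PSK, a hash derived from the group secret is exchanged before the peer is authenticated, so the group secret should be long and random, and the existing certificate-based `xauth-rsa` conn can stay defined alongside for clients that can use it.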