[Swan] LibreSwan with NetworkManager

Gareth Williams gareth at garethwilliams.me.uk
Sun Aug 10 00:25:58 EEST 2014


On 07/08/14 17:14, Paul Wouters wrote:

>> Am I correct in assuming that the PSK+XAUTH+AGGRESSIVE is what 
>> NetworkManager is trying to connect by?  In which case, am I wasting 
>> time trying to connect using X509 certs as per the website?
>
> Probably :(
>
On the back of that, I've dumped the idea of using X509 and have tried 
to configure LibreSwan to use PSK and XAUTH in aggressive mode (I 
believe there are security risks here, but I'm only testing this out and 
it seems to be the only option NetworkManager gives me).

I've configured the server as follows:

config setup
      protostack=netkey
      interfaces=eth0
      virtual_private=%v4:10.7.0.0/24,%v4:192.168.0.0/8
      nat_traversal=yes

conn <server FQDN>
     authby=secret
     pfs=no
     auto=add
     rekey=no
     aggrmode=yes
     left=<server IP>
     rightaddresspool=10.7.0.5-10.7.0.10
     right=%any
     rightnexthop=%defaultroute
     modecfgdns1=8.8.8.8
     ike=3des-sha1,aes-sha1,aes
     phase2alg=3des-sha1,aes-sha1,aes
     leftxauthserver=yes
     rightxauthclient=yes
     leftmodecfgserver=yes
     rightmodecfgclient=yes
     xauthby=alwaysok
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear

And the NetworkManager client has defaults, with the exception of:

Gateway: <FQDN of LibreSwan server>
Group Password: <shared key>
Username: <my username, although using xauthby=alwaysok for testing>
Phase 1 Algorithm: 3des-sha1,aes-sha1,aes
Phase 2 Algorithm: 3des-sha1,aes-sha1,aes

When I attempt to connect, I get what I believe is a good set of logs on 
the server up to:

Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] 
<Roadwarrior public IP> #7: STATE_MODE_CFG_R2: ModeCfg R2
Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] 
<Roadwarrior public IP> #7: Dead Peer Detection (RFC 3706): enabled
Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] 
<Roadwarrior public IP> #7: the peer proposed: <Server IP>/32:0/0 -> 
10.7.0.6/32:0/0
Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] 
<Roadwarrior public IP> #8: responding to Quick Mode proposal 
{msgid:0e51ee33}
Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] 
<Roadwarrior public IP> #8:     us: <Server IP><<Server IP>>[MS+XS+S=C]
Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] 
<Roadwarrior public IP> #8:   them: <Roadwarrior public IP>[@<server 
FQDN>xx,+MC+XC+S=C]===10.7.0.6/32
Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] 
<Roadwarrior public IP> #8: transition from state STATE_QUICK_R0 to 
state STATE_QUICK_R1
Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] 
<Roadwarrior public IP> #8: STATE_QUICK_R1: sent QR1, inbound IPsec SA 
installed, expecting QI2

at which point, it hangs.  A while later it complains of no response and 
dies.

On the roadwarrior's logs, I get:

Aug 09 22:10:28 localhost.localdomain pluto[4386]: "nm-conn1" #1: 
Received IP address 10.7.0.6/32
Aug 09 22:10:28 localhost.localdomain pluto[4386]: "nm-conn1" #1: 
setting ip source address to 10.7.0.6/32
Aug 09 22:10:28 localhost.localdomain pluto[4386]: "nm-conn1" #1: 
transition from state STATE_XAUTH_I1 to state STATE_MAIN_I4
Aug 09 22:10:28 localhost.localdomain pluto[4386]: "nm-conn1" #1: 
STATE_MAIN_I4: ISAKMP SA established
Aug 09 22:10:28 localhost.localdomain pluto[4386]: "nm-conn1" #2: 
initiating Quick Mode 
PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+IKE_FRAG {using 
isakmp#1 msgid:0e51ee33 proposal=3DES(3)_192-SHA1(2)_160, 
AES(12)_256-SHA1(2)_160, AES(12)_256-MD5(1)_128 
pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 09 22:10:28 localhost.localdomain pluto[4386]: "nm-conn1" #2: 
transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 09 22:10:28 localhost.localdomain pluto[4386]: "nm-conn1" #2: 
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 
{ESP=>0x39542f44 <0x92d97947 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none 
DPD=none XAUTHuser=gareth}
Aug 09 22:10:31 localhost.localdomain pluto[4386]: "nm-conn1" #2: ERROR: 
asynchronous network error report on wlp8s0 (sport=500) for message to 
<server IP> port 500, complainant 192.168.0.6: No route to host [errno 
113, origin ICMP type 3 code 1 (not authenticated)]

Which, even with my meagre skills, I can see is a routing problem.

A constant ping on the LibreSwan server fails as soon as I attempt to 
connect and restarts as soon as the connection fails.

If I display my roadwarrior's routing table when this is happening, I get:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
default         192.168.0.1     0.0.0.0         UG    1024 0        0 wlp8s0
<Server FQDN>  0.0.0.0         255.255.255.255 UH    0 0        0 wlp8s0
192.168.0.0     0.0.0.0         255.255.255.0   U     0 0        0 wlp8s0

The <Server FQDN> entry wasn't there before I tried to connect and 
disappears as soon as Network Manager gives up on the connection.

My question is - what configuration option puts this extra line in the 
roadwarrior's routing table?  And how do I get rid of it?

Thanks in advance for your help,

Gareth
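The routing table above is the most telling part of the post: the temporary host route for the server has a gateway of 0.0.0.0 (flags UH, no G), so the kernel treats the server's public address as directly attached to wlp8s0 and tries to resolve it on the LAN instead of forwarding it to 192.168.0.1. That is consistent with the "No route to host" error the roadwarrior's pluto reports. Below is an added diagnostic example (not code from the thread or from libreswan) that parses `route -n` output, does the kernel's longest-prefix lookup, and flags /32 routes with no gateway whose destination is not inside any connected subnet. The server address 203.0.113.10 and the second, corrected table are constructed placeholders for the `<Server FQDN>` entry; everything else is the posted table.

```python
import ipaddress
from typing import Dict, List, Optional

# Placeholder for the server's public IP (RFC 5737 TEST-NET-3); the post
# only shows <Server FQDN>.
SERVER_IP = "203.0.113.10"

# Constructed sample: the roadwarrior's table as posted, with the placeholder
# substituted for <Server FQDN>. The /32 host route has no gateway (UH).
SAMPLE_ROUTE_N = f"""Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
default         192.168.0.1     0.0.0.0         UG    1024 0        0 wlp8s0
{SERVER_IP}    0.0.0.0         255.255.255.255 UH    0 0        0 wlp8s0
192.168.0.0     0.0.0.0         255.255.255.0   U     0 0        0 wlp8s0
"""

# Constructed sample of what a usable host route looks like: the same /32,
# but forwarded via the LAN gateway (UGH).
SAMPLE_ROUTE_N_FIXED = f"""Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
default         192.168.0.1     0.0.0.0         UG    1024 0        0 wlp8s0
{SERVER_IP}    192.168.0.1     255.255.255.255 UGH   0 0        0 wlp8s0
192.168.0.0     0.0.0.0         255.255.255.0   U     0 0        0 wlp8s0
"""


def parse_route_n(text: str) -> List[Dict]:
    """Parse `route -n` style output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the two header lines and anything that is not a full row.
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, flags, _metric, _ref, _use, iface = parts[:8]
        if dest == "default":
            dest = "0.0.0.0"
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append({
            "network": network,
            # 0.0.0.0 in the Gateway column means "on-link, no next hop".
            "gateway": None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw),
            "flags": flags,
            "iface": iface,
        })
    return routes


def lookup(routes: List[Dict], dst: str) -> Optional[Dict]:
    """Longest-prefix match, as the kernel's FIB lookup does."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: r["network"].prefixlen)


def connected_subnets(routes: List[Dict]) -> List[ipaddress.IPv4Network]:
    """Subnets reachable without a next hop (gateway 0.0.0.0, prefix < /32)."""
    return [r["network"] for r in routes
            if r["gateway"] is None and r["network"].prefixlen < 32]


def unreachable_onlink_hosts(routes: List[Dict]) -> List[str]:
    """Return /32 routes that have no gateway but whose destination is not in
    any directly connected subnet. The kernel will ARP for such a host on the
    interface; when nothing answers, sends fail with EHOSTUNREACH, which is
    exactly the "No route to host" seen in the roadwarrior's log."""
    subnets = connected_subnets(routes)
    suspicious = []
    for r in routes:
        if r["network"].prefixlen == 32 and r["gateway"] is None:
            host = r["network"].network_address
            if not any(host in s for s in subnets):
                suspicious.append(str(host))
    return suspicious


if __name__ == "__main__":
    for label, table in (("posted", SAMPLE_ROUTE_N), ("fixed", SAMPLE_ROUTE_N_FIXED)):
        routes = parse_route_n(table)
        chosen = lookup(routes, SERVER_IP)
        print(f"{label}: route used for {SERVER_IP} -> {chosen['network']} "
              f"via {chosen['gateway'] or 'on-link'} dev {chosen['iface']}")
        print(f"{label}: suspicious on-link hosts = {unreachable_onlink_hosts(routes)}")
```

Running it against the posted table selects the /32 (it beats the default route on prefix length) and reports the server address as an on-link host with no connected subnet behind it; the corrected table, where the same /32 points at 192.168.0.1, is reported clean. The same check can be run on a live box by feeding it the output of `route -n` while the connection attempt is in progress.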
