[Swan] LibreSwan with NetworkManager
Gareth Williams
gareth at garethwilliams.me.uk
Sun Aug 10 00:25:58 EEST 2014
On 07/08/14 17:14, Paul Wouters wrote:
>> Am I correct in assuming that the PSK+XAUTH+AGGRESSIVE is what
>> NetworkManager is trying to connect by? In which case, am I wasting
>> time trying to connect using X509 certs as per the website?
>
> Probably :(
>
On the back of that, I've dumped the idea of using X509 and have tried
to configure LibreSwan to use PSK and XAUTH in aggressive mode (I
believe there are security risks here, but I'm only testing this out and
it seems to be the only option NetworkManager gives me).
I've configured the server as follows:
config setup
    protostack=netkey
    interfaces=eth0
    virtual_private=%v4:10.7.0.0/24,%v4:192.168.0.0/8
    nat_traversal=yes

conn <server FQDN>
    authby=secret
    pfs=no
    auto=add
    rekey=no
    aggrmode=yes
    left=<server IP>
    rightaddresspool=10.7.0.5-10.7.0.10
    right=%any
    rightnexthop=%defaultroute
    modecfgdns1=8.8.8.8
    ike=3des-sha1,aes-sha1,aes
    phase2alg=3des-sha1,aes-sha1,aes
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    xauthby=alwaysok
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
And the NetworkManager client has defaults, with the exception of:
Gateway: <FQDN of LibreSwan server>
Group Password: <shared key>
Username: <my username, although using xauthby=alwaysok for testing>
Phase 1 Algorithm: 3des-sha1,aes-sha1,aes
Phase 2 Algorithm: 3des-sha1,aes-sha1,aes
When I attempt to connect, I get what I believe is a good set of logs on
the server up to:
Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] <Roadwarrior public IP> #7: STATE_MODE_CFG_R2: ModeCfg R2
Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] <Roadwarrior public IP> #7: Dead Peer Detection (RFC 3706): enabled
Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] <Roadwarrior public IP> #7: the peer proposed: <Server IP>/32:0/0 -> 10.7.0.6/32:0/0
Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] <Roadwarrior public IP> #8: responding to Quick Mode proposal {msgid:0e51ee33}
Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] <Roadwarrior public IP> #8: us: <Server IP><<Server IP>>[MS+XS+S=C]
Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] <Roadwarrior public IP> #8: them: <Roadwarrior public IP>[@<server FQDN>xx,+MC+XC+S=C]===10.7.0.6/32
Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] <Roadwarrior public IP> #8: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] <Roadwarrior public IP> #8: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
at which point, it hangs. A while later it complains of no response and
dies.
On the roadwarrior's logs, I get:
Aug 09 22:10:28 localhost.localdomain pluto[4386]: "nm-conn1" #1: Received IP address 10.7.0.6/32
Aug 09 22:10:28 localhost.localdomain pluto[4386]: "nm-conn1" #1: setting ip source address to 10.7.0.6/32
Aug 09 22:10:28 localhost.localdomain pluto[4386]: "nm-conn1" #1: transition from state STATE_XAUTH_I1 to state STATE_MAIN_I4
Aug 09 22:10:28 localhost.localdomain pluto[4386]: "nm-conn1" #1: STATE_MAIN_I4: ISAKMP SA established
Aug 09 22:10:28 localhost.localdomain pluto[4386]: "nm-conn1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+IKE_FRAG {using isakmp#1 msgid:0e51ee33 proposal=3DES(3)_192-SHA1(2)_160, AES(12)_256-SHA1(2)_160, AES(12)_256-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 09 22:10:28 localhost.localdomain pluto[4386]: "nm-conn1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 09 22:10:28 localhost.localdomain pluto[4386]: "nm-conn1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x39542f44 <0x92d97947 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none XAUTHuser=gareth}
Aug 09 22:10:31 localhost.localdomain pluto[4386]: "nm-conn1" #2: ERROR: asynchronous network error report on wlp8s0 (sport=500) for message to <server IP> port 500, complainant 192.168.0.6: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Which, even with my meagre skills, I can see is a routing problem.
A constant ping on the LibreSwan server fails as soon as I attempt to
connect and restarts as soon as the connection fails.
If I display my roadwarrior's routing table when this is happening, I get:
Kernel IP routing table
Destination     Gateway         Genmask          Flags  Metric  Ref  Use  Iface
default         192.168.0.1     0.0.0.0          UG     1024    0    0    wlp8s0
<Server FQDN>   0.0.0.0         255.255.255.255  UH     0       0    0    wlp8s0
192.168.0.0     0.0.0.0         255.255.255.0    U      0       0    0    wlp8s0
The <Server FQDN> entry wasn't there before I tried to connect and
disappears as soon as Network Manager gives up on the connection.
My question is - what configuration option puts this extra line in the
roadwarrior's routing table? And how do I get rid of it?
Thanks in advance for your help,
Gareth
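As an added diagnostic, not from the post or from LibreSwan, the Python below checks a `route -n` listing for the pattern in the table above: a link-scope host route (flags UH, gateway 0.0.0.0) whose target is not inside any directly connected subnet. The kernel then tries neighbour resolution for that target on the interface instead of forwarding to the default gateway, and when the target is not actually on-link the send fails with EHOSTUNREACH (errno 113, "No route to host"). The sample table is constructed; 203.0.113.10 stands in for the server address the post redacts.

```python
import ipaddress

# Constructed sample in `route -n` layout, mirroring the table in the post.
# 203.0.113.10 is a placeholder for the LibreSwan server (<Server FQDN> in the post).
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    1024   0        0 wlp8s0
203.0.113.10    0.0.0.0         255.255.255.255 UH    0      0        0 wlp8s0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wlp8s0
"""

def parse_route_n(text):
    """Return (network, gateway, flags, iface) tuples from `route -n` output."""
    routes = []
    for line in text.splitlines()[2:]:          # skip title and header rows
        fields = line.split()
        if len(fields) < 8:
            continue
        dest, gw, mask, flags, iface = fields[0], fields[1], fields[2], fields[3], fields[7]
        if dest == "default":                    # plain `route` prints this instead of 0.0.0.0
            dest = "0.0.0.0"
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, gw, flags, iface))
    return routes

def off_link_host_routes(text):
    """List (target, iface) for UH routes with gateway 0.0.0.0 that point off-link.

    'Connected' subnets are the gateway-less, non-host routes (flag U, prefix < 32).
    A /32 with gateway 0.0.0.0 whose target lies outside all of them is the case that
    produces ARP on the LAN for a remote host, hence EHOSTUNREACH for the IKE packets.
    """
    routes = parse_route_n(text)
    connected = [net for net, gw, flags, _ in routes
                 if gw == "0.0.0.0" and "H" not in flags and net.prefixlen < 32]
    suspicious = []
    for net, gw, flags, iface in routes:
        if "H" in flags and gw == "0.0.0.0":
            target = net.network_address
            if not any(target in c for c in connected):
                suspicious.append((str(target), iface))
    return suspicious

if __name__ == "__main__":
    for target, iface in off_link_host_routes(SAMPLE_ROUTE_N):
        print(f"off-link host route to {target} on {iface}: traffic to it will not reach the default gateway")
```

On the affected machine, run `route -n | python3 this_script.py` style checks by feeding the live table into `off_link_host_routes`, and compare the output before and after NetworkManager starts the connection.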