[Swan] LibreSwan with NetworkManger

Paul Wouters paul at nohats.ca
Sun Aug 17 04:12:01 EEST 2014 

On Sat, 9 Aug 2014, Gareth Williams wrote:

> conn <server FQDN>
>    authby=secret
>    pfs=no
>    auto=add
>    rekey=no
>    aggrmode=yes
>    left=<server IP>
>    rightaddresspool=10.7.0.5-10.7.0.10
>    right=%any
>    rightnexthop=%defaultroute

Can you try leaving out rightnexthop. Older libreswan versions did not
always handle that right.

>    modecfgdns1=8.8.8.8
>    ike=3des-sha1,aes-sha1,aes
>    phase2alg=3des-sha1,aes-sha1,aes

If using aggressive mode, only specify one ike and one phase2alg.

> When I attempt to connect, I get what I believe is a good set of logs on the 
> server up to:

> Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] <Roadwarrior 
> public IP> #8: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, 
> expecting QI2
>
> at which point, it hangs.

Looks like the last packet response to that got lost.

> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x39542f44 
> <0x92d97947 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none 
> XAUTHuser=gareth}
> Aug 09 22:10:31 localhost.localdomain pluto[4386]: "nm-conn1" #2: ERROR: 
> asynchronous network error report on wlp8s0 (sport=500) for message to 
> <server IP> port 500, complainant 192.168.0.6: No route to host [errno 113, 
> origin ICMP type 3 code 1 (not authenticated)]

It tried to send it and failed?

> Which even with my meagre skills, can see is a routing problem.
>
> A constant ping on the LibreSwan server fails as soon as I attempt to connect 
> and restarts as soon as the connection fails.
>
> If I display my roadwarrior's routing table when this is happening, I get:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref Use Iface
> default         192.168.0.1     0.0.0.0         UG    1024 0        0 wlp8s0
> <Server FQDN>  0.0.0.0         255.255.255.255 UH    0 0        0 wlp8s0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0 0        0 wlp8s0
>
> The <Server FQDN> entry wasn't there before I tried to connect and disappears 
> as soon as Network Manager gives up on the connection.
>
> My question is - what configuration option puts this extra line in the 
> roadwarrior's routing table?  And how do I get rid of it?

I don't know but it does look like the updown script is doing that?

Paul

More information about the Swan mailing list