[Swan] Help configuring libreswan with XAUTH, NSS and remote clients (road warriors)

Enrico Brunetta enrico at bitproductions.com
Tue Sep 16 22:55:56 EEST 2014


Hello there,

I just successfully configured libreswan to use a PSK setup, but I’m having problems with the XAUTH and X509 certs setup. I’m trying to connect from OS X using Cisco VPN mode.

Here’s what my successful configuration looks like using L2TP over IPSEC and PSK:

/etc/ipsec.conf:

# Global libreswan settings (libreswan ipsec.conf syntax).
version 2.0

config setup
  dumpdir=/var/run/pluto/
  # NAT traversal enabled; conn vpnpsk below also forces UDP encapsulation (forceencaps=yes).
  nat_traversal=yes
  # Address ranges a road warrior may claim as its private net. The "!" entry
  # excludes the range xl2tpd hands out (see "local ip" / "ip range" in xl2tpd.conf).
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.31.48.129/25
  # Opportunistic encryption disabled.
  oe=off
  protostack=netkey
  # No separate crypto helper processes.
  nhelpers=0
  interfaces=%defaultroute

# L2TP/IPsec transport-mode conn for road warriors authenticating with a PSK.
# $PRIVATE_IP / $PUBLIC_IP are placeholders in the post, not ipsec.conf syntax.
conn vpnpsk
  connaddrfamily=ipv4
  # Loaded at startup but not initiated; clients connect in.
  auto=add
  left=$PRIVATE_IP
  leftid=$PUBLIC_IP
  leftsubnet=$PRIVATE_IP/32
  leftnexthop=%defaultroute
  # UDP/1701 = L2TP on this side; the peer may use any source port.
  leftprotoport=17/1701
  rightprotoport=17/%any
  right=%any
  rightsubnetwithin=0.0.0.0/0
  forceencaps=yes
  # Pre-shared key from /etc/ipsec.secrets (the secret itself is not shown in the post).
  authby=secret
  # NOTE(review): PFS off means no fresh DH exchange for the ESP keys. Often
  # kept off for client interoperability -- confirm it is intentional.
  pfs=no
  type=transport
  auth=esp
  # NOTE(review): 3des-sha1 is listed first; 3DES is a legacy cipher, consider
  # listing aes-sha1 first if the clients negotiate it.
  ike=3des-sha1,aes-sha1
  phase2alg=3des-sha1,aes-sha1
  rekey=no
  keyingtries=5
  # Dead peer detection: probe every 30 s, give up after 120 s, then clear the SA.
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear

this is what I have on my /etc/xl2tpd/xl2tpd.conf:

; xl2tpd listens on UDP 1701, the port conn vpnpsk's leftprotoport refers to.
[global]
port = 1701

;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes

; L2TP network server: client address pool, server-side address, and the PPP
; authentication policy (CHAP required, PAP refused).
[lns default]
ip range = 172.31.48.130-172.31.48.254
local ip = 172.31.48.129
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
;ppp debug = yes
; Per-session pppd options are read from this file.
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

this is my /etc/ppp/options.xl2tpd:
# pppd options applied to every xl2tpd session (pppoptfile in xl2tpd.conf).
ipcp-accept-local
ipcp-accept-remote
# DNS servers pushed to clients (Google public resolvers).
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
# Require the peer to authenticate (xl2tpd.conf additionally requires CHAP).
auth
crtscts
# Drop the link after 1800 s without traffic.
idle 1800
mtu 1280
mru 1280
lock
# LCP keepalive: an echo every 60 s; link declared dead after 10 unanswered.
lcp-echo-failure 10
lcp-echo-interval 60
connect-delay 5000


As I said with the configuration above, I’m able to connect to my VPN from my mac, using L2TP over IPSEC mode. All works great, and I can support multiple users.



Now, here are the steps I tried to use to configure the XAUTH/NSS setup:

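# init nss
# Create the NSS database libreswan reads its certs and keys from.
ipsec initnss

# create a root CA for VPN certs
# Self-signed (-x) CA stored in the /etc/ipsec.d NSS db, flagged as a trusted
# issuer (-t "C,C,C"), valid for 120 months. The original command passed both
# "-d ." and "-d /etc/ipsec.d"; only the latter is intended (every other
# command here uses it), so the stray "-d ." is dropped.
certutil -S -k rsa -n rootca \
  -s "CN=bitProductions VPN Certification Authority, O=bitProductions Inc., L=Austin, ST=TX, C=US" \
  -v 120 -t "C,C,C" -x -d /etc/ipsec.d

#create a cert for myself
# End-entity cert "enrico" issued by rootca (-c rootca) with a DNS SAN (-8) of
# vpn.bitproductions.com.
# NOTE(review): this one cert is named as the server's leftcert in ipsec.conf
# AND exported below for the Mac, so the server would present its user's cert.
# A dedicated server cert whose SAN matches leftid, plus one client cert per
# user, is the usual layout -- confirm which is intended.
certutil -S -k rsa -c rootca -n enrico \
  -s "CN=Enrico Brunetta (VPN), O=bitProductions Inc., L=Austin, ST=TX, C=US" \
  -v 120 -t "u,u,u" -8 vpn.bitproductions.com -d /etc/ipsec.d

#Export my cert (so I can use it on my mac)
# The PKCS#12 bundle contains the private key; pk12util asks for a password to
# protect it. Keep the .p12 off shared storage and delete it after import.
pk12util -o enrico.p12 -n enrico -d /etc/ipsec.d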


# add to /etc/ipsec.secrets:
 : RSA enrico
 @enrico : XAUTH "MyPassword"


this is what I think I should add to /etc/ipsec.conf, but I’m not sure, since it doesn’t seem to work.

# Road-warrior conn using RSA certificate authentication plus XAUTH (server side).
conn xauth-rsa
  connaddrfamily=ipv4
  auto=add
  # Certificate auth; the issuing CA must be in the NSS db at /etc/ipsec.d.
  authby=rsasig
  pfs=no
  rekey=no
  # This end is the XAUTH server, the peer the XAUTH client.
  leftxauthserver=yes
  rightxauthclient=yes
  left=172.31.28.183
  # NOTE(review): "enrico" is the end-user cert created with certutil and
  # exported to the Mac, so the server would present its own user's cert.
  # A dedicated server cert whose SAN matches leftid, plus one client cert per
  # user, is the usual layout -- confirm.
  leftcert=enrico
  # Must match a name in leftcert (that cert was issued with -8 vpn.bitproductions.com).
  leftid=vpn.bitproductions.com
  leftsendcert=always
  leftnexthop=%defaultroute
  leftsubnet=172.31.28.183/32
  # NOTE(review): 17/1701 and type=transport are the L2TP settings copied from
  # conn vpnpsk; for the OS X "Cisco" (IPsec/XAUTH) mode mentioned in the post
  # they probably do not apply -- confirm against the client mode in use.
  leftprotoport=17/1701
  rightprotoport=17/%any
  right=%any
  # Peer identity is taken from its certificate and %cert accepts any cert that
  # chains to a CA trusted in the NSS db -- presumably this is what lets one conn
  # serve every user whose cert rootca signed; verify in the libreswan docs.
  rightid=%fromcert
  rightrsasigkey=%cert
  rightsubnetwithin=0.0.0.0/0
  forceencaps=yes
  type=transport
  # NOTE(review): alwaysok accepts any XAUTH username/password, so the XAUTH
  # line in ipsec.secrets does not gate access here. Acceptable while debugging
  # the certificate setup; switch to a real backend (e.g. xauthby=file) before use.
  xauthby=alwaysok
  # IKE fragmentation: certificate payloads can exceed the path MTU.
  ike_frag=yes
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear


I’m not really sure which cert I should use in leftcert — whether it should be my own cert (enrico). If so, since it is my intention to support multiple road warriors, I’m not sure whether I need a separate section in the config for each user, or whether there’s a way to trust any cert signed by the root CA…

Any help would be greatly appreciated…

Enrico.



