[Swan] Help configuring libreswan with XAUTH, NSS and remote clients (road warriors)
Enrico Brunetta
enrico at bitproductions.com
Tue Sep 16 22:55:56 EEST 2014
Hello there,
I just successfully configured libreswan to use a PSK setup, but I’m having problems with the XAUTH and X509 certs setup. I’m trying to connect from OS X using Cisco VPN mode.
Here’s what my successful configuration looks like using L2TP over IPSEC and PSK:
/etc/ipsec.conf:
version 2.0

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.31.48.129/25
    oe=off
    protostack=netkey
    nhelpers=0
    interfaces=%defaultroute

conn vpnpsk
    connaddrfamily=ipv4
    auto=add
    left=$PRIVATE_IP
    leftid=$PUBLIC_IP
    leftsubnet=$PRIVATE_IP/32
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    rightprotoport=17/%any
    right=%any
    rightsubnetwithin=0.0.0.0/0
    forceencaps=yes
    authby=secret
    pfs=no
    type=transport
    auth=esp
    ike=3des-sha1,aes-sha1
    phase2alg=3des-sha1,aes-sha1
    rekey=no
    keyingtries=5
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
This is what I have in my /etc/xl2tpd/xl2tpd.conf:
[global]
port = 1701
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes
[lns default]
ip range = 172.31.48.130-172.31.48.254
local ip = 172.31.48.129
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
This is my /etc/ppp/options.xl2tpd:
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
auth
crtscts
idle 1800
mtu 1280
mru 1280
lock
lcp-echo-failure 10
lcp-echo-interval 60
connect-delay 5000
As I said with the configuration above, I’m able to connect to my VPN from my mac, using L2TP over IPSEC mode. All works great, and I can support multiple users.
Now, here are the steps I tried to use to configure the XAUTH/NSS setup:
# init nss
ipsec initnss
# create a root CA for VPN certs
certutil -S -k rsa -n rootca -s "CN=bitProductions VPN Certification Authority, O=bitProductions Inc., L=Austin, ST=TX, C=US" -v 120 -t "C,C,C" -x -d /etc/ipsec.d
#create a cert for myself
certutil -S -k rsa -c rootca -n enrico -s "CN=Enrico Brunetta (VPN), O=bitProductions Inc., L=Austin, ST=TX, C=US" -v 120 -t "u,u,u" -8 vpn.bitproductions.com -d /etc/ipsec.d
#Export my cert (so I can use it on my mac)
pk12util -o enrico.p12 -n enrico -d /etc/ipsec.d
# add to /etc/ipsec.secrets:
: RSA enrico
@enrico : XAUTH "MyPassword"
This is what I think I should add to /etc/ipsec.conf, but I'm not sure, since it doesn't seem to work.
conn xauth-rsa
    connaddrfamily=ipv4
    auto=add
    authby=rsasig
    pfs=no
    rekey=no
    leftxauthserver=yes
    rightxauthclient=yes
    left=172.31.28.183
    leftcert=enrico
    leftid=vpn.bitproductions.com
    leftsendcert=always
    leftnexthop=%defaultroute
    leftsubnet=172.31.28.183/32
    leftprotoport=17/1701
    rightprotoport=17/%any
    right=%any
    rightid=%fromcert
    rightrsasigkey=%cert
    rightsubnetwithin=0.0.0.0/0
    forceencaps=yes
    type=transport
    xauthby=alwaysok
    ike_frag=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
I'm not really sure which cert I should use in leftcert: whether I should use my own cert (enrico). If so, since it is my intention to support multiple road warriors, I'm not sure whether I should have a separate section in the config for each user or whether there's a way to trust any cert signed by the root CA...
Any help would be greatly appreciated…
Enrico.
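An added example (not from the post above or from the libreswan project): a small parser for the libreswan ipsec.conf format that enforces the file's indentation rule (parameters belong to a section only when they are indented under its "config setup" or "conn NAME" header) and then lints each conn for the settings in the post that weaken a road-warrior setup: xauthby=alwaysok, which libreswan documents as a testing-only password check that always succeeds, pfs=no, and 3DES in the proposal lists. The sample configuration and the "vpn-server" certificate nickname are constructed placeholders.

```python
"""Parse a libreswan-style ipsec.conf and flag weak road-warrior settings.

Added example; not code from the mailing list post or from libreswan.
SAMPLE below is a constructed configuration that mirrors the settings
discussed in the post, with placeholder names.
"""
from typing import Dict, List

Section = Dict[str, str]
Config = Dict[str, Section]   # "config setup" / "conn NAME" -> parameters


def parse_ipsec_conf(text: str) -> Config:
    """Split ipsec.conf text into sections.

    libreswan's format: an unindented 'config setup' or 'conn NAME' line opens
    a section, and every parameter of that section is an indented key=value
    line.  An unindented key=value line is rejected here, because libreswan
    would not attach it to the preceding section (a frequent paste mistake).
    """
    sections: Config = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()          # drop comments, trailing space
        if not line.strip():
            continue
        if line[0] not in " \t":                      # unindented: header or directive
            parts = line.split(None, 1)
            kind, name = parts[0], (parts[1].strip() if len(parts) > 1 else "")
            if kind in ("config", "conn") and name:
                current = f"{kind} {name}"
                sections.setdefault(current, {})
            elif "=" in line:
                raise ValueError(f"line {lineno}: {line.strip()!r} is not indented, "
                                 "so it would not belong to any section")
            else:
                current = None                        # e.g. 'version 2.0', 'include ...'
            continue
        if current is None:
            raise ValueError(f"line {lineno}: parameter outside any section")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value")
        sections[current][key.strip()] = value.strip()
    return sections


def parses_cleanly(text: str) -> bool:
    """True when the text follows the section/indentation rules."""
    try:
        parse_ipsec_conf(text)
        return True
    except ValueError:
        return False


def lint_conn(name: str, p: Section) -> List[str]:
    """Return findings for one conn section."""
    findings: List[str] = []
    if p.get("xauthby") == "alwaysok":
        findings.append(f"{name}: xauthby=alwaysok accepts any XAUTH password "
                        "(documented as a testing-only check)")
    if p.get("pfs", "yes") == "no":                   # libreswan defaults pfs to yes
        findings.append(f"{name}: pfs=no disables perfect forward secrecy")
    for key in ("ike", "phase2alg", "esp"):
        if "3des" in p.get(key, "").lower():
            findings.append(f"{name}: {key}={p[key]} still offers 3DES")
    if p.get("authby") == "rsasig" and "leftcert" not in p:
        findings.append(f"{name}: authby=rsasig but no leftcert to present")
    return findings


def lint(cfg: Config) -> List[str]:
    """Lint every conn section of a parsed configuration."""
    out: List[str] = []
    for name, params in cfg.items():
        if name.startswith("conn "):
            out.extend(lint_conn(name, params))
    return out


# Constructed sample: a road-warrior conn with the post's weak settings.
SAMPLE = """\
version 2.0

config setup
    protostack=netkey
    nat_traversal=yes

conn xauth-rsa
    authby=rsasig
    pfs=no
    leftxauthserver=yes
    rightxauthclient=yes
    leftcert=vpn-server          # placeholder NSS nickname
    ike=3des-sha1,aes-sha1
    xauthby=alwaysok             # same setting as in the post
    right=%any
"""

# Constructed sample with its parameter pasted flush-left (rejected).
FLUSH_LEFT = "conn broken\nauthby=rsasig\n"

if __name__ == "__main__":
    for finding in lint(parse_ipsec_conf(SAMPLE)):
        print(finding)
    print("flush-left sample parses:", parses_cleanly(FLUSH_LEFT))
```

Run against SAMPLE the linter reports the alwaysok, pfs and 3DES findings for conn xauth-rsa, and the flush-left sample is rejected at parse time instead of silently producing an empty conn.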