[Swan] Help configuring libreswan with XAUTH, NSS and remote clients (road warriors)
Paul Wouters
paul at nohats.ca
Tue Sep 16 23:06:45 EEST 2014
On Tue, 16 Sep 2014, Enrico Brunetta wrote:
> I just successfully configured libreswan to use a PSK setup, but I’m having problems with the XAUTH and X509 certs setup. I’m trying to connect from OS X using Cisco VPN mode.
> # add to /etc/ipsec.secrets:
> : RSA enrico
> @enrico : XAUTH "MyPassword"
That entry is only used for clients, not servers. For servers you need
to decide how to authenticate. See man ipsec.conf for xauthby=
If you want to use file based xauth passwords, you can use:
touch /etc/ipsec.d/passwd
chmod 600 /etc/ipsec.d/passwd
htpasswd -d /etc/ipsec.d/passwd enrico
> this is what I think I should add to /etc/ipsec.conf, but I’m not sure since it doesn’t seem to work.
I'm assuming you were describing the server side ipsec.conf (since you
mention iphone/osx clients):
> conn xauth-rsa
> connaddrfamily=ipv4
> auto=add
> authby=rsasig
> pfs=no
> rekey=no
> leftxauthserver=yes
> rightxauthclient=yes
> left=172.31.28.183
> leftcert=enrico
That leftcert should be the vpn server cert, not the client cert.
> leftid=vpn.bitproductions.com
> leftsendcert=always
> leftnexthop=%defaultroute
should be able to leave out the leftnexthop.
> leftsubnet=172.31.28.183/32
That should be 0.0.0.0/0
> leftprotoport=17/1701
> rightprotoport=17/%any
Remove these two. This is not L2TP anymore.
> right=%any
> rightid=%fromcert
> rightrsasigkey=%cert
> rightsubnetwithin=0.0.0.0/0
You need rightaddresspool=172.31.48.130-172.31.48.254 instead of
rightsubnetwithin.
> forceencaps=yes
Should not be needed unless your server is behind NAT in AWS. Looks
like it might be though since it uses 172.31 IPs.
> type=transport
Remove, this is not L2TP anymore.
> xauthby=alwaysok
Or see above for file passwords. But if you have unique certificates,
and you think that's enough, then you can use alwaysok.
> ike_frag=yes
> dpddelay=30
> dpdtimeout=120
> dpdaction=clear
>
> I’m not really sure which cert I should use in leftcert: if I should use my cert (enrico). If so, it is my intention to support multiple road warriors, so I’m not sure if I should have a separate section in the config for each user or if there’s a way to trust any cert signed by the root CA…
You need to create a certificate for the vpn server just like you
generate certs for endusers. Be aware you should put the DNS name in the
subjectAltname= field for OSX/iOS to be happy.
Paul
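For reference, the conn block below collects the corrections from the reply above into one server-side road-warrior configuration. It is an added example, not from the original thread; the NSS certificate nickname `vpnserver` is a placeholder assumption and must be replaced with the nickname of the server certificate actually imported into the NSS database.

```ini
# Added example (not from the thread): server-side libreswan conn for
# IKEv1 XAUTH + RSA certificate road warriors, with the reply's fixes applied.
# Assumption: the VPN server certificate sits in NSS under the placeholder
# nickname "vpnserver"; the client certs are signed by the same CA.
conn xauth-rsa
    connaddrfamily=ipv4
    auto=add
    authby=rsasig
    pfs=no
    rekey=no
    # this side is the XAUTH server, the road warriors are XAUTH clients
    leftxauthserver=yes
    rightxauthclient=yes
    left=172.31.28.183
    # the VPN server's own certificate, not a client certificate
    leftcert=vpnserver
    # must match a subjectAltName (DNS) entry in that certificate for OS X/iOS
    leftid=vpn.bitproductions.com
    leftsendcert=always
    # leftnexthop=%defaultroute left out: not needed
    # 0.0.0.0/0 instead of /32 so client traffic is tunnelled via the server
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%fromcert
    rightrsasigkey=%cert
    # address pool handed to clients; replaces rightsubnetwithin=0.0.0.0/0
    rightaddresspool=172.31.48.130-172.31.48.254
    # only keep this if the server itself is behind NAT (e.g. AWS 172.31.x)
    forceencaps=yes
    # leftprotoport=17/1701, rightprotoport=17/%any and type=transport are
    # dropped: those belong to an L2TP setup, not XAUTH
    # xauthby=file checks the htpasswd -d file /etc/ipsec.d/passwd;
    # xauthby=alwaysok would accept any password once the cert is valid
    xauthby=file
    ike_frag=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
```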