[Swan] Help configuring libreswan with XAUTH, NSS and remote clients (road warriors)

Paul Wouters paul at nohats.ca
Tue Sep 16 23:06:45 EEST 2014


On Tue, 16 Sep 2014, Enrico Brunetta wrote:

> I just successfully configured libreswan to use a PSK setup, but I’m having problems with the XAUTH and X509 certs setup. I’m trying to connect from OS X using Cisco VPN mode.

> # add to /etc/ipsec.secrets:
> : RSA enrico
> @enrico : XAUTH "MyPassword"

That entry is only used for clients, not servers. For servers you need
to decide how to authenticate. See man ipsec.conf for xauthby=

If you want to use file based xauth passwords, you can use:

touch /etc/ipsec.d/passwd
chmod 600 /etc/ipsec.d/passwd
htpasswd -d /etc/ipsec.d/passwd enrico

> this is what I think I should add to /etc/ipsec.conf, but I’m not sure since it doesn’t seem to work.

I'm assuming you were describing the server side ipsec.conf (since you
mention iphone/osx clients):

> conn xauth-rsa
>  connaddrfamily=ipv4
>  auto=add
>  authby=rsasig
>  pfs=no
>  rekey=no
>  leftxauthserver=yes
>  rightxauthclient=yes
>  left=172.31.28.183
>  leftcert=enrico

That leftcert should be the vpn server cert, not the client cert.

>  leftid=vpn.bitproductions.com
>  leftsendcert=always
>  leftnexthop=%defaultroute

You should be able to leave out the leftnexthop.

>  leftsubnet=172.31.28.183/32

That should be 0.0.0.0/0

>  leftprotoport=17/1701
>  rightprotoport=17/%any

Remove these two. This is not L2TP anymore.

>  right=%any
>  rightid=%fromcert
>  rightrsasigkey=%cert
>  rightsubnetwithin=0.0.0.0/0

You need rightaddresspool=172.31.48.130-172.31.48.254 instead of
rightsubnetwithin.

>  forceencaps=yes

Should not be needed unless your server is behind NAT in AWS. Looks
like it might be though since it uses 172.31 IPs.

>  type=transport

Remove, this is not L2TP anymore.

>  xauthby=alwaysok

Or see above for file passwords. But if you have unique certificates,
and you think that's enough, then you can use alwaysok.

>  ike_frag=yes
>  dpddelay=30
>  dpdtimeout=120
>  dpdaction=clear
>
> I’m not really sure which cert I should use in leftcert: if I should use my cert (enrico). If so, it is my intention to support multiple road warriors, so I’m not sure if I should have a separate section in the config for each user or if there’s a way to trust any cert signed by the root CA…

You need to create a certificate for the vpn server just like you
generate certs for endusers. Be aware you should put the DNS name in the
subjectAltname= field for OSX/iOS to be happy.

Paul
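Putting the corrections from this reply together, the server-side conn for the XAUTH + X.509 road-warrior setup ends up looking like the block below. This is an added example assembled from the advice in the thread, not a configuration posted by either participant. The NSS certificate nickname `vpnserver` is a placeholder for whatever the server certificate was imported as; `xauthby=file` is the libreswan setting that goes with the /etc/ipsec.d/passwd file created above, and `rightca=%same` (not mentioned in the thread) is the libreswan option that answers the "trust any cert signed by the root CA" question by accepting any client certificate issued by the same CA as the server certificate, so one conn serves every road warrior.

```ini
conn xauth-rsa
    # IKEv1 XAUTH with RSA/X.509 authentication; the server is "left".
    auto=add
    authby=rsasig
    pfs=no
    rekey=no
    ike_frag=yes
    leftxauthserver=yes
    rightxauthclient=yes
    left=172.31.28.183
    # FQDN-style ID; it must match the DNS name placed in the server
    # certificate's subjectAltName, which OS X/iOS check.
    leftid=@vpn.bitproductions.com
    # Nickname of the VPN SERVER certificate in the NSS database
    # (placeholder value), not the client's "enrico" certificate.
    leftcert=vpnserver
    leftsendcert=always
    # Road warriors route everything through the tunnel.
    leftsubnet=0.0.0.0/0
    # leftnexthop, leftprotoport/rightprotoport and type=transport from the
    # original L2TP-style conn are dropped: this is a plain tunnel-mode conn.
    right=%any
    rightid=%fromcert
    rightrsasigkey=%cert
    # Accept any client certificate issued by the server certificate's CA
    # (assumption: single CA for server and clients).
    rightca=%same
    # Clients get virtual addresses from this pool instead of rightsubnetwithin.
    rightaddresspool=172.31.48.130-172.31.48.254
    # Passwords checked against /etc/ipsec.d/passwd (htpasswd -d);
    # use alwaysok instead if unique client certificates are considered enough.
    xauthby=file
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # Enable only if the server really sits behind NAT (as on AWS 172.31.x):
    # forceencaps=yes
```

After editing, `ipsec verify` and `ipsec auto --add xauth-rsa` (then a look at the log) are the quickest way to confirm the conn parses and the server certificate nickname resolves in NSS.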
