[Swan] Help configuring libreswan with XAUTH, NSS and remote clients (road warriors)
Paul Wouters
paul at nohats.ca
Wed Sep 17 03:48:21 EEST 2014
On Tue, 16 Sep 2014, Enrico Brunetta wrote:
> You say leftcert should be the vpn server cert and not my own cert, so I went ahead and created a cert for the server.
>
> Now is the server cert the one I need to export and then import on my Mac system keychain to then use on the Cisco VPN connection setting, or should that be my own cert (enrico) ?
No, you should import your enrico cert on the mac. Remember to both
import the p12 file and the cacert.pem separately - OSX/iOS is stupid
like that.
> Sep 17 00:17:01 ip-172-31-48-104 pluto[2266]: packet from 70.117.100.63:500: received Vendor ID payload [Dead Peer Detection]
> Sep 17 00:17:01 ip-172-31-48-104 pluto[2266]: packet from 70.117.100.63:500: initial Main Mode message received on 172.31.48.104:500 but no connection has been authorized with policy=RSASIG+XAUTH
>
> with this new ipsec.conf file:
> version 2.0
>
> config setup
> dumpdir=/var/run/pluto/
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.31.48.129/25
> oe=off
> protostack=netkey
> nhelpers=0
> interfaces=%defaultroute
>
> conn xauth-rsa
> connaddrfamily=ipv4
> auto=add
> authby=rsasig
> pfs=no
> rekey=no
> leftxauthserver=yes
> rightxauthclient=yes
> left=172.31.28.183
> leftcert=vpn.bitproductions.com
> leftid=vpn.bitproductions.com
You most likely mean leftid=@vpn.bitproductions.com
> leftsendcert=always
> # leftnexthop=%defaultroute
> leftsubnet=0.0.0.0/0
> right=%any
> rightid=%fromcert
> rightrsasigkey=%cert
> rightaddresspool=172.31.48.130-172.31.48.254
> forceencaps=yes
> xauthfail=soft
> xauthby=alwaysok
> ike_frag=yes
> dpddelay=30
> dpdtimeout=120
> dpdaction=clear
You are missing modecfgpull=yes. See
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH
Did your connection load? Run ipsec auto --add xauth-rsa
Did your certificates load? Run ipsec auto --listall and look for the
CAcert and the vpn.bitproductions.com cert.
Paul
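A small lint for the two points raised in this reply (missing modecfgpull=yes and a leftid without the leading @), written as an added example; it is not part of the mail or of libreswan. It assumes libreswan's ipsec.conf layout ("conn NAME" headers with key=value lines) and treats any conn with leftxauthserver=yes as a road-warrior XAUTH server conn; the sample config below is constructed from the poster's settings.

```python
"""Check an ipsec.conf for the two issues discussed in the thread."""
import re

# Constructed sample resembling the poster's conn (not the full file).
SAMPLE_CONF = """\
version 2.0

config setup
    protostack=netkey

conn xauth-rsa
    auto=add
    authby=rsasig
    leftxauthserver=yes
    rightxauthclient=yes
    left=172.31.28.183
    leftcert=vpn.bitproductions.com
    leftid=vpn.bitproductions.com
    rightaddresspool=172.31.48.130-172.31.48.254
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if m:                                     # section header
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def check_xauth_server(conn):
    """Warnings for an XAUTH server conn; an empty list means no findings."""
    warnings = []
    if conn.get("leftxauthserver") != "yes":
        return warnings                           # not an XAUTH server conn
    if conn.get("modecfgpull") != "yes":
        warnings.append("missing modecfgpull=yes")
    leftid = conn.get("leftid", "")
    # Assumption: a bare hostname (no '@', not a DN, not an IP) is a mistake.
    if leftid and "@" not in leftid and "=" not in leftid and not re.fullmatch(r"[\d.]+", leftid):
        warnings.append(f"leftid={leftid} looks like a hostname; probably meant leftid=@{leftid}")
    return warnings


def lint(text):
    """Map each conn name to its list of warnings."""
    return {name: check_xauth_server(c) for name, c in parse_conns(text).items()}
```

Running lint() on the sample reports both findings; adding modecfgpull=yes and the leading @ clears them.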