[Swan] Help configuring libreswan with XAUTH, NSS and remote clients (road warriors)

Enrico Brunetta enrico at bitproductions.com
Wed Sep 17 04:35:06 EEST 2014


On Sep 16, 2014, at 7:48 PM, Paul Wouters <paul at nohats.ca> wrote:

Hmmm, still no go...


> On Tue, 16 Sep 2014, Enrico Brunetta wrote:
> 
>> You say leftcert should be the vpn server cert and not my own cert, so I went ahead and created a cert for the server.
>> 
>> Now is the server cert the one I need to export and then import on my Mac system keychain to then use on the Cisco VPN connection setting, or should that be my own cert (enrico) ?
> 
> No you should import your enrico cert on the mac. Remember to both
> import the p12 file and the cacert.pem separately - OSX/iOS is stupid
> like that.
> 

OK, I imported both separately:



VPN connection is using it:



>> 
>> leftid=vpn.bitproductions.com
> 
> you most likely mean leftid=@vpn.bitproductions.com
> 

Yes, fixed this.

> 
> You are missing modecfgpull=yes. See
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH
> 
OK, added modecfgpull=yes


/etc/ipsec.secrets:
: RSA enrico


> Did your connection load? run ipsec auto --add xauth-rsa
002 "xauth-rsa": deleting connection
002 added connection description "xauth-rsa"


> Did your certificates load? run ipsec auto --listall and look for the
> CAcert and the vpn.bitproductions.com cert.

root at ip-172-31-48-104:~# ipsec auto --listall
000  
000 List of RSA Public Keys:
000  
000 Sep 17 01:24:23 2014, 1024 RSA Key AwEAAdS9l (no private key), until Sep 16 22:04:08 2024 ok
000        ID_FQDN '@vpn.bitproductions.com'
000        Issuer 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'
000 Sep 17 01:24:23 2014, 1024 RSA Key AwEAAdS9l (no private key), until Sep 16 22:04:08 2024 ok
000        ID_DER_ASN1_DN 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=VPN Server'
000        Issuer 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000     1: RSA (none) (none)
000  
000 List of X.509 End Certificates:
000 Sep 17 01:24:23 2014, count: 1
000        subject: 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=VPN Server'
000        issuer:  'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'
000        serial:   00:a0:66:bd:bf
000        pubkey:   1024 RSA Key AwEAAdS9l
000        validity: not before Sep 16 22:04:08 2014 ok
000                  not after  Sep 16 22:04:08 2024 ok
000  
000 List of X.509 CA Certificates:
000 Sep 17 01:17:27 2014, count: 1
000        subject: 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'
000        issuer:  'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'
000        serial:   00:a0:66:bd:a5
000        pubkey:   1024 RSA Key AwEAAco/Y
000        validity: not before Sep 16 22:03:58 2014 ok
000                  not after  Sep 16 22:03:58 2024 ok
000  
000 List of X.509 CRLs:


/etc/ipsec.conf is now:
version 2.0

config setup
  dumpdir=/var/run/pluto/
  nat_traversal=yes
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.31.48.129/25
  oe=off
  protostack=netkey
  nhelpers=0
  interfaces=%defaultroute

conn xauth-rsa
  connaddrfamily=ipv4
  auto=add
  authby=rsasig
  pfs=no
  rekey=no
  leftxauthserver=yes
  rightxauthclient=yes
  modecfgpull=yes
  left=172.31.28.183
  leftcert=vpn.bitproductions.com
  leftid=@vpn.bitproductions.com
  leftsendcert=always
#  leftnexthop=%defaultroute
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%fromcert
  rightrsasigkey=%cert
  rightaddresspool=172.31.48.130-172.31.48.254
  forceencaps=yes
  #xauthfail=soft
  #xauthby=alwaysok
  xauthby=file
  ike_frag=yes
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear

Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: secrets file: /etc/ipsec.secrets
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: leak-detective disabled
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: SAref support [disabled]: Protocol not available
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: SAbind support [disabled]: Protocol not available
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: NSS crypto [enabled]
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: XAUTH PAM support [enabled]
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]:    NAT-Traversal support  [enabled]
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok (ret=0)
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: no crypto helpers will be started; all cryptographic operations will be done inline
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: Using Linux XFRM/NETKEY IPsec interface code on 3.13.0-29-generic
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: Warning: failed to register algo_aes_ccm_8 for IKE
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating aes_ccm_12: Ok (ret=0)
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: Warning: failed to register algo_aes_ccm_12 for IKE
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating aes_ccm_16: Ok (ret=0)
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: Warning: failed to register algo_aes_ccm_16 for IKE
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating aes_gcm_8: Ok (ret=0)
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: Warning: failed to register algo_aes_gcm_8 for IKE
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating aes_gcm_12: Ok (ret=0)
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: Warning: failed to register algo_aes_gcm_12 for IKE
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating aes_gcm_16: Ok (ret=0)
Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: Warning: failed to register algo_aes_gcm_16 for IKE
Sep 17 01:17:28 ip-172-31-48-104 pluto[5416]: added connection description "xauth-rsa"
Sep 17 01:17:28 ip-172-31-48-104 pluto[5416]: listening for IKE messages
Sep 17 01:17:28 ip-172-31-48-104 pluto[5416]: adding interface eth0/eth0 172.31.48.104:500
Sep 17 01:17:28 ip-172-31-48-104 pluto[5416]: adding interface eth0/eth0 172.31.48.104:4500
Sep 17 01:17:28 ip-172-31-48-104 pluto[5416]: adding interface lo/lo 127.0.0.1:500
Sep 17 01:17:28 ip-172-31-48-104 pluto[5416]: adding interface lo/lo 127.0.0.1:4500
Sep 17 01:17:28 ip-172-31-48-104 pluto[5416]: loading secrets from "/etc/ipsec.secrets"
Sep 17 01:17:28 ip-172-31-48-104 pluto[5416]: loaded private key for keyid: PPK_RSA:AwEAAbjhb
Sep 17 01:24:23 ip-172-31-48-104 pluto[5416]: "xauth-rsa": deleting connection
Sep 17 01:24:23 ip-172-31-48-104 pluto[5416]: added connection description "xauth-rsa"
Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: received Vendor ID payload [RFC 3947]
Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08]
Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07]
Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06]
Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05]
Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04]
Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: received Vendor ID payload [XAUTH]
Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: received Vendor ID payload [Cisco-Unity]
Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: received Vendor ID payload [FRAGMENTATION 80000000]
Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: received Vendor ID payload [Dead Peer Detection]
Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: initial Main Mode message received on 172.31.48.104:500 but no connection has been authorized with policy=RSASIG+XAUTH


Thanks again for any additional help...I promise to write a nice how-to when all of this is in place to help newbies like me.

Enrico.
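As an added example (not code from the thread or from libreswan), a small Python checker that parses the ipsec.conf conn section format shown above and flags the two things Paul pointed out, a bare leftid without the leading "@" and a missing modecfgpull=yes, along with the XAUTH server/client flags, authby=rsasig and leftcert. The sample configuration is constructed from the posted conn section with those fixes applied.

```python
"""Check a libreswan ipsec.conf conn section for the XAUTH road-warrior
settings discussed above (added example, not libreswan's own code)."""
import re

# Constructed sample: the posted conn section with Paul's two fixes applied.
SAMPLE_CONF = """\
version 2.0

conn xauth-rsa
  authby=rsasig
  leftxauthserver=yes
  rightxauthclient=yes
  modecfgpull=yes
  leftcert=vpn.bitproductions.com
  leftid=@vpn.bitproductions.com
#  leftnexthop=%defaultroute
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}: headers ('conn NAME', 'config setup')
    start in column 0, settings are indented key=value, '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.startswith("version"):
            continue
        if not line[0].isspace():
            current = re.sub(r"^conn\s+", "", line.strip())  # 'conn X' -> 'X'
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_xauth_conn(conn):
    """Return the problems found; an empty list means the checklist passed."""
    problems = []
    for key, want in (("authby", "rsasig"), ("leftxauthserver", "yes"),
                      ("rightxauthclient", "yes"), ("modecfgpull", "yes")):
        if conn.get(key) != want:
            problems.append(f"{key} should be {want}, got {conn.get(key)!r}")
    if "leftcert" not in conn:
        problems.append("leftcert (server certificate nickname) is missing")
    leftid = conn.get("leftid", "")
    # A bare hostname gets DNS-resolved; '@name', '%fromcert', a DN or an IP do not.
    if leftid and not (leftid[0] in "@%" or "=" in leftid
                       or re.fullmatch(r"\d+(\.\d+){3}", leftid)):
        problems.append(f"leftid={leftid} is a bare hostname; use @{leftid}")
    return problems
```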