[Swan] Help configuring libreswan with XAUTH, NSS and remote clients (road warriors)

Enrico Brunetta enrico at bitproductions.com
Fri Sep 19 12:34:28 EEST 2014


Wolfgang,


On the mac I had to import the cert into my system keychain, and then I specifically chose the imported cert when configuring my VPN connection.
Don't really see any place to change permissions…


Here’s the log on the mac side:

Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: IPSec connecting to server vpn.bitproductions.com
Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: SCNC: start, triggered by (83299) SystemUIServer, type IPSec, status 0, trafficClass 0
Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: IPSec Phase1 starting.
Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: network changed.
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: accepted connection on vpn control socket.
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IPSec connecting to server 54.84.104.104
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: Connecting.
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IPSec Phase 1 started (Initiated by me).
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: >>>>> phase change status = Phase 1 started by us
Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: network changed.
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: >>>>> phase change status = Phase 1 started by peer
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: network changed.
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: error -25308 errSecInteractionNotAllowed.
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: failed to sign.
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: failed to get sign
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: failed to allocate send buffer
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IKE Packet: transmit failed. (Initiator, Main-Mode Message 5).
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: failed to process packet.
Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: Phase 1 negotiation failed.
Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: IPSec Controller: IKE FAILED. phase 3, assert 0
Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: IPSec disconnecting from server 54.84.104.104

On Sep 19, 2014, at 4:02 AM, Wolfgang Nothdurft <wolfgang at linogate.de> wrote:

> On 18.09.2014 15:25, Paul Wouters wrote:
>> On Thu, 18 Sep 2014, Enrico Brunetta wrote:
>> 
>>> Now it looks like the connection is found but it fails differently:
>>> 
>>> Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: Starting Pluto
>>> (Libreswan Version 3.10 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG
>>> XAUTH_PAM NETWORKMANAGER KLIPS_MAST CURL(non-NSS)) pid:2054
>> 
>>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from
>>> 70.117.100.63:500: received Vendor ID payload [XAUTH]
>>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from
>>> 70.117.100.63:500: received Vendor ID payload [Cisco-Unity]
>>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from
>>> 70.117.100.63:500: received Vendor ID payload [FRAGMENTATION 80000000]
>>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from
>>> 70.117.100.63:500: received Vendor ID payload [Dead Peer Detection]
>>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
>>> 70.117.100.63 #1: enabling possible NAT-traversal with method RFC 3947
>>> (NAT-Traversal)
>>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
>>> 70.117.100.63 #1: responding to Main Mode from unknown peer 70.117.100.63
>>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
>>> 70.117.100.63 #1: transition from state STATE_MAIN_R0 to state
>>> STATE_MAIN_R1
>>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
>>> 70.117.100.63 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
>>> 70.117.100.63 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal)
>>> sender port 500: I am behind NAT+peer behind NAT
>>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
>>> 70.117.100.63 #1: transition from state STATE_MAIN_R1 to state
>>> STATE_MAIN_R2
>>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1]
>>> 70.117.100.63 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>>> Sep 18 11:54:17 ip-172-31-48-104 pluto[2054]: ERROR: asynchronous
>>> network error report on eth0 (sport=500) for message to 70.117.100.63
>>> port 500, complainant 70.117.100.63: Connection refused [errno 111,
>>> origin ICMP type 3 code 3 (not authenticated)]
>> 
>> This looks like a fragmentation issue, or MTU/firewall issue. Try
>> ike-frag=force, as the cisco you are talking to seems to support
>> FRAGMENTATION. If that fails, you can try to lower the mtu of your
>> interface a little.
>> 
> 
> 
> This can also happen if the vpn service is not allowed to read the certificate. The vpn service will then stop listening on udp/500.
> 
> Can you check the permissions of the certificate in the keychain settings on your mac, or check the log on the mac side.
> 
> Wolfgang
> 
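The two logs in this thread describe the same failed Main Mode exchange from both ends: pluto reaches STATE_MAIN_R2 (sent MR2, expecting MI3) and then gets an ICMP port-unreachable, while racoon on the Mac receives message 4, fails to sign message 5 with error -25308 errSecInteractionNotAllowed, and gives up. The following is an added example, not code from the thread or from the libreswan project: a small triage script that scans both logs for the signatures quoted above, reports the suggested cause for each, and cross-checks that the client-side failure point and the responder-side state agree. The sample log excerpts, hostnames and addresses are constructed; the hints are the ones given in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample excerpts (hostnames and addresses are made up), modelled
# on the macOS racoon log and the libreswan pluto log quoted in the thread.
MAC_LOG = """\
Sep 19 04:24:13 client.local racoon[752]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Sep 19 04:24:13 client.local racoon[752]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Sep 19 04:24:13 client.local racoon[752]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Sep 19 04:24:13 client.local racoon[752]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Sep 19 04:24:13 client.local racoon[752]: error -25308 errSecInteractionNotAllowed.
Sep 19 04:24:13 client.local racoon[752]: failed to sign.
Sep 19 04:24:13 client.local racoon[752]: IKE Packet: transmit failed. (Initiator, Main-Mode Message 5).
Sep 19 04:24:13 client.local racoon[752]: Phase 1 negotiation failed.
"""

PLUTO_LOG = """\
Sep 18 11:54:07 gw pluto[2054]: "xauth-rsa"[1] 192.0.2.10 #1: responding to Main Mode from unknown peer 192.0.2.10
Sep 18 11:54:07 gw pluto[2054]: "xauth-rsa"[1] 192.0.2.10 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 18 11:54:07 gw pluto[2054]: "xauth-rsa"[1] 192.0.2.10 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 18 11:54:07 gw pluto[2054]: "xauth-rsa"[1] 192.0.2.10 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 18 11:54:07 gw pluto[2054]: "xauth-rsa"[1] 192.0.2.10 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 18 11:54:17 gw pluto[2054]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 192.0.2.10 port 500, complainant 192.0.2.10: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""


@dataclass
class Finding:
    side: str   # "client" (racoon) or "responder" (pluto)
    code: str   # short identifier for the signature, chosen for this example
    hint: str   # the cause suggested in the thread


# Signature table: (regex, side, code, hint). The hints are the two
# explanations offered in the thread, not an exhaustive list.
SIGNATURES = [
    (re.compile(r"errSecInteractionNotAllowed|failed to sign"), "client", "keychain-no-sign",
     "racoon could not sign with the client certificate's private key; check that the cert and key "
     "are in the System keychain and that the key's access control allows the VPN service to use it"),
    (re.compile(r"Connection refused \[errno 111, origin ICMP type 3 code 3"), "responder", "peer-port-unreachable",
     "peer answered UDP/500 with ICMP port unreachable after MR2: fragmentation or MTU (try ike-frag=force), "
     "a firewall, or the client stopped listening because it failed before sending MI3"),
]

RACOON_FAILED = re.compile(r"transmit failed\. \(Initiator, Main-Mode [Mm]essage (\d)\)")
PLUTO_STATE = re.compile(r"to state (STATE_MAIN_R\d)")


def racoon_failed_message(text):
    """Main Mode message number at which the racoon initiator failed to transmit, or None."""
    m = RACOON_FAILED.search(text)
    return int(m.group(1)) if m else None


def pluto_last_state(text):
    """Last STATE_MAIN_R* state the pluto responder transitioned into, or None."""
    states = PLUTO_STATE.findall(text)
    return states[-1] if states else None


def classify(text):
    """Return one Finding per known signature present in the log text."""
    return [Finding(side, code, hint) for rx, side, code, hint in SIGNATURES if rx.search(text)]


def correlate(client_log, responder_log):
    """True when both ends describe the same break: the initiator never sent
    message 5 (MI3) and the responder is still in STATE_MAIN_R2 waiting for MI3."""
    return racoon_failed_message(client_log) == 5 and pluto_last_state(responder_log) == "STATE_MAIN_R2"


if __name__ == "__main__":
    for name, log in (("client", MAC_LOG), ("responder", PLUTO_LOG)):
        for f in classify(log):
            print(f"[{f.side}] {f.code}: {f.hint}")
    print("client failed at MM message:", racoon_failed_message(MAC_LOG))
    print("responder last state:", pluto_last_state(PLUTO_LOG))
    print("both logs describe the same break:", correlate(MAC_LOG, PLUTO_LOG))
```

When `correlate` returns True, the "Connection refused" on the pluto side is a consequence rather than the root cause: the responder's retransmit of MR2 is being refused because the client already tore down its side after the signing failure, which is the keychain problem Wolfgang points at, not a fragmentation or MTU issue.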


