[Swan] Help configuring libreswan with XAUTH, NSS and remote clients (road warriors)

Enrico Brunetta enrico at bitproductions.com
Fri Sep 19 15:15:48 EEST 2014


Wolfgang,
thanks for the screenshots. I’m starting to think I might have exported my cert the wrong way!

In your screenshots the private key is part of the cert, but when I imported my p12 cert, I ended up with the private key separate like this:



I had created my cert this way:

certutil -S -k rsa -c rootca -n enrico -s "CN=Enrico Brunetta (VPN), O=bitProductions Inc., L=Austin, ST=TX, C=US" -v 120 -t "u,u,u" -8 vpn.bitproductions.com -d /etc/ipsec.d

and then exported this way:

pk12util -o enrico.p12 -n enrico -d /etc/ipsec.d

Maybe I didn’t export it correctly?



On Sep 19, 2014, at 5:09 AM, Wolfgang Nothdurft <wolfgang at linogate.de> wrote:

> Am 19.09.2014 11:34, schrieb Enrico Brunetta:
>> Wolfgang,
>> 
>> 
>> On the mac I had to import the cert into my system keychain, and then I specifically chose the imported cert when configuring my VPN connection.
>> Don’t really see any place to change permissions…
>> 
> 
> I don't have a mac here, but as far as I know, you can double-click the certificate in the keychain access utility and set access permissions for different programs.
> 
> It should look like these screenshots from our wiki.
> We have only a German version, sorry.
> http://www.linogate.de/de/support/categories/ipsec/mac_keychain-01.png
> http://www.linogate.de/de/support/categories/ipsec/mac_keychain-02.png
> 
>> 
>> Here’s the log on the mac side:
>> 
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: IPSec connecting to server vpn.bitproductions.com
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: SCNC: start, triggered by (83299) SystemUIServer, type IPSec, status 0, trafficClass 0
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: IPSec Phase1 starting.
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: network changed.
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: accepted connection on vpn control socket.
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IPSec connecting to server 54.84.104.104
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: Connecting.
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IPSec Phase 1 started (Initiated by me).
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: >>>>> phase change status = Phase 1 started by us
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: network changed.
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: >>>>> phase change status = Phase 1 started by peer
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: network changed.
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: error -25308 errSecInteractionNotAllowed.
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: failed to sign.
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: failed to get sign
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: failed to allocate send buffer
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IKE Packet: transmit failed. (Initiator, Main-Mode Message 5).
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: failed to process packet.
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: Phase 1 negotiation failed.
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: IPSec Controller: IKE FAILED. phase 3, assert 0
>> Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: IPSec disconnecting from server 54.84.104.104
>> 
> 
> From https://developer.apple.com/library/ios/documentation/Security/Reference/keychainservices/index.html#//apple_ref/c/econst/errSecInteractionNotAllowed
> 
> Value: –25308
> Description: Interaction with the Security Server is not allowed.
> 
> Wolfgang
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2014-09-19 at 7.12.14 AM.png
Type: image/png
Size: 9102 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20140919/1502f067/attachment-0001.png>
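As an added example (not code from this thread, from libreswan or from racoon), a small Python triage script that reads Mac-side racoon log lines like the ones quoted above and reports where IKEv1 Main Mode stalled and what the errSec code points to. The sample lines are constructed to mirror the quoted log; the hint table and stage labels are my own assumptions.

```python
import re

# Constructed sample mirroring the Mac-side racoon log quoted in this thread.
SAMPLE_LOG = """\
Sep 19 04:24:13 mac racoon[752]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Sep 19 04:24:13 mac racoon[752]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Sep 19 04:24:13 mac racoon[752]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Sep 19 04:24:13 mac racoon[752]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Sep 19 04:24:13 mac racoon[752]: error -25308 errSecInteractionNotAllowed.
Sep 19 04:24:13 mac racoon[752]: failed to sign.
Sep 19 04:24:13 mac racoon[752]: IKE Packet: transmit failed. (Initiator, Main-Mode Message 5).
Sep 19 04:24:13 mac racoon[752]: Phase 1 negotiation failed.
"""

PKT_RE = re.compile(r"IKE Packet: (transmit|receive) (success|failed)\. "
                    r"\(\w+, (Main-Mode|Aggressive-Mode|Quick-Mode) message (\d+)\)", re.I)
ERR_RE = re.compile(r"error (-?\d+) (errSec\w+)")

# Keychain result codes racoon surfaces when it tries to use the client cert's
# private key (values as defined in Apple's Security framework headers).
ERRSEC_HINTS = {
    -25308: "private key exists but racoon may not use it without a UI prompt "
            "(grant racoon access to the key in Keychain Access)",
    -25300: "certificate or private key not found in the keychain",
}

# IKEv1 Main Mode: messages 1-4 negotiate the SA and key exchange; messages 5
# and 6 carry identities and the authenticator (an RSA signature in cert mode).
def stage(mode, n):
    if mode.lower() == "main-mode":
        return "SA/KE exchange (msgs 1-4)" if int(n) <= 4 else "ID/AUTH exchange (msgs 5-6)"
    return mode

def diagnose(log_text):
    """Return where an IKEv1 client negotiation stalled and the likely cause."""
    result = {"last_ok": None, "failed_at": None, "errsec": None, "hint": None}
    for line in log_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            _direction, status, mode, n = m.groups()
            if status.lower() == "success":
                result["last_ok"] = (mode, int(n))
            else:
                result["failed_at"] = (mode, int(n), stage(mode, n))
        e = ERR_RE.search(line)
        if e:
            code, name = int(e.group(1)), e.group(2)
            result["errsec"] = (code, name)
            result["hint"] = ERRSEC_HINTS.get(code, "unknown Security framework error")
        # A signing failure right after an errSec code is a local key-access
        # problem on the client, not a server-side or network one.
        if "failed to sign" in line and result["hint"] and not result["hint"].startswith("client"):
            result["hint"] = "client could not sign IKE message 5: " + result["hint"]
    return result

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Messages 1 to 4 succeeding shows the server was reachable and the proposals were accepted, so the error is confined to the client's keychain access to its private key.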

