[Swan] For Google Summer of Code 2017 aspiring students

Paul Wouters paul at nohats.ca
Sun Mar 12 22:04:11 UTC 2017


Hi students,

I thought it would be a good idea to give students the opportunity to
configure libreswan to run against a known working VPN server (also
libreswan).

It will also allow me to test a recent munin statistics plugin, so you
will actually be helping me by trying to configure your libreswan client
against my server.

The server is vpn.nohats.ca. It uses IKEv2 with certificates as
documented at:

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

You will need a PKCS#12 certificate to connect to this server. You can
find out how to import this certificate into libreswan at:

https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan

Just email me (offlist) to ask for a certificate and I'll email one back.
The certificate can also be used on iOS/OSX and Windows, and on Android
when using the strongswan ipsec client. If you are using iOS/OSX, I can
also give you a .mobileconfig file.

My recommendation is to configure libreswan on a linux machine, so
that it works for the connection to vpn.nohats.ca. If you enable
plutodebug=all in /etc/ipsec.conf, you will get a huge amount of
debugging information that gives you an idea of what is involved in
starting a tunnel. It is okay if your ipsec client is behind NAT. You
can also play with tcpdump to see what this actually looks like.

Another option you can use to gain some experience is to configure
Opportunistic IPsec using LetsEncrypt. See:

https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec_using_LetsEncrypt

For all IPsec connections, you can use "ipsec whack --trafficstatus" to
see if it is working as expected. Or you can run "ipsec status" to get
a developer's view of the libreswan IKE daemon pluto's internal states.

Over the next couple of days, I will also file a number of small bugs
that might be good small exercises to get familiar with the code.

If you have any questions, please ask on the list so that answers can be
shared with all students. Or check the #swan irc channel on FreeNode.

Paul
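As an added example (not part of Paul's message and not libreswan project code), here is a small shell script that ties the steps above together: it renders an IKEv2 certificate-client conn stanza for vpn.nohats.ca, wraps the PKCS#12 import and tunnel start-up in a function that only runs when you explicitly ask for it (it needs root and an installed libreswan), and parses "ipsec whack --trafficstatus" output to decide whether the tunnel is actually passing traffic. The NSS certificate nickname ("mycert"), the use of rightid=%fromcert for the server, and the sample trafficstatus line are assumptions; the sample output is constructed, not captured from vpn.nohats.ca.

```shell
#!/bin/sh
# Added example, not from the original post or from libreswan itself.
# Assumptions: the client cert is imported into NSS under a nickname you
# pass in (the example uses "mycert"), the server identity is taken from
# its certificate (rightid=%fromcert), and SAMPLE_TRAFFICSTATUS below is a
# constructed line in the shape of "ipsec whack --trafficstatus" output.

CONN_NAME="vpn-nohats"

# Render an /etc/ipsec.d/<conn>.conf stanza for a certificate-authenticated
# IKEv2 road-warrior client. $1 is the NSS nickname of the imported cert.
render_conn_stanza() {
    nick="$1"
    cat <<EOF
conn ${CONN_NAME}
    ikev2=insist
    left=%defaultroute
    leftid=%fromcert
    leftcert=${nick}
    leftrsasigkey=%cert
    leftsubnet=0.0.0.0/0
    leftmodecfgclient=yes
    right=vpn.nohats.ca
    rightid=%fromcert
    rightrsasigkey=%cert
    rightsubnet=0.0.0.0/0
    rightca=%same
    narrowing=yes
    auto=add
EOF
}

# Import the PKCS#12 file into the libreswan NSS database, install the conn
# and bring the tunnel up. Only runs when invoked as: connect <file.p12> <nick>
connect_vpn() {
    p12="$1"
    nick="$2"
    ipsec import "$p12"                     # wraps pk12util for /etc/ipsec.d
    render_conn_stanza "$nick" > "/etc/ipsec.d/${CONN_NAME}.conf"
    ipsec auto --add "$CONN_NAME"
    ipsec auto --up "$CONN_NAME"
    ipsec whack --trafficstatus
}

# Constructed sample of one trafficstatus line (whack prefixes them with 006).
SAMPLE_TRAFFICSTATUS="006 #2: \"vpn-nohats\", type=ESP, add_time=1489359540, inBytes=1234, outBytes=5678, id='CN=vpn.nohats.ca'"

# Print the ESP SA line for conn $1 from trafficstatus text $2, or nothing.
sa_line() {
    printf '%s\n' "$2" | grep -F "\"$1\", type=ESP"
}

# Succeed only when conn $1 has an established ESP SA in text $2.
tunnel_is_up() {
    sa_line "$1" "$2" > /dev/null
}

# Print the inBytes or outBytes ($2) counter for conn $1 from text $3.
traffic_bytes() {
    sa_line "$1" "$3" | sed -n "s/.*$2=\([0-9]*\).*/\1/p"
}

if [ "${1:-}" = "connect" ]; then
    connect_vpn "$2" "$3"
else
    # Offline demonstration: show the stanza and evaluate the sample output.
    render_conn_stanza "mycert"
    if tunnel_is_up "$CONN_NAME" "$SAMPLE_TRAFFICSTATUS"; then
        echo "sample: $CONN_NAME is up, inBytes=$(traffic_bytes "$CONN_NAME" inBytes "$SAMPLE_TRAFFICSTATUS")"
    fi
fi
```

Run it with no arguments to see the rendered stanza and the parsed sample; as root on a libreswan host, `sh vpn-client.sh connect client.p12 mycert` performs the real import and start-up. While the tunnel comes up, `tcpdump -n -i <iface> 'udp port 500 or udp port 4500 or esp'` shows the IKE_SA_INIT/IKE_AUTH exchanges and, behind NAT, the UDP-encapsulated ESP that follows; a conn that shows up in "ipsec status" but never in trafficstatus has negotiated nothing yet.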

