[Swan] newb confusion

Paul Wouters paul at nohats.ca
Sun Mar 12 22:12:24 UTC 2017


On Sun, 12 Mar 2017, Brendan Kearney wrote:

> I am looking to set up IPsec and have read a lot about what I am trying to do, 
> but still come up short.  Ultimately, I would like to have site-to-site 
> tunnels along with road warrior tunnels.  I am not sure if this config will 
> run on a single libreswan instance, but have not found anything indicating it 
> will not work.  Can this be confirmed as something that will work?

Yes, that can work together. Just add different conn sections, and use
different IDs to make your life easiest.

> I have an Android device (running 4.4.2 KitKat), and libreswan 3.13.1 on 
> Fedora 20 (soon to be updated), and cannot get a road warrior config working.

Note that Android's native IPsec support uses racoon, which only supports
IKEv1 and not IKEv2. Note also that Android kernels all use a broken
version of SHA2_256 for IPsec.

It would be good if you could upgrade libreswan to 3.19. Since Fedora
contains up-to-date libreswan packages, simply updating your Fedora machine
should get you a new enough libreswan.

> I have NAT-T set up, and there do not seem to be any issues with getting the 
> traffic to the IPsec instance.  It seems that I cannot get tunnel parameters 
> agreed upon, and phase 1 never completes.  With the below in "android.conf", 
> I attempt to connect from my Android device
>
> conn android
>    #ikev2=insist
>    left=0.0.0.0
>    leftprotoport=17/%any
>    right=192.168.184.1
>    rightprotoport=17/1701
>    authby=secret
>    pfs=no
>    # use auto=start when done testing the tunnel
>    auto=add

To get android to connect, you need to give it an IP address. Either you
need to use IKEv1 XAUTH with addresspool= or you need to use L2TP/IPsec
where the l2tp/ppp layer will hand out an IP address.

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_PSK

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_with_L2TP

If you are using only one client, you can get away with hardcoding the
one IP address you want to hand out as a subnet/32.

> In my logs, I see the below entries:
>
> "android"[10] 192.168.24.133 #10: transition from state STATE_IKEv2_START to 
> state STATE_PARENT_R1
> "android"[10] 192.168.24.133 #10: STATE_PARENT_R1: received v2I1, sent v2R1 
> {auth=IKEv2 cipher=aes_256 integ=sha1_96 prf=sha group=MODP1024}
> "android"[10] 192.168.24.133 #10: new NAT mapping for #10, was 
> 192.168.24.133:500, now 192.168.24.133:60500
> "android"[10] 192.168.24.133 #10: new NAT mapping for #10, was 
> 192.168.24.133:60500, now 192.168.24.133:64500
> "android"[10] 192.168.24.133 #10: IKEv2 mode peer ID is ID_USER_FQDN: 
> 'brendan at bpk2.com' | CHILD SA proposals received |

I'm a little confused, as I am seeing IKEv2 and not IKEv1. Are you using
the strongswan client on android? In that case, you want to look at:

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

Paul
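As an added illustration of the IKEv1 XAUTH-with-PSK layout Paul points to (this is example configuration, not Paul's text or the libreswan wiki page): a server-side conn that hands a single road-warrior client a fixed address through a one-address pool, with constructed addresses, user name and secrets; the conn name, the 10.0.10.10 address and the /etc/ipsec.d/passwd entry are placeholders.

```ini
# /etc/ipsec.conf (added example; all addresses and names are placeholders)
config setup
    protostack=netkey

conn android-xauth-psk
    # Android 4.4's built-in client (racoon) speaks IKEv1 only
    ikev2=never
    authby=secret
    pfs=no
    rekey=no
    ike-frag=yes
    # Android kernels truncate SHA2_256 to 96 bits; this keeps the
    # 3.x-era interop knob on so a sha2 integrity choice still works
    sha2-truncbug=yes
    # server (left) side
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftxauthserver=yes
    leftmodecfgserver=yes
    # client (right) side: any source address, typically behind NAT
    right=%any
    rightsubnet=vhost:%priv
    rightxauthclient=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    # one client: a pool of one address effectively hands out a fixed /32
    rightaddresspool=10.0.10.10-10.0.10.10
    # per-user passwords live in /etc/ipsec.d/passwd (not alwaysok)
    xauthby=file
    # switch to auto=start once the tunnel is known to work
    auto=add

# /etc/ipsec.secrets (constructed; use a long random PSK)
# %any %any : PSK "REPLACE-WITH-LONG-RANDOM-PSK"

# /etc/ipsec.d/passwd, one line per user: user:crypt-hash:conn-name
# brendan:CRYPT_HASH_PLACEHOLDER:android-xauth-psk
```

The crypt hash for the passwd file can be produced with `openssl passwd`; the Android client is then configured as "IPSec Xauth PSK" with the same group PSK and the per-user name and password.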

