[Swan] newb confusion

Brendan Kearney bpk678 at gmail.com
Mon Mar 13 18:36:35 UTC 2017


On 03/12/2017 06:12 PM, Paul Wouters wrote:
> On Sun, 12 Mar 2017, Brendan Kearney wrote:
>
>> i am looking to set up ipsec and have read a lot about what i am 
>> trying to do, but still come up short. ultimately, i would like to 
>> have site-to-site tunnels along with road warrior tunnels.  i am not 
>> sure if this config will run on a single libreswan instance, but have 
>> not found anything indicating it will not work.  can this be 
>> confirmed, as something that will work?
>
> Yes, that can work together. Just add different conn sections, and use
> different IDs to make your life easiest.
great, thanks for confirming
>
>> i have an android device (running 4.4.2 kitkat), and libreswan 3.13.1 
>> on fedora 20 (soon to be updated), and cannot get a road warrior 
>> config working.
>
> Note that android's native IPsec support uses racoon that only supports
> IKEv1, and not IKEv2. Note also that android kernels all use a broken
> version of SHA2_256 for IPsec.
>
> It would be good if you can upgrade libreswan to 3.19. Since fedora
> contains an up-to-date libreswan, simply updating your fedora machine
> should get you a new enough libreswan.
an upgrade is in the works, but will be a little bit before i can get 
that done.
>
>> i have NAT-T set up, and there do not seem to be any issues with 
>> getting the traffic to the ipsec instance.  it seems that i cannot get 
>> tunnel parameters agreed upon, and phase 1 never completes.  with the 
>> below in "android.conf", i attempt to connect from my android device
>>
>> conn android
>>    #ikev2=insist
>>    left=0.0.0.0
>>    leftprotoport=17/%any
>>    right=192.168.184.1
>>    rightprotoport=17/1701
>>    authby=secret
>>    pfs=no
>>    # use auto=start when done testing the tunnel
>>    auto=add
>
> To get android to connect, you need to give it an IP address. Either you
> need to use IKEv1 XAUTH with addresspool= or you need to use L2TP/IPsec
> where the l2tp/ppp layer will hand out an IP address.
>
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_PSK
>
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_with_L2TP
>
> If you are using only one client, you can get away with hardcoding the
> one IP address you want to hand out as a subnet/32.
i am working on L2TP with PPP pointing to RADIUS
>
>> in my logs, i see the below entries:
>>
>> "android"[10] 192.168.24.133 #10: transition from state 
>> STATE_IKEv2_START to state STATE_PARENT_R1
>> "android"[10] 192.168.24.133 #10: STATE_PARENT_R1: received v2I1, 
>> sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha1_96 prf=sha 
>> group=MODP1024}
>> "android"[10] 192.168.24.133 #10: new NAT mapping for #10, was 
>> 192.168.24.133:500, now 192.168.24.133:60500
>> "android"[10] 192.168.24.133 #10: new NAT mapping for #10, was 
>> 192.168.24.133:60500, now 192.168.24.133:64500
>> "android"[10] 192.168.24.133 #10: IKEv2 mode peer ID is ID_USER_FQDN: 
>> 'brendan at bpk2.com' | CHILD SA proposals received |
>
> I'm a little confused, as I am seeing IKEv2 and not IKEv1. Are you using
> the strongswan client on android? In that case, you want to look at:
>
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
>
> Paul
android 4.4.2 gives options for advanced IPSec VPNs:

pre-shared key (IKEv1)
pre-shared key (IKEv2)
certificate (IKEv1)
certificate (IKEv2)
EAP and certificate (IKEv2)
L2TP pre-shared key (IKEv1)
L2TP certificate (IKEv1)
SecurID (IKEv1)

i selected PSK IKEv2, which does not look like it matches what i am 
trying to do on the server side.  more digging to do...

thanks,

brendan
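As an added illustration of Paul's two points (separate conn sections with distinct IDs on one libreswan instance, and handing the Android client an address via L2TP/PPP), here is an example ipsec.conf that is not from the thread, the libreswan wiki, or the libreswan project itself. All addresses, subnets and IDs are constructed placeholders, and it assumes an L2TP daemon listening on UDP 1701 on the gateway provides the PPP layer.

```ini
# Example ipsec.conf (constructed for illustration; not from the thread).
# One libreswan instance serving both a site-to-site tunnel and an
# L2TP/IPsec road-warrior conn, as suggested in the reply above.
config setup
    protostack=netkey

# Site-to-site: both gateways have fixed addresses and their own IDs.
conn site-to-site
    left=203.0.113.10           # this gateway's public address (placeholder)
    leftid=@vpn.example.net     # placeholder ID, distinct from the road-warrior conn
    leftsubnet=10.10.0.0/24     # placeholder LAN behind this gateway
    right=198.51.100.20         # remote gateway (placeholder)
    rightid=@branch.example.net
    rightsubnet=10.20.0.0/24    # placeholder LAN behind the remote gateway
    authby=secret
    ikev2=insist                # the remote gateway is another swan, so IKEv2 is fine here
    auto=start

# Road warrior over L2TP/IPsec: transport mode protects UDP 1701; the
# PPP session inside L2TP (Brendan's RADIUS-backed PPP) assigns the
# client its IP address, which a bare IPsec conn could not do.
conn l2tp-psk
    left=203.0.113.10
    leftid=@vpn.example.net
    leftprotoport=17/1701       # server side is the L2TP listener
    right=%any                  # clients roam, so accept any peer address
    rightprotoport=17/%any      # clients source from an arbitrary UDP port
    type=transport              # L2TP/IPsec uses transport mode, not tunnel mode
    authby=secret
    ikev2=no                    # Android's racoon client only speaks IKEv1
    pfs=no
    rekey=no                    # let the client drive rekeying
    keyingtries=3
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    auto=add
```

The group PSK for the road-warrior conn goes in ipsec.secrets as `@vpn.example.net %any : PSK "..."` (placeholder ID), while the site-to-site conn gets its own entry keyed on both gateway IDs so the two secrets cannot be confused.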