[Swan] Libreswan as XAUTH client

Paul Wouters paul at nohats.ca
Tue Jul 4 10:28:08 UTC 2017


On Mon, 3 Jul 2017, Qasim Bin Mehmood wrote:

> I am using libreswan as an XAUTH client to another libreswan server for remote access VPN aka road warrior. A few things I’d like to
> point out
> 
> 1. Is there a way to reserve an IP address for a client based on username? Server or client side?

Only by using a separate conn entry with separate IDs and a special 1 IP
addresspool.

> 2. The client side doesn't connect on machine startup and throws this error: "We cannot identify ourselves with either end of this
> connection." It connects fine once I restart the ipsec service. I have read it's because the ipsec service tries to connect before the
> system has internet connectivity. Can we make the ipsec service retry the identification automatically?

Seems like you are starting libreswan before your device obtained the IP
configured or its default route. You can run ipsec whack --listen after
obtaining connectivity (like in ppp-up or similar scripts).

> 3. On the client side, if the connection drops but the interface stays up, e.g. ISP link goes down, it won’t release the VPN IP from its
> interface. Any ideas?

Once the connection goes "down" it should remove the IP from the
interface. Possibly libreswan does not "know yet" that the link
is down? You can also run ipsec whack --listen when a native IP
(from ppp or dhcp) is removed from the system, and libreswan will
then detect it is gone and the connection should go down.

> 4. The client side doesn’t try to automatically reconnect once internet connectivity is up. I have the auto=start flag in ipsec.conf but
> it appears to auto start only when ipsec service is being started and not when it is already running.

See above? The whack commands will make it more aware of the IPs and
routes present and should do the right thing.

> I want the client to be always connected to the VPN server as long as it has internet connectivity. Is there a proper way to do it?

auto=start is the proper way.

Paul
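The two things Paul suggests above (re-running `ipsec whack --listen` from a network hook so pluto re-scans the host's addresses and routes, and a dedicated conn with its own IKE ID and a one-address pool to pin a client to a fixed IP) as one added shell example. This is not code from the thread or from the libreswan project. It assumes a NetworkManager dispatcher-style invocation (`$1` = interface, `$2` = action), a PSK-based IKEv1 XAUTH server as `left`, and the ipsec.conf keys as documented in ipsec.conf(5) for libreswan 3.x; the conn name, IKE ID and 192.0.2.5 address are made up. Check the key names against the manual for your libreswan version.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the libreswan project.
# 1) relisten_needed/relisten: hook logic that makes pluto re-scan IPs/routes
#    after the link comes up, goes down, or DHCP changes the address.
# 2) reserved_conn: prints a conn that ties ONE IKE ID to ONE pool address.
#    The reservation keys on the IKE ID of the conn, not on the XAUTH
#    username, which is the limitation described in the thread.

IPSEC_BIN="${IPSEC_BIN:-ipsec}"   # assumed path to the ipsec wrapper

# Decide from a dispatcher event ($1 = interface, $2 = action) whether the
# host's address/route set changed enough to be worth telling pluto about.
relisten_needed() {
    case "$2" in
        up|down|dhcp4-change|dhcp6-change|connectivity-change) return 0 ;;
        *) return 1 ;;
    esac
}

# --listen makes pluto re-enumerate interfaces; it is harmless to repeat.
relisten() {
    "$IPSEC_BIN" whack --listen
}

# Print a server-side conn fragment for /etc/ipsec.d/<name>.conf.
# args: conn-name  client-ike-id  reserved-ip
reserved_conn() {
    cat <<EOF
conn $1
    # assumed: IKEv1 XAUTH road-warrior with PSK, this host is "left"
    ikev2=no
    authby=secret
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftxauthserver=yes
    leftmodecfgserver=yes
    right=%any
    rightid=$2
    rightxauthclient=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    # a one-address pool: the only IP this conn can ever hand out
    rightaddresspool=$3-$3
    xauthby=pam
    auto=add
EOF
}

# Dispatcher entry point: only acts when called with the two event args.
if [ $# -ge 2 ]; then
    relisten_needed "$1" "$2" && relisten
fi
```

Install the script under /etc/NetworkManager/dispatcher.d/ on the client (or call `relisten` unconditionally from an /etc/ppp/ip-up.d/ and ip-down.d/ script, where the arguments differ). On the server, `reserved_conn laptop1 @laptop1 192.0.2.5 > /etc/ipsec.d/laptop1.conf` followed by `ipsec auto --add laptop1` gives the client presenting IKE ID @laptop1 that single address; every other client still uses the shared road-warrior conn and its larger pool.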

