[Swan] Libreswan as XAUTH client

Qasim Bin Mehmood Qasim12 at outlook.com
Thu Jul 6 07:23:13 UTC 2017


Greetings,

Thank you for the reply. I have tried adding separate connections for each user and it solves my first problem. As for the second problem I got around to it by delaying the start up of the ipsec service.

The third and fourth problems however are still there. ipsec whack --listen does not remove the VPN configured ip from the interface and it doesn’t try to reconnect. Also the connection I have found is very unreliable. It would break frequently and won’t reconnect. I have set nat-keepalive to true. I have also set dpdaction to restart. But none of these options work. Is there a way to specify a retry interval? Following is the client-side configuration.

> version 2.0     # conforms to second version of ipsec.conf specification
> # basic configuration
> config setup
>     nhelpers=1
>     protostack=netkey
>     interfaces=%defaultroute
> 
> conn xauth-psk
>     authby=secret
>     left=%defaultroute
>     leftxauthclient=yes
>     leftmodecfgclient=yes
>     leftxauthusername=username
>     modecfgpull=yes
>     right=example.com
>     rightsubnet=172.31.30.0/20
>     rightxauthserver=yes
>     rightmodecfgserver=yes
>     rekey=no
>     dpdaction=restart
>     dpdtimeout=120
>     dpddelay=30
>     auto=start
>     ike_frag=yes
>     nat-keepalive=yes

Thanks & regards,

Qasim Mehmood
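Paul's suggestion in the quoted reply is to run `ipsec whack --listen` whenever the native IP arrives or goes away, so pluto re-scans interfaces and routes and the `auto=start` conn comes up or goes down accordingly. The hook below is an added example (not code from the thread or from the Libreswan project) showing one way to wire that up. It assumes the NetworkManager dispatcher calling convention (`$1` = interface, `$2` = action, installed under `/etc/NetworkManager/dispatcher.d/`); for ppp the same function can be called from `ip-up`/`ip-down`. The `IPSEC_CMD` override and the `relisten_decision` helper are conveniences introduced here, not Libreswan options.

```shell
#!/bin/sh
# Added example hook: re-run "ipsec whack --listen" when a native interface
# gains or loses its IP, so libreswan notices connectivity changes and the
# auto=start conn is brought up / torn down. Assumes NetworkManager dispatcher
# arguments ($1 interface, $2 action); adapt for ppp ip-up / ip-down scripts.

IPSEC_CMD="${IPSEC_CMD:-ipsec}"   # overridable for testing; real command is "ipsec"
LOG_TAG="swan-relisten"

# Decide whether an event warrants a re-listen. Prints "relisten" or "ignore".
# Loopback and ipsec pseudo-interfaces never count as native connectivity.
relisten_decision() {
    iface="$1"
    action="$2"
    case "$iface" in
        lo|ipsec*) echo ignore; return 0 ;;
    esac
    case "$action" in
        # up/down: interface got or lost its address; dhcp*-change: lease/address changed
        up|down|dhcp4-change|dhcp6-change) echo relisten ;;
        *) echo ignore ;;
    esac
}

# Ask pluto to re-scan interfaces and routes (what Paul recommends after
# connectivity is obtained or a native IP is removed).
relisten() {
    "$IPSEC_CMD" whack --listen
}

main() {
    decision=$(relisten_decision "$1" "$2")
    if [ "$decision" = relisten ]; then
        logger -t "$LOG_TAG" "$1 $2: re-running ipsec whack --listen" 2>/dev/null || true
        relisten
    fi
}

# Only act when invoked by the dispatcher with its two arguments.
if [ "$#" -ge 2 ]; then
    main "$1" "$2"
fi
```

The hook deliberately ignores events on `ipsec*` and `lo`, otherwise the interface changes that pluto itself causes would trigger another re-listen; keep the `dpdaction=restart` setting in the conn as well, since the hook only helps when the local link state actually changes, not when the peer silently disappears.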



> On 04-Jul-2017, at 3:28 PM, Paul Wouters <paul at nohats.ca> wrote:
> 
> On Mon, 3 Jul 2017, Qasim Bin Mehmood wrote:
> 
>> I am using libreswan as an XAUTH client to another libreswan server for remote access VPN aka road warrior. A few things I’d like to
>> point out
>> 1. Is there a way to reserve an IP address for a client based on username? Server or client side?
> 
> Only by using a separate conn entry with separate IDs and a special 1 IP
> addresspool.
> 
>> 2. The client side doesn’t connect on machine startup and throws this error "We cannot identify ourselves with either end of this
>> connection.” It connects fine once I restart the ipsec service. I have read it’s because the ipsec service tries to connect before the
>> system has internet connectivity. Can we make the ipsec service to retry the identification automatically?
> 
> Seems like you are starting libreswan before your device obtained the IP
> configured or its default route. you can run ipsec whack --listen after
> obtaining connectivity (like in ppp-up or similar scripts run)
> 
>> 3. On the client side, if the connection drops but the interface stays up, e.g. ISP link goes down, it won’t release the VPN IP from its
>> interface. Any ideas?
> 
> Once the connection goes "down" it should remove the IP from the
> interface. Possibly libreswan does not "know yet" that the link
> is down? You can also run ipsec whack --listen when a native IP
> (from ppp or dhcp) is removed from the system, and libreswan will
> then detect it is gone and the connection should go down.
> 
>> 4. The client side doesn’t try to automatically reconnect once internet connectivity is up. I have the auto=start flag in ipsec.conf but
>> it appears to auto start only when ipsec service is being started and not when it is already running.
> 
> See above? The whack commands will make it more aware of the IPs and
> routes present and should do the right thing.
> 
>> I want the client to be always connected to the VPN server as long as it has internet connectivity. Is there a proper way to do it?
> 
> auto=start is the proper way.
> 
> Paul


