[Swan] LibreSwan 3.21 Client side ERROR using AWS (server side)

Priyank Kumar priyank.guddu at gmail.com
Thu Oct 26 09:21:48 UTC 2017


Hi
First post. I set up libreswan on my AWS instance and am able to connect to
it using my Android phone. I couldn't find any tutorial on how to set it up on
the Linux client side, so after searching the net I tried the following
configuration.

* My AWS-side VPN server works fine with my phone, so I don't suspect that side.

*Issue 1*: if the Linux PC-side conf file has narrowing=no, then it gives the
error: "myvpn": cannot initiate connection with narrowing=no and
(kind=CK_TEMPLATE)
Issue 2: There is no clear instruction on how to start the VPN client. I am
using
ipsec auto --up myvpn or ipsec auto --start myvpn (this sometimes reports
success).
Issue 3: If I set narrowing=yes, it fails with:



# Linux PC (Client side)
/etc/ipsec.d/myvpn.conf
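conn myvpn
        # L2TP/IPsec client: ESP in transport mode protecting the UDP/1701 (L2TP)
        # channel between this host's default-route address and the VPN server.
        left=%defaultroute
        # NOTE(review): <MyServerIP> is a placeholder for the server's literal address.
        right=<MyServerIP>
        # NOTE(review): the post's Issue 1 error ("kind=CK_TEMPLATE") means pluto treats
        # this conn as a template, which it refuses to initiate with narrowing=no;
        # confirm that left/right resolve to concrete addresses (no %any) once loaded.
        narrowing=no
        # force UDP encapsulation of ESP (NAT-T framing) even when no NAT is detected
        encapsulation=yes
        # pre-shared key authentication; the PSK in the secrets file must match the server's
        authby=secret
        # pfs=no: no fresh DH exchange for the child (ESP) SA — matches the server, but
        # forfeits forward secrecy for that SA if the IKE SA key is ever recovered.
        pfs=no
        rekey=no
        keyingtries=5
        # dead peer detection: probe every 30s, declare the peer dead after 120s and
        # clear the SA rather than retrying.
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # NOTE(review): 3des, sha1 and modp1024 (1024-bit DH) are legacy algorithms kept
        # to match the server; prefer aes256-sha2_512 with a 2048-bit group once the
        # server offers it. (This line had lost its indentation in the posted file;
        # every parameter of a conn must be indented or the section ends there.)
        ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
        phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
        # interoperability workaround for peers that truncate SHA-2 HMACs to 96 bits;
        # must be set identically on both ends.
        sha2-truncbug=yes
        # auto=add only loads the conn at startup; it is brought up by hand with
        # "ipsec auto --up myvpn" (cf. Issue 2 in the post).
        auto=add
        # UDP (protocol 17) port 1701 on both sides = the L2TP control/data channel
        leftprotoport=17/1701
        rightprotoport=17/1701
        type=transport
        phase2=esp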

*# AWS VPN server-side conf file; this works with the Android phone*

cat /etc/ipsec.conf

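version 2.0

config setup
 # Address ranges a roaming client may claim as its private (NATed) address.
 # The "!" entries exclude 192.168.42.0/24 and 192.168.43.0/24; the latter is the
 # xauth-psk address pool below. (This value was line-wrapped in the posted copy;
 # it must be a single line in the real file.)
 virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
 # Linux kernel (XFRM/netkey) IPsec stack
 protostack=netkey
 # nhelpers=0: no crypto helper processes; all crypto runs in the main pluto process
 nhelpers=0
 interfaces=%defaultroute
 # uniqueids=no: a new IKE SA from a client presenting an already-seen ID does not
 # replace the existing one — presumably needed because all PSK clients here
 # share one identity.
 uniqueids=no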

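conn shared
 # Common settings pulled in via also=shared by conn l2tp-psk and conn xauth-psk.
 left=%defaultroute
 # NOTE(review): <ServerIP> is a placeholder for the server's literal public address.
 leftid=<ServerIP>
 # any client address may connect (roaming clients)
 right=%any
 # force UDP encapsulation of ESP (NAT-T framing) even when no NAT is detected
 encapsulation=yes
 # NOTE(review): authby=secret with right=%any means one pre-shared key is shared
 # by every client; treat it as a group secret and rotate it when a client is retired.
 authby=secret
 # pfs=no: no fresh DH exchange for the child SA, so no forward secrecy for ESP keys
 # if the IKE SA key is ever recovered.
 pfs=no
 rekey=no
 keyingtries=5
 # dead peer detection: probe every 30s, give up after 120s and clear the SA
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
 # NOTE(review): 3des, sha1 and modp1024 (1024-bit DH) are legacy algorithms kept
 # for client compatibility; drop them once every client negotiates aes256-sha2_512
 # with a 2048-bit group. (This value was line-wrapped in the posted copy; it must
 # be a single line in the real file.)
 ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
 phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
 # interoperability workaround for peers that truncate SHA-2 HMACs to 96 bits
 sha2-truncbug=yes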

conn l2tp-psk
 # L2TP/IPsec: ESP in transport mode protecting the UDP/1701 L2TP channel; the
 # client's source port is left open (%any). IKE and PSK settings come from conn shared.
 type=transport
 phase2=esp
 leftprotoport=17/1701
 rightprotoport=17/%any
 # loaded at startup; waits for the client to initiate
 auto=add
 also=shared

conn xauth-psk
 # IKEv1 XAUTH + ModeConfig road-warrior profile on top of conn shared: the group
 # PSK authenticates the connection, then each user authenticates via XAUTH.
 # XAUTH is IKEv1-only, hence ikev2=never.
 ikev2=never
 # this side is the XAUTH/ModeConfig server, the peer is the client
 leftxauthserver=yes
 leftmodecfgserver=yes
 rightxauthclient=yes
 rightmodecfgclient=yes
 modecfgpull=yes
 # per-user XAUTH credentials are read from the local XAUTH password file
 xauthby=file
 # full tunnel: all client traffic (0.0.0.0/0) is sent through the server
 leftsubnet=0.0.0.0/0
 # virtual client addresses and resolvers handed out via ModeConfig
 rightaddresspool=192.168.43.10-192.168.43.250
 modecfgdns1=8.8.8.8
 modecfgdns2=8.8.4.4
 # allow IKE fragmentation so large IKE messages survive path MTU limits
 ike-frag=yes
 # advertise the Cisco Unity vendor ID for clients that expect it
 cisco-unity=yes
 # loaded at startup; waits for the client to initiate
 auto=add
 also=shared

