[Swan] LibreSwan 3.21 Client side ERROR using AWS (server side)
Paul Wouters
paul at nohats.ca
Fri Oct 27 02:07:03 UTC 2017
On Thu, 26 Oct 2017, Priyank Kumar wrote:
> Hi, first post. I set up libreswan on my AWS instance and am able to connect to it using my Android phone. I couldn't find any tutorial on how to set up the Linux
> client side, so after harvesting the net I tried the following configuration.
Did you setup IPsec/L2TP or IKEv2 or IKEv1 XAUTH (Cisco IPsec) ?
> * My AWS side VPN server works fine with my phone, so I don't suspect that.
>
> Issue 1: if the Linux PC side conf file has narrowing=no, then it gives the error: "myvpn": cannot initiate connection with narrowing=no and (kind=CK_TEMPLATE)
> Issue 2: There is no clear instruction on how to start the VPN client. I am using
> ipsec auto --up myvpn or ipsec auto --start myvpn (this sometimes shows success).
> Issue 3: If I do narrowing=yes, it fails by
Narrowing is only used for the ikev2 configuration.
> # Linux PC (Client side)
> /etc/ipsec.d/myvpn.conf
> conn myvpn
>     left=%defaultroute
>     right=<MyServerIP>
>     narrowing=no
>     encapsulation=yes
>     authby=secret
>     pfs=no
>     rekey=no
>     keyingtries=5
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>     ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>     phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>     sha2-truncbug=yes
>     auto=add
>     leftprotoport=17/1701
>     rightprotoport=17/1701
>     type=transport
>     phase2=esp
This looks like L2TP/IPsec, so do not use narrowing then.
Do not use encapsulation= unless you need to override things normally
auto-detected.
> # AWS VPN server side conf file, this works with Android phone
>
> cat /etc/ipsec.conf
>
> version 2.0
>
> config setup
>     virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
>     protostack=netkey
>     nhelpers=0
>     interfaces=%defaultroute
>     uniqueids=no
>
> conn shared
>     left=%defaultroute
>     leftid=<ServerIP>
>     right=%any
>     encapsulation=yes
>     authby=secret
>     pfs=no
>     rekey=no
>     keyingtries=5
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>     ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>     phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>     sha2-truncbug=yes
>
> conn l2tp-psk
>     auto=add
>     leftprotoport=17/1701
>     rightprotoport=17/%any
>     type=transport
>     phase2=esp
>     also=shared
>
> conn xauth-psk
>     auto=add
>     leftsubnet=0.0.0.0/0
>     rightaddresspool=192.168.43.10-192.168.43.250
>     modecfgdns1=8.8.8.8
>     modecfgdns2=8.8.4.4
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     xauthby=file
>     ike-frag=yes
>     ikev2=never
>     cisco-unity=yes
>     also=shared
You have defined both XAUTH and L2TP/IPsec. I would recommend settling
on one solution. And strongly recommend ditching L2TP since android,
iOS and Linux can do XAUTH/IPsec fine.
For a client side config of XAUTH/IPsec, basically copy your server side
one. Or look at some of our testcases at
https://github.com/libreswan/libreswan/blob/master/testing/pluto/xauth-pluto-05/road.conf
I'll update our wiki soon to include a proper xauth libreswan client
configuration.
Paul
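As an added illustration of the "copy your server side one" advice above (this is an editor's example, not Paul's reply and not a libreswan testcase), here is a Linux client conn written as the mirror image of the poster's server-side xauth-psk conn: every left*/right* role is swapped, the server's leftsubnet=0.0.0.0/0 becomes the client's rightsubnet=, and ikev2=never means no narrowing= setting is needed. <ServerIP>, the username priyank, the PSK and the XAUTH password are placeholders; the ipsec.secrets layout shown for the XAUTH password is the @username : XAUTH "..." form as documented in libreswan's ipsec.secrets(5) and is assumed here rather than taken from the thread. The proposal lists deliberately drop 3des, which the server still offers, so the Linux client never proposes it; encapsulation= is left out so libreswan auto-detects NAT, as recommended above.

```conf
# Added example: /etc/ipsec.d/myvpn.conf on the Linux client (not from the thread).
# Mirrors the server's "conn xauth-psk" + "conn shared" with the roles swapped.
conn myvpn
    # this end is the roaming client, the AWS instance is the server
    left=%defaultroute
    leftxauthclient=yes
    leftmodecfgclient=yes
    leftxauthusername=priyank        # assumed XAUTH username; replace
    right=<ServerIP>                 # placeholder, same value as leftid= on the server
    rightid=<ServerIP>
    rightxauthserver=yes
    rightmodecfgserver=yes
    rightsubnet=0.0.0.0/0            # mirrors leftsubnet=0.0.0.0/0 on the server
    modecfgpull=yes
    authby=secret
    pfs=no                           # mirrors the server's "conn shared"
    rekey=no
    keyingtries=5
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ikev2=never                      # XAUTH is IKEv1 only; narrowing= is not used here
    ike-frag=yes
    cisco-unity=yes
    # same algorithms the server accepts, minus 3des; AES first so it is proposed first
    ike=aes256-sha2_512,aes-sha2,aes-sha2;modp1024,aes-sha1,aes-sha1;modp1024
    phase2alg=aes256-sha2_512,aes-sha2,aes-sha1
    sha2-truncbug=yes
    auto=add

# Added example: /etc/ipsec.secrets on the Linux client (assumed layout).
# First line: the PSK shared with the server.  Second line: the XAUTH password
# for the username given in leftxauthusername= above.
# %any <ServerIP> : PSK "replace-with-the-shared-secret"
# @priyank : XAUTH "replace-with-the-xauth-password"
```

Load and bring it up with the same commands the poster used, ipsec auto --add myvpn followed by ipsec auto --up myvpn, and confirm with ipsec status that the connection shows an established ISAKMP SA and IPsec SA; if the server still has both l2tp-psk and xauth-psk loaded, the client's leftxauthclient=yes and the absence of the 17/1701 protoport selectors are what steer the negotiation to the XAUTH conn.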