[Swan] LibreSwan 3.21 Client side ERROR using AWS (server side)
Priyank Kumar
priyank.guddu at gmail.com
Fri Oct 27 06:32:08 UTC 2017
Thanks Paul.
Since this was my first post, I should have posted more details, but I finally
got it working after posting on the mailing list.
My setup -> IPsec L2TP/PSK, so it doesn't need narrowing.
For the server side I used the post
https://github.com/hwdsl2/setup-ipsec-vpn which automates the setup for
AWS; this is a great post for a newbie which does all the setup and gives you the
PSK/Username/Password and IP to connect.
The mistake I made was that while starting and adding the connection I was using the
openswan steps; the right steps that I used are:
1) Add the connection
   ~# ipsec addconn myvpn
   002 "myvpn": deleting non-instance connection
   002 added connection description "myvpn"
2) Restart ipsec and xl2tpd
   ~# /etc/init.d/ipsec restart
   [ ok ] Restarting ipsec (via systemctl): ipsec.service.
   ~# /etc/init.d/xl2tpd restart
   [ ok ] Restarting xl2tpd (via systemctl): xl2tpd.service.
3) Start the IPsec L2TP/PSK connection
   ~# ipsec auto --start myvpn
4) Now we have to add the adapter using xl2tpd so that PPP comes up and you get an IP
   ~# echo "c myvpn" > /var/run/xl2tpd/l2tp-control
This finally gave me the right PPP interface with the right local IP.
It would be a great help if the wiki were updated with both sides' config and how to
start the client side connection. I was referring to your slide deck at
https://datatracker.ietf.org/meeting/interim-2017-i2nsf-01/materials/slides-interim-2017-i2nsf-01-sessa-ipsec-vpn-deployments-paul-wouters/
where you mentioned the following; do we have a sample config for both
which I could test? I am doing this on my embedded ARM gateway with integrated
modem.
- FULL MESH ENCRYPTION
- OPPORTUNISTIC IPSEC GATEWAY
PK
On Thu, Oct 26, 2017 at 7:07 PM, Paul Wouters <paul at nohats.ca> wrote:
> On Thu, 26 Oct 2017, Priyank Kumar wrote:
>
>> Hi, first post. I set up libreswan on my AWS instance and am able to connect
>> to it using my Android phone. I couldn't find any tutorial on how to set up the
>> Linux client side; after harvesting the net I tried the following configuration.
>>
>
> Did you setup IPsec/L2TP or IKEv2 or IKEv1 XAUTH (Cisco IPsec) ?
>
>> * My AWS side VPN server works fine with my phone, so I don't suspect that
>>
>> Issue 1: if the Linux PC side conf file has narrowing = no, then it gives
>> error "myvpn": cannot initiate connection with narrowing=no and
>> (kind=CK_TEMPLATE)
>> Issue 2: There is no clear instruction how to start the VPN client, I am
>> using
>> ipsec auto --up myvpn or ipsec auto --start myvpn (this shows sometime
>> success)
>> Issue 3: If I do narrowing = yes, it fails by
>>
>
> Narrowing is only used for the ikev2 configuration.
>
>> # Linux PC (Client side)
>> /etc/ipsec.d/myvpn.conf
>> conn myvpn
>>     left=%defaultroute
>>     right=<MyServerIP>
>>     narrowing=no
>>     encapsulation=yes
>>     authby=secret
>>     pfs=no
>>     rekey=no
>>     keyingtries=5
>>     dpddelay=30
>>     dpdtimeout=120
>>     dpdaction=clear
>>     ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>>     phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>>     sha2-truncbug=yes
>>     auto=add
>>     leftprotoport=17/1701
>>     rightprotoport=17/1701
>>     type=transport
>>     phase2=esp
>>
>
> This looks like L2TP/IPsec, so do not use narrowing then.
>
> Do not use encapsulation= unless you need to override things normally
> auto-detected.
>
>
>> #AWS VPN server side conf file, this works with Android phone
>>
>> cat /etc/ipsec.conf
>>
>> version 2.0
>>
>> config setup
>>     virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
>>     protostack=netkey
>>     nhelpers=0
>>     interfaces=%defaultroute
>>     uniqueids=no
>>
>> conn shared
>>     left=%defaultroute
>>     leftid=<ServerIP>
>>     right=%any
>>     encapsulation=yes
>>     authby=secret
>>     pfs=no
>>     rekey=no
>>     keyingtries=5
>>     dpddelay=30
>>     dpdtimeout=120
>>     dpdaction=clear
>>     ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>>     phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>>     sha2-truncbug=yes
>>
>> conn l2tp-psk
>>     auto=add
>>     leftprotoport=17/1701
>>     rightprotoport=17/%any
>>     type=transport
>>     phase2=esp
>>     also=shared
>>
>> conn xauth-psk
>>     auto=add
>>     leftsubnet=0.0.0.0/0
>>     rightaddresspool=192.168.43.10-192.168.43.250
>>     modecfgdns1=8.8.8.8
>>     modecfgdns2=8.8.4.4
>>     leftxauthserver=yes
>>     rightxauthclient=yes
>>     leftmodecfgserver=yes
>>     rightmodecfgclient=yes
>>     modecfgpull=yes
>>     xauthby=file
>>     ike-frag=yes
>>     ikev2=never
>>     cisco-unity=yes
>>     also=shared
>>
>
>
> You have defined both XAUTH and L2TP/IPsec. I would recommend settling
> on one solution. And strongly recommend ditching L2TP since android,
> iOS and Linux can do XAUTH/IPsec fine.
>
> For a client side config of XAUTH/IPsec, basically copy your server side
> one. Or look at some of our testcases at
>
> https://github.com/libreswan/libreswan/blob/master/testing/pluto/xauth-pluto-05/road.conf
>
> I'll update our wiki soon to include a proper xauth libreswan client
> configuration.
>
> Paul
>
>
>
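The three points Paul raises above (narrowing= only means something for IKEv2, encapsulation= should be left to auto-detection, and a server should settle on either XAUTH or L2TP/IPsec rather than offering both) can be checked mechanically before a config is loaded. The script below is an added example for this thread, not libreswan code and not anything either poster wrote: it parses the config/conn/also= structure of a libreswan-style ipsec.conf, flattens also= includes, and reports those issues, plus a flag for the 3DES/MODP1024/SHA1 proposals that the quoted ike=/phase2alg= lines still offer. SAMPLE_CONF is a constructed, trimmed version of the server-side file quoted above; treating a missing ikev2= as "permit" is an assumption about the 3.x default.

```python
"""Lint a libreswan-style ipsec.conf for the issues discussed in this thread.

Added example, not part of libreswan or of the thread. SAMPLE_CONF is a
constructed, trimmed version of the server config quoted in the thread.
"""
import re

SAMPLE_CONF = """\
version 2.0

config setup
    protostack=netkey
    uniqueids=no

conn shared
    left=%defaultroute
    right=%any
    encapsulation=yes
    authby=secret
    ike=3des-sha1,aes-sha1;modp1024,aes256-sha2_512
    phase2alg=3des-sha1,aes256-sha2_512

conn l2tp-psk
    auto=add
    leftprotoport=17/1701
    rightprotoport=17/%any
    type=transport
    narrowing=no
    also=shared

conn xauth-psk
    auto=add
    leftxauthserver=yes
    rightxauthclient=yes
    ikev2=never
    also=shared
"""

# Algorithms a current deployment should no longer offer.
WEAK_ALG = re.compile(r'3des|modp1024|sha1|md5', re.I)


def parse_ipsec_conf(text):
    """Return {'setup': {...}, 'conns': {name: {...}}}.

    Section headers ('config setup', 'conn NAME') sit at column 0; indented
    key=value lines belong to the most recent section. Repeated also= lines
    are collected into a list under the 'also' key.
    """
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # header or version line
            words = line.split()
            if words[0] == 'version':
                continue
            if words[:2] == ['config', 'setup']:
                current = setup
            elif words[0] == 'conn' and len(words) == 2:
                current = conns.setdefault(words[1], {})
            else:
                raise ValueError('unrecognised line: %r' % raw)
            continue
        if current is None or '=' not in line:
            raise ValueError('key=value outside a section: %r' % raw)
        key, value = (s.strip() for s in line.split('=', 1))
        if key == 'also':
            current.setdefault('also', []).append(value)
        else:
            current[key] = value
    return {'setup': setup, 'conns': conns}


def resolve_conn(conns, name, _seen=frozenset()):
    """Flatten also= includes; the conn's own keys win over included ones."""
    if name in _seen:
        raise ValueError('also= loop at %s' % name)
    own = dict(conns[name])
    merged = {}
    for inc in own.pop('also', []):
        merged.update(resolve_conn(conns, inc, _seen | {name}))
    merged.update(own)
    return merged


def lint(text):
    """Return a list of (conn_name, message) findings; '*' means whole file."""
    cfg = parse_ipsec_conf(text)
    findings, l2tp, xauth = [], [], []
    for name, own in cfg['conns'].items():
        c = resolve_conn(cfg['conns'], name)
        is_l2tp = c.get('leftprotoport') == '17/1701' and c.get('type') == 'transport'
        is_xauth = c.get('leftxauthserver') == 'yes'
        ikev2 = c.get('ikev2', 'permit')       # assumed 3.x default
        if is_l2tp:
            l2tp.append(name)
        if is_xauth:
            xauth.append(name)
        # Checks on keys set directly in this conn, so inherited ones are reported once.
        if 'narrowing' in own and (is_l2tp or ikev2 in ('never', 'no')):
            findings.append((name, 'narrowing= only applies to IKEv2; drop it from this conn'))
        if 'encapsulation' in own:
            findings.append((name, 'encapsulation= overrides NAT-T auto-detection; remove unless required'))
        for key in ('ike', 'phase2alg', 'esp'):
            if key in own and WEAK_ALG.search(own[key]):
                findings.append((name, '%s= offers deprecated algorithms (3DES, MODP1024, SHA1/MD5)' % key))
    if l2tp and xauth:
        findings.append(('*', 'server offers both L2TP/IPsec (%s) and XAUTH (%s); settle on one'
                         % (', '.join(l2tp), ', '.join(xauth))))
    return findings


if __name__ == '__main__':
    for conn, msg in lint(SAMPLE_CONF):
        print('%-10s %s' % (conn, msg))
```

Run it against a real file with `lint(open('/etc/ipsec.conf').read())`; inherited settings are resolved through also= so that an L2TP conn that pulls narrowing= or encapsulation= in from a shared conn is still recognised as L2TP, but each offending key is reported only on the conn that actually sets it.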