[Swan] LibreSwan 3.21 Client side ERROR using AWS (server side)

Priyank Kumar priyank.guddu at gmail.com
Fri Oct 27 06:32:08 UTC 2017


Thanks Paul.

Since this was my first post I should have posted more details, but I
finally got it working after posting on the mailing list.
My setup -> IPsec L2TP/PSK, so it doesn't need narrowing.
For the server side I used the post
https://github.com/hwdsl2/setup-ipsec-vpn which automates the setup for
AWS; this is a great post for a newbie which does all the setup and gives you the
PSK/username/password and IP to connect.

The mistake I made was that while starting and adding the connection I was using the
openswan steps; the right steps that I used are:

1)ADD connection

~# ipsec addconn myvpn

002 "myvpn": deleting non-instance connection

002 added connection description "myvpn"

2) Restart the ipsec and xl2tp connection

:~# /etc/init.d/ipsec restart

[ ok ] Restarting ipsec (via systemctl): ipsec.service.

# /etc/init.d/xl2tpd restart

[ ok ] Restarting xl2tpd (via systemctl): xl2tpd.service.

3) Start the IPSEC L2TP -PSK connection

# ipsec auto --start myvpn

4) Now we have to add the adapter using xl2tpd for PPP to come up, and you get an IP

echo "c myvpn" > /var/run/xl2tpd/l2tp-control
This finally gave me the right PPP with right local IP.

It would be a great help if the wiki were updated with both sides' config and how to
start the client-side connection. I was referring to your slide deck at
https://datatracker.ietf.org/meeting/interim-2017-i2nsf-01/materials/slides-interim-2017-i2nsf-01-sessa-ipsec-vpn-deployments-paul-wouters/

where you mention the following; do we have a sample config for both
which I could test? I am doing this on my embedded ARM gateway with an integrated
modem.

   - FULL MESH ENCRYPTION
   - OPPORTUNISTIC IPSEC GATEWAY

PK



On Thu, Oct 26, 2017 at 7:07 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Thu, 26 Oct 2017, Priyank Kumar wrote:
>
>> Hi, first post. I set up libreswan on my AWS instance and am able to connect
>> to it using my Android phone. I couldn't get any tutorial on how to set up the Linux
>> client side; after harvesting the net I tried the following configuration.
>>
>
> Did you setup IPsec/L2TP or IKEv2 or IKEv1 XAUTH (Cisco IPsec) ?
>
>> * My AWS side VPN server works fine with my phone, so I don't suspect that
>>
>> Issue 1: if the Linux PC side conf file has narrowing=no, then it gives the
>> error "myvpn": cannot initiate connection with narrowing=no and
>> (kind=CK_TEMPLATE)
>> Issue 2: There are no clear instructions on how to start the VPN client; I am
>> using
>> ipsec auto --up myvpn or ipsec auto --start myvpn (this sometimes shows
>> success)
>> Issue 3: If I do narrowing=yes, it fails by
>>
>
> Narrowing is only used for the ikev2 configuration.
>
>> # Linux PC (Client side)
>> /etc/ipsec.d/myvpn.conf
>> conn myvpn
>>         left=%defaultroute
>>         right=<MyServerIP>
>>         narrowing=no
>>         encapsulation=yes
>>         authby=secret
>>         pfs=no
>>         rekey=no
>>         keyingtries=5
>>         dpddelay=30
>>         dpdtimeout=120
>>         dpdaction=clear
>>         ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>>         phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>>         sha2-truncbug=yes
>>         auto=add
>>         leftprotoport=17/1701
>>         rightprotoport=17/1701
>>         type=transport
>>         phase2=esp
>>
>
> This looks like L2TP/IPsec, so do not use narrowing then.
>
> Do not use encapsulation= unless you need to override things normally
> auto-detected.
>
>
>> #AWS VPN server side conf file, this works with Android phone
>>
>> cat /etc/ipsec.conf
>>
>> version 2.0
>>
>> config setup
>>  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
>>  protostack=netkey
>>  nhelpers=0
>>  interfaces=%defaultroute
>>  uniqueids=no
>>
>> conn shared
>>  left=%defaultroute
>>  leftid=<ServerIP>
>>  right=%any
>>  encapsulation=yes
>>  authby=secret
>>  pfs=no
>>  rekey=no
>>  keyingtries=5
>>  dpddelay=30
>>  dpdtimeout=120
>>  dpdaction=clear
>>  ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>>  phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>>  sha2-truncbug=yes
>>
>> conn l2tp-psk
>>  auto=add
>>  leftprotoport=17/1701
>>  rightprotoport=17/%any
>>  type=transport
>>  phase2=esp
>>  also=shared
>>
>> conn xauth-psk
>>  auto=add
>>  leftsubnet=0.0.0.0/0
>>  rightaddresspool=192.168.43.10-192.168.43.250
>>  modecfgdns1=8.8.8.8
>>  modecfgdns2=8.8.4.4
>>  leftxauthserver=yes
>>  rightxauthclient=yes
>>  leftmodecfgserver=yes
>>  rightmodecfgclient=yes
>>  modecfgpull=yes
>>  xauthby=file
>>  ike-frag=yes
>>  ikev2=never
>>  cisco-unity=yes
>>  also=shared
>>
>
>
> You have defined both XAUTH and L2TP/IPsec. I would recommend settling
> on one solution. And strongly recommend ditching L2TP since android,
> iOS and Linux can do XAUTH/IPsec fine.
>
> For a client side config of XAUTH/IPsec, basically copy your server side
> one. Or look at some of our testcases at
>
> https://github.com/libreswan/libreswan/blob/master/testing/pluto/xauth-pluto-05/road.conf
>
> I'll update our wiki soon to include a proper xauth libreswan client
> configuration.
>
> Paul
>
>
>
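The points Paul raises above (narrowing= only means something for IKEv2, encapsulation= should normally be left to auto-detection, and the server defines both an L2TP/IPsec and an XAUTH/IPsec conn on top of the same shared template) can be checked mechanically before restarting pluto. What follows is an added example, not code from this thread or from the libreswan project: a small Python lint that parses an ipsec.conf, flattens also= includes, and reports those issues together with 3DES and modp1024 in the ike=/phase2alg= proposals. The configuration it runs on is a constructed, trimmed copy of the server config quoted above with the client's narrowing=no added so the check fires; the also= precedence rule it implements (the including conn's own settings win over the included section) and the finding texts are this example's own assumptions.

```python
"""Lint a libreswan ipsec.conf for the problems raised in this thread.

Added example; not code from the original post or from the libreswan
project. Parses conn sections, flattens also= includes, and reports:
narrowing= on an IKEv1/L2TP conn, an explicit encapsulation=, pfs=no,
3DES / modp1024 in the proposals, and L2TP/IPsec and XAUTH/IPsec
road-warrior conns being defined side by side.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: trimmed copy of the server config from the post,
# with the client's narrowing=no added to the L2TP conn.
SAMPLE_CONF = """\
version 2.0

config setup
 protostack=netkey
 uniqueids=no

conn shared
 left=%defaultroute
 right=%any
 encapsulation=yes
 authby=secret
 pfs=no
 ike=3des-sha1,aes-sha1;modp1024,aes256-sha2_512
 phase2alg=3des-sha1,aes-sha2,aes256-sha2_512

conn l2tp-psk
 auto=add
 leftprotoport=17/1701
 rightprotoport=17/%any
 type=transport
 narrowing=no
 also=shared

conn xauth-psk
 auto=add
 leftsubnet=0.0.0.0/0
 leftxauthserver=yes
 rightxauthclient=yes
 ikev2=never
 also=shared
"""

# Algorithm tokens that should not appear in a new deployment.
WEAK_TOKENS = {"3des": "3DES (64-bit block cipher)",
               "modp1024": "DH group 2 (1024-bit MODP)"}


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; 'config setup' is stored as '%setup'.

    Section bodies are the indented lines after a header. Comments and
    blank lines are skipped; repeated also= lines are joined with commas.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                      # header or 'version'
            m = re.match(r"(conn|config)\s+(\S+)", line)
            current = None
            if m:
                current = m.group(2) if m.group(1) == "conn" else "%setup"
                sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if key == "also" and "also" in sections[current]:
            value = sections[current]["also"] + "," + value
        sections[current][key] = value
    return sections


def resolve(sections, name: str, _seen=frozenset()) -> Dict[str, str]:
    """Flatten a conn by merging in its also= sections.

    Assumed precedence: keys the including conn sets itself are kept and
    included sections only fill in what is missing.
    """
    if name in _seen:
        raise ValueError(f"also= loop through '{name}'")
    if name not in sections:
        raise ValueError(f"also= refers to missing section '{name}'")
    own = sections[name]
    merged = {k: v for k, v in own.items() if k != "also"}
    for inc in filter(None, (s.strip() for s in own.get("also", "").split(","))):
        for k, v in resolve(sections, inc, _seen | {name}).items():
            merged.setdefault(k, v)
    return merged


def _alg_tokens(proposal: str):
    # ike=/phase2alg= are comma-separated proposals of the form enc-integ;dh
    return {t.lower() for t in re.split(r"[,;-]", proposal) if t}


def conn_kind(conn: Dict[str, str]) -> Optional[str]:
    """'l2tp' for transport-mode UDP/1701 conns, 'xauth' for XAUTH conns."""
    if conn.get("type") == "transport" and "1701" in conn.get("leftprotoport", ""):
        return "l2tp"
    if conn.get("leftxauthserver") == "yes" or conn.get("rightxauthclient") == "yes":
        return "xauth"
    return None


def lint(conn: Dict[str, str]) -> List[str]:
    """Findings for one flattened conn, each prefixed with a short code."""
    out: List[str] = []
    ikev1_only = conn_kind(conn) == "l2tp" or conn.get("ikev2", "") in ("no", "never")
    if "narrowing" in conn and ikev1_only:
        out.append("narrowing: only meaningful for IKEv2; drop it from an IKEv1/L2TP conn")
    if "encapsulation" in conn:
        out.append("encapsulation: NAT-T is auto-detected; only set this to override it")
    if conn.get("pfs") == "no":
        out.append("pfs: disabled; phase 2 keys derive from the phase 1 secret only")
    for param in ("ike", "phase2alg", "esp"):
        for tok in sorted(_alg_tokens(conn.get(param, ""))):
            if tok in WEAK_TOKENS:
                out.append(f"weak-alg: {param}= offers {WEAK_TOKENS[tok]}")
    return out


def lint_all(text: str) -> Dict[str, List[str]]:
    """Lint every conn; add a '%global' entry when L2TP and XAUTH coexist."""
    sections = parse_conf(text)
    conns = {n: resolve(sections, n) for n in sections if n != "%setup"}
    report = {n: lint(c) for n, c in conns.items()}
    if {"l2tp", "xauth"} <= {conn_kind(c) for c in conns.values()}:
        report["%global"] = ["mixed: both L2TP/IPsec and XAUTH/IPsec conns defined; settle on one"]
    return report


if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE_CONF).items():
        for f in findings:
            print(f"{name}: {f}")
```

To run it against a live box, call `lint_all(open("/etc/ipsec.conf").read())`; files pulled in by `include` lines are not followed, so point it at each file separately. The also= loop and missing-section checks are there because a template conn such as `shared` is typically referenced from several places, and a typo in one also= line otherwise fails only when pluto reloads.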
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20171026/541da377/attachment.html>