[Swan] Problems with Initial Configuration

Glenn Sams glenn at hpaptechnologies.com
Tue Nov 14 21:26:48 UTC 2017


Hello,

I've been attempting to get libreswan up and running on my home server. 
This was my first time setting up libreswan. I tried reading through a 
few different tutorials, but I could not get a client to connect.

I started by creating my CA:
     # ipsec initnss
     # certutil -S -x -n "MyHome" -s "O=VPN,CN=MyHome" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2

I then exported the public certificate for the CA:
     # certutil -L -n "MyHome" -d sql:/etc/ipsec.d/ -a > MYCA.crt

Next I set up my ipsec config:
# libreswan /etc/ipsec.conf configuration file
config setup
   protostack=netkey
   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
   logfile=/var/log/pluto.log

conn xauth-rsa
     authby=rsasig
     pfs=no
     auto=add
     rekey=no
     left=MyHome
     leftcert=MyHome
     leftid=%fromcert
     leftsendcert=always
     leftsubnet=0.0.0.0/0
     right=%any
     rightca=%same
     rightaddresspool=172.16.2.1-172.16.2.254
     modecfgdns1=192.168.9.23
     modecfgdns2=8.8.8.8
     leftxauthserver=yes
     rightxauthclient=yes
     leftmodecfgserver=yes
     rightmodecfgclient=yes
     modecfgpull=yes
     xauthby=pam
     ike-frag=yes


Now from here I went in and set up a new ShrewSoft connection on my 
laptop (using MYCA.crt for the Server Certificate Authority field). 
I hotspotted to my cell phone so I wasn't testing on the same network 
as the server (which I've done to connect to the work Cisco ASA). 
I clicked Connect and after a few seconds I got a timeout warning. So I 
double checked my iptables and I do have the ports open (I know I have not 
set up the NATing, but I have not gotten that far yet):
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 4500 --dport 4500 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT

I then looked at the /var/log/pluto.log file and saw this: 
https://pastebin.com/4cRJS1Df (given the length of the log file I just 
put it in Pastebin since I was unsure an attachment would go through). 
While looking through it I did notice "certificate not loaded for this 
end", but I'm not sure if that is the cause of the problem or some other 
item, as the xauth-rsa configuration has not been loaded yet at that point 
(if I understand the flow of the log file).


I've started over, deleting all the configs and certs, several times. I am 
really unsure where along this path I actually messed up. So I'm 
wondering if anyone sees anything I did wrong or could point me to some 
further documentation I can review.

Thank you
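One thing worth checking before chasing certificate errors is whether the file even parses as intended: ipsec.conf(5) reads any line that starts in column 0 as a section header, so a long parameter such as the virtual_private= line above that a mail client or editor has rewrapped to column 0 silently falls out of "config setup". The following checker is an added example (not libreswan's parser and not part of the post); the sample config is constructed from the posted one, and the two lint rules for a certificate-based conn are my own.

```python
import re
# ipsec.conf(5): section headers start in column 0; parameter lines must be indented.
SECTION_RE = re.compile(r"^(config\s+setup|conn\s+\S+)\s*$")

def parse_ipsec_conf(text):
    """Return ({section: {key: value}}, [errors]) for an ipsec.conf body."""
    sections, errors, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # column 0: header, include, or error
            if m := SECTION_RE.match(line):
                current = m.group(1).split()[-1]  # "setup" or the conn name
                sections.setdefault(current, {})
            elif not line.startswith("include "):
                errors.append(f"line {lineno}: unindented line read as a section "
                              f"header, not as a parameter: {line}")
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep or current is None:
            errors.append(f"line {lineno}: stray or malformed line: {line.strip()}")
        elif key in sections[current]:
            errors.append(f"line {lineno}: duplicate key {key!r} in {current}")
        else:
            sections[current][key] = value
    return sections, errors

def lint_cert_conn(params):
    """Flag a certificate-authenticated conn that names no certificate to load."""
    problems = []
    if params.get("authby") == "rsasig" and "leftcert" not in params:
        problems.append("authby=rsasig but no leftcert= for this end")
    if params.get("leftid") == "%fromcert" and "leftcert" not in params:
        problems.append("leftid=%fromcert needs leftcert=")
    return problems

# Constructed sample: the posted file as the mail client rewrapped it.
WRAPPED = """config setup
   protostack=netkey
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
   logfile=/var/log/pluto.log
conn xauth-rsa
     authby=rsasig
     leftcert=MyHome
     leftid=%fromcert
"""
FIXED = WRAPPED.replace("\nvirtual_private", "\n   virtual_private")  # re-indented
```

Running parse_ipsec_conf over WRAPPED reports line 3 as an unindented line and leaves virtual_private out of the setup section; over FIXED it parses cleanly.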