[Swan] Problems with Initial Configuration
Glenn Sams
glenn at hpaptechnologies.com
Tue Nov 14 21:26:48 UTC 2017
Hello,
I've been attempting to get libreswan up and running on my home server.
This was my first time setting up libreswan. I tried reading through a
few different tutorials, but I could not get a client to connect.
I started by creating my CA
# ipsec initnss
# certutil -S -x -n "MyHome" -s "O=VPN,CN=MyHome" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2
I then exported out the public key for the CA
# certutil -L -n "MyHome" -d sql:/etc/ipsec.d/ -a > MYCA.crt
Next I setup my ipsec config:
# libreswan /etc/ipsec.conf configuration file
config setup
protostack=netkey
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
logfile=/var/log/pluto.log
conn xauth-rsa
authby=rsasig
pfs=no
auto=add
rekey=no
left=MyHome
leftcert=MyHome
leftid=%fromcert
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightca=%same
rightaddresspool=172.16.2.1-172.16.2.254
modecfgdns1=192.168.9.23
modecfgdns2=8.8.8.8
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
xauthby=pam
ike-frag=yes
Now from here I went in and set up a new ShrewSoft connection on my
laptop (using the MYCA.crt for the Server Certificate Authority field).
I hotspotted to my cell phone so I wasn't testing on the same network
as the server (which I've done to connect to the work Cisco ASA).
I clicked Connect and after a few seconds I got a timeout warning. So I
double-checked my iptables and I do have the ports (I know I have not
set up the NATing, but I have not gotten that far yet):
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 4500 --dport 4500 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
I then looked at the /var/log/pluto.log file and saw this:
https://pastebin.com/4cRJS1Df (given the length of the log file I just
put it in Pastebin since I was unsure an attachment would go through).
While looking through it I did notice "certificate not loaded for this
end", but I'm not sure if that is the cause of the problems or some other
item, as the xauth-rsa configuration has not been loaded yet at that point
(if I understand the flow of the log file).
I've started over, deleting all the configs and certs, several times. I am
really unsure where along this path I actually messed up. So I'm
wondering if anyone sees anything I did wrong or could point me to some
further documentation I can review.
Thank you
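Editor's added example (not part of the post above, and not libreswan project code). The certificate steps in the post create only one object: a self-signed CA ("MyHome", created with -x, basic constraints and CT trust), and the conn then points leftcert= at that same nickname, so the server would present its CA certificate as its own identity. The usual libreswan NSS workflow is to keep the CA and the server's end-entity certificate separate: create the CA, issue a server certificate signed by it (-c), give the server cert a DNS SAN matching the ID it will send, export only the CA for the client, and verify the chain before touching ipsec.conf. The script below does exactly that. The hostname vpn.myhome.example, the nicknames MyHomeCA and vpn.myhome.example, the NSSDIR scratch directory and the 36-month validity are assumptions chosen for the example; on a real host point NSSDIR at /etc/ipsec.d (the directory "ipsec initnss" manages).

```shell
#!/bin/sh
# Added example: build a libreswan-style NSS database holding a private CA plus a
# SEPARATE end-entity certificate for the VPN server, export the CA for the client,
# and check the chain.  Nicknames, hostname and paths are assumptions, not values
# from the original post.  NSSDIR defaults to a scratch directory so this can run as
# an unprivileged user; set NSSDIR=/etc/ipsec.d on the real server.
set -eu

NSSDIR="${NSSDIR:-$(mktemp -d)}"
DB="sql:$NSSDIR"
CA_NICK="MyHomeCA"                     # assumed CA nickname
SERVER_FQDN="vpn.myhome.example"       # assumed server name; becomes nickname, CN and SAN
NOISE="$NSSDIR/noise.bin"

# certutil -S waits for keystrokes to seed the RNG unless -z points at a noise file.
make_noise() { head -c 1024 /dev/urandom > "$NOISE"; }

# Empty-password DB, the same model "ipsec initnss" uses for /etc/ipsec.d.
init_db() {
    make_noise
    certutil -N -d "$DB" --empty-password
}

# Self-signed CA.  -2 adds basicConstraints and asks three questions on stdin:
# "Is this a CA certificate?" -> y, "path length?" -> blank, "critical?" -> y.
# The CA gets certSigning/crlSigning key usage and the CT trust flags, nothing else.
make_ca() {
    printf 'y\n\ny\n' | certutil -S -x -d "$DB" -z "$NOISE" \
        -n "$CA_NICK" -s "O=VPN,CN=MyHome CA" \
        -k rsa -g 4096 -v 36 -m 1 -t "CT,," -2 \
        --keyUsage certSigning,crlSigning
}

# End-entity server certificate signed by the CA (-c).  -8 puts the FQDN in a DNS
# SAN so the client can match the server's ID; trust flags are empty (not a CA).
make_server_cert() {
    certutil -S -c "$CA_NICK" -d "$DB" -z "$NOISE" \
        -n "$SERVER_FQDN" -s "O=VPN,CN=$SERVER_FQDN" \
        -8 "$SERVER_FQDN" -k rsa -g 4096 -v 36 -m 2 -t ",," \
        --keyUsage digitalSignature,keyEncipherment \
        --extKeyUsage serverAuth
}

# Export only the CA's public certificate (PEM) for the client's CA field.
export_ca() { certutil -L -d "$DB" -n "$CA_NICK" -a > "$NSSDIR/MYCA.crt"; }

# Verify signatures (-e) and that the server cert chains to a CA trusted for
# server use (-u V).  Prints "certutil: certificate is valid." on success.
verify_chain() { certutil -V -e -d "$DB" -n "$SERVER_FQDN" -u V; }

# leftcert= needs a certificate AND its private key in the DB; -K lists keys.
has_private_key() { certutil -K -d "$DB" | grep -q "$SERVER_FQDN"; }

build_all() {
    init_db
    make_ca
    make_server_cert
    export_ca
    verify_chain
    has_private_key
    echo "NSS DB: $NSSDIR   CA exported to: $NSSDIR/MYCA.crt"
    echo "ipsec.conf: leftcert=$SERVER_FQDN  leftid=@$SERVER_FQDN   (not leftcert=$CA_NICK)"
}

# Run the whole sequence only when invoked as: sh thisscript.sh build
if [ "${1:-}" = build ]; then
    build_all
fi
```

Usage: `NSSDIR=/etc/ipsec.d sh make-vpn-certs.sh build` on the server, then hand only MYCA.crt to the client; `certutil -L -d sql:/etc/ipsec.d` should afterwards list the CA with `CT,,` and the server cert with `,,`, and `certutil -K` must show a key for the server nickname or pluto cannot use it as leftcert. Two caveats for the rest of the posted setup, unrelated to what the script changes: `left=` must be the server's IP address or a resolvable hostname (a certificate nickname is not enough on its own), and the iptables rules pin `--sport 500` / `--sport 4500`, which drops IKE from any client behind NAT whose source port was rewritten (a phone hotspot usually is); match on `--dport` only.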