[Swan] Problems with Initial Configuration
Paul Wouters
paul at nohats.ca
Wed Nov 15 04:56:17 UTC 2017
On Tue, 14 Nov 2017, Glenn Sams wrote:
> I've been attempting to get libreswan up and running on my home server. This was my first time setting up libreswan. I tired
> reading through a few different tutorials, but I could not get a client to connect.
>
> I started by creating my CA
> # ipsec initnss
> # certutil -S -x -n "MyHome" -s "O=VPN,CN=MyHome" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2
I recommend keeping your CA outside of your ipsec nss store. So your "CA
store" generates a pkcs12 file and you only "ipsec import" the pkcs12
file into libreswan.
> conn xauth-rsa
> authby=rsasig
> pfs=no
> auto=add
> rekey=no
> left=MyHome
> leftcert=MyHome
> leftid=%fromcert
> leftsendcert=always
> leftsubnet=0.0.0.0/0
> right=%any
> rightca=%same
> rightaddresspool=172.16.2.1-172.16.2.254
> modecfgdns1=192.168.9.23
> modecfgdns2=8.8.8.8
> leftxauthserver=yes
> rightxauthclient=yes
> leftmodecfgserver=yes
> rightmodecfgclient=yes
> modecfgpull=yes
> xauthby=pam
> ike-frag=yes
>
>
> Now from here I went in and setup a new ShrewSoft Connection on my laptop (using the MYCA.crt for the Server Certificate Authority
> Field). I hot spotted to my cell phone so i wasn't testing on the same network as the server (which I've done to connect to the
> work Cisco ASA). Clicked Connect and after a few seconds I got a timeout warning. So I doubled checked my iptables and I do have
> the ports (I know I have not set the nating, but i have not gotten that far yet):
> -A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
Note you should allo any port to dport udp 500/4500 due to NAT boxes
changing the source port.
> -A INPUT -p esp -j ACCEPT
> -A INPUT -p ah -j ACCEPT
> -A INPUT -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
> -A INPUT -p tcp -m tcp --sport 4500 --dport 4500 -j ACCEPT
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
If you are a gateway between remote node and a local LAN, then
you need to FORWARD the post-decrypt and pre-encrypt packets,
so this rule is too tight.
> I then looked at the /var/log/pluto.log file and saw this https://pastebin.com/4cRJS1Df (given the length of the log file i just
Nov 14 15:35:41: packet from <client_ip>:500: initial Aggressive Mode
message from <client_ip> but no (wildcard) connection has been
configured with policy AGGRESSIVE+IKEV1_ALLOW
You are using Main Mode but the client is using Aggressive Mode. You can
disable aggressive mode on the client, or enable it on the server
(aggressive=yes). It gives you a little more privacy to NOT use
aggressive mode.
Paul
More information about the Swan
mailing list