[Swan] Problems with Initial Configuration

Paul Wouters paul at nohats.ca
Wed Nov 15 04:56:17 UTC 2017


On Tue, 14 Nov 2017, Glenn Sams wrote:

> I've been attempting to get libreswan up and running on my home server. This was my first time setting up libreswan. I tried
> reading through a few different tutorials, but I could not get a client to connect.
> 
> I started by creating my CA
>     # ipsec initnss
>     # certutil -S -x -n "MyHome" -s "O=VPN,CN=MyHome" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2

I recommend keeping your CA outside of your ipsec nss store. So your "CA
store" generates a pkcs12 file and you only "ipsec import" the pkcs12
file into libreswan.

> conn xauth-rsa
>     authby=rsasig
>     pfs=no
>     auto=add
>     rekey=no
>     left=MyHome
>     leftcert=MyHome
>     leftid=%fromcert
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightca=%same
>     rightaddresspool=172.16.2.1-172.16.2.254
>     modecfgdns1=192.168.9.23
>     modecfgdns2=8.8.8.8
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     xauthby=pam
>     ike-frag=yes
> 
> 
> Now from here I went in and set up a new ShrewSoft Connection on my laptop (using the MYCA.crt for the Server Certificate Authority
> Field). I hot spotted to my cell phone so I wasn't testing on the same network as the server (which I've done to connect to the
> work Cisco ASA). Clicked Connect and after a few seconds I got a timeout warning.  So I double checked my iptables and I do have
> the ports (I know I have not set up the NATing, but I have not gotten that far yet):
> -A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT

Note you should allow any source port to dport udp 500/4500 due to NAT boxes
changing the source port.


> -A INPUT -p esp -j ACCEPT
> -A INPUT -p ah -j ACCEPT
> -A INPUT -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
> -A INPUT -p tcp -m tcp --sport 4500 --dport 4500 -j ACCEPT
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited

If you are a gateway between remote node and a local LAN, then
you need to FORWARD the post-decrypt and pre-encrypt packets,
so this rule is too tight.

> I then looked at the /var/log/pluto.log file and saw this https://pastebin.com/4cRJS1Df (given the length of the log file I just

    Nov 14 15:35:41: packet from <client_ip>:500: initial Aggressive Mode
    message from <client_ip> but no (wildcard) connection has been
    configured with policy AGGRESSIVE+IKEV1_ALLOW

You are using Main Mode but the client is using Aggressive Mode. You can
disable aggressive mode on the client, or enable it on the server
(aggressive=yes). It gives you a little more privacy to NOT use
aggressive mode.

Paul
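As an added example (not part of either mail in this thread), here are Glenn's quoted INPUT/FORWARD rules next to a version reflecting Paul's two firewall points: match only the destination port for IKE/NAT-T, and let the post-decrypt and pre-encrypt traffic through FORWARD ahead of the final REJECT. The pool subnet comes from the quoted rightaddresspool; the LAN subnet is an assumption based on modecfgdns1.

```shell
#!/bin/sh
# Added example, not from the thread. Subnets: POOL is the quoted
# rightaddresspool; LAN is an assumption (the network holding modecfgdns1).
POOL="172.16.2.0/24"
LAN="192.168.9.0/24"

# The quoted rules pin --sport 500/4500. A NAT box between the client and
# the server rewrites the source port, so these rules drop the IKE packets.
original_rules() {
    cat <<'EOF'
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Corrected: match the destination port only, and accept FORWARDed traffic
# between pool and LAN that is covered by an IPsec policy (decrypted on the
# way in, about to be encrypted on the way out) before the blanket REJECT.
corrected_rules() {
    cat <<EOF
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A FORWARD -s $POOL -d $LAN -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -s $LAN -d $POOL -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Returns 0 when the given rule set no longer pins the IKE source port.
no_sport_pins() {
    ! "$1" | grep -q -- '--sport'
}

# Returns 0 when the rule set forwards IPsec-policy traffic before rejecting.
forwards_ipsec() {
    "$1" | grep -q -- '-A FORWARD .* -m policy .* --pol ipsec -j ACCEPT'
}
```

Load the corrected lines with iptables-restore or as individual `iptables` commands; the `-m policy` matches require the xt_policy module, which ships with stock kernels.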
