[Swan] Problems with Initial Configuration
Glenn Sams
glenn at hpaptechnologies.com
Wed Nov 15 16:49:47 UTC 2017
For the CA, I understand the extra security in keeping it stored outside
the ipsec directory, but is it required? I only ask as this CA is only
to be used by home VPN and if I ever have to wipe and reload I would not
mind no care to recreating.
I thought I had remove the -sport from the iptables commands. My mistake
there.
As for the forward. That is just the default one place by the OS. I have
not gotten that far in setting up the firewall as I was still trying
trying to get a connection to the server established. I know I would
have to remove line and add in something like:
iptables -t nat -I POSTROUTING -s 172.16.2.0/24 -d 192.168.9.0/24 -j
RETURN
iptables -t nat -A POSTROUTING -s 172.16.2.0/24 -d 0.0.0.0/8 -j
MASQUERADE
I also forgot to include in the original email. That when using Main
mode I do not see any connection attempts at all in the server and even
tired it with iptables shutdown. With or without iptables turned on when
in Main Mode i see the requests coming in via TCPDUMP, but libreswan
doesn't seem to register them. Only in Aggressive mode does libreswan
notice the connection.
11:11:21.187284 IP <client_host>.isakmp > <server_host>.isakmp: isakmp:
phase 1 I ident
aggressive=yes also did not seem to be a valid option. So i looked at
the ipsec.conf.5 manual and saw aggrmode was the parameter name. However
when I reading through the wiki for libreswan for the type of connection
i wanted to use. They only used the aggrmode on the client side and not
the server side.
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_Certificates
Whats funny about the line you point out. When you look at the out of
`ipsec status` you can see:
000 "xauth-rsa": policy:
RSASIG+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
------ Original Message ------
From: "Paul Wouters" <paul at nohats.ca>
To: "Glenn Sams" <glenn at hpaptechnologies.com>
Cc: swan at lists.libreswan.org
Sent: 11/14/2017 11:56:17 PM
Subject: Re: [Swan] Problems with Initial Configuration
>On Tue, 14 Nov 2017, Glenn Sams wrote:
>
>>I've been attempting to get libreswan up and running on my home
>>server. This was my first time setting up libreswan. I tired
>>reading through a few different tutorials, but I could not get a
>>client to connect.
>>
>>I started by creating my CA
>> # ipsec initnss
>> # certutil -S -x -n "MyHome" -s "O=VPN,CN=MyHome" -k rsa -g 4096
>>-v 36 -d sql:/etc/ipsec.d -t "CT,," -2
>
>I recommend keeping your CA outside of your ipsec nss store. So your
>"CA
>store" generates a pkcs12 file and you only "ipsec import" the pkcs12
>file into libreswan.
>
>>conn xauth-rsa
>> authby=rsasig
>> pfs=no
>> auto=add
>> rekey=no
>> left=MyHome
>> leftcert=MyHome
>> leftid=%fromcert
>> leftsendcert=always
>> leftsubnet=0.0.0.0/0
>> right=%any
>> rightca=%same
>> rightaddresspool=172.16.2.1-172.16.2.254
>> modecfgdns1=192.168.9.23
>> modecfgdns2=8.8.8.8
>> leftxauthserver=yes
>> rightxauthclient=yes
>> leftmodecfgserver=yes
>> rightmodecfgclient=yes
>> modecfgpull=yes
>> xauthby=pam
>> ike-frag=yes
>>
>>
>>Now from here I went in and setup a new ShrewSoft Connection on my
>>laptop (using the MYCA.crt for the Server Certificate Authority
>>Field). I hot spotted to my cell phone so i wasn't testing on the same
>>network as the server (which I've done to connect to the
>>work Cisco ASA). Clicked Connect and after a few seconds I got a
>>timeout warning. So I doubled checked my iptables and I do have
>>the ports (I know I have not set the nating, but i have not gotten
>>that far yet):
>>-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
>
>Note you should allo any port to dport udp 500/4500 due to NAT boxes
>changing the source port.
>
>
>>-A INPUT -p esp -j ACCEPT
>>-A INPUT -p ah -j ACCEPT
>>-A INPUT -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
>>-A INPUT -p tcp -m tcp --sport 4500 --dport 4500 -j ACCEPT
>>-A FORWARD -j REJECT --reject-with icmp-host-prohibited
>
>If you are a gateway between remote node and a local LAN, then
>you need to FORWARD the post-decrypt and pre-encrypt packets,
>so this rule is too tight.
>
>>I then looked at the /var/log/pluto.log file and saw this
>>https://pastebin.com/4cRJS1Df (given the length of the log file i just
>
> Nov 14 15:35:41: packet from <client_ip>:500: initial Aggressive Mode
> message from <client_ip> but no (wildcard) connection has been
> configured with policy AGGRESSIVE+IKEV1_ALLOW
>
>You are using Main Mode but the client is using Aggressive Mode. You
>can
>disable aggressive mode on the client, or enable it on the server
>(aggressive=yes). It gives you a little more privacy to NOT use
>aggressive mode.
>
>Paul
>
More information about the Swan
mailing list