[Swan] Problems with Initial Configuration

Glenn Sams glenn at hpaptechnologies.com
Wed Nov 15 16:49:47 UTC 2017


For the CA, I understand the extra security in keeping it stored outside 
the ipsec directory, but is it required? I only ask as this CA is only 
to be used by the home VPN, and if I ever have to wipe and reload I would 
not mind recreating it.

I thought I had removed the --sport from the iptables commands. My mistake 
there.

As for the forward: that is just the default one placed by the OS. I have 
not gotten that far in setting up the firewall as I was still trying 
to get a connection to the server established. I know I would 
have to remove that line and add in something like:
iptables -t nat -I POSTROUTING -s 172.16.2.0/24 -d 192.168.9.0/24 -j RETURN
iptables -t nat -A POSTROUTING -s 172.16.2.0/24 -d 0.0.0.0/0 -j MASQUERADE

I also forgot to include in the original email that when using Main 
Mode I do not see any connection attempts at all on the server, and I even 
tried it with iptables shut down. With or without iptables turned on, when 
in Main Mode I see the requests coming in via tcpdump, but libreswan 
doesn't seem to register them. Only in Aggressive mode does libreswan 
notice the connection.
11:11:21.187284 IP <client_host>.isakmp > <server_host>.isakmp: isakmp: phase 1 I ident

aggressive=yes also did not seem to be a valid option. So I looked at 
the ipsec.conf.5 manual and saw aggrmode was the parameter name. However, 
when I was reading through the libreswan wiki for the type of connection 
I wanted to use, they only used aggrmode on the client side and not 
the server side.
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_Certificates

What's funny about the line you point out: when you look at the output of 
`ipsec status` you can see:
000 "xauth-rsa": policy: RSASIG+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;

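As an added example, not part of Glenn's or Paul's messages: a ruleset in the shape Paul's comments point to (any source port to UDP 500/4500, a FORWARD exception for the VPN pool instead of a blanket reject, and the LAN RETURN rule ahead of the MASQUERADE), emitted as iptables-restore text with a small check function rather than applied to a live firewall. The pool and the 192.168.9.0/24 LAN are taken from the config in this thread; the policy-match FORWARD rules are this example's own assumption.

```shell
# Constructed example: emit the firewall rules the thread converges on in
# iptables-restore format, so they can be reviewed and checked before
# loading (e.g. `ipsec_rules | iptables-restore -n`).
POOL=172.16.2.0/24    # rightaddresspool from the conn above
LAN=192.168.9.0/24    # home LAN behind the gateway (assumed from modecfgdns1)

ipsec_rules() {
  cat <<EOF
*filter
# IKE and NAT-T: any source port to dport 500/4500, since NAT boxes rewrite
# the client's source port
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
# Forward only traffic that arrived via an IPsec SA (post-decrypt) or will
# leave via one (pre-encrypt) between the pool and the LAN; reject the rest
-A FORWARD -s $POOL -d $LAN -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -s $LAN -d $POOL -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
# Pool-to-LAN traffic keeps its pool address; anything else the pool sends
# out is masqueraded behind the gateway
-A POSTROUTING -s $POOL -d $LAN -j RETURN
-A POSTROUTING -s $POOL -j MASQUERADE
COMMIT
EOF
}

# Checks for the three mistakes discussed in the thread; prints the first
# one found and returns 1, or returns 0 when the ruleset is clean.
check_rules() {
  rules=$(ipsec_rules)
  case "$rules" in
    *--sport*) echo "IKE rule restricts the source port"; return 1 ;;
  esac
  first_nat=$(printf '%s\n' "$rules" | grep -e RETURN -e MASQUERADE | head -n 1)
  case "$first_nat" in
    *RETURN*) ;;
    *) echo "MASQUERADE precedes the LAN RETURN rule"; return 1 ;;
  esac
  first_fwd=$(printf '%s\n' "$rules" | grep '^-A FORWARD' | head -n 1)
  case "$first_fwd" in
    *ACCEPT*) ;;
    *) echo "FORWARD rejects before accepting VPN traffic"; return 1 ;;
  esac
  return 0
}
```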

------ Original Message ------
From: "Paul Wouters" <paul at nohats.ca>
To: "Glenn Sams" <glenn at hpaptechnologies.com>
Cc: swan at lists.libreswan.org
Sent: 11/14/2017 11:56:17 PM
Subject: Re: [Swan] Problems with Initial Configuration

>On Tue, 14 Nov 2017, Glenn Sams wrote:
>
>>I've been attempting to get libreswan up and running on my home 
>>server. This was my first time setting up libreswan. I tried
>>reading through a few different tutorials, but I could not get a 
>>client to connect.
>>
>>I started by creating my CA
>>     # ipsec initnss
>>     # certutil -S -x -n "MyHome" -s "O=VPN,CN=MyHome" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2
>
>I recommend keeping your CA outside of your ipsec nss store. So your "CA
>store" generates a pkcs12 file and you only "ipsec import" the pkcs12
>file into libreswan.
>
>>conn xauth-rsa
>>     authby=rsasig
>>     pfs=no
>>     auto=add
>>     rekey=no
>>     left=MyHome
>>     leftcert=MyHome
>>     leftid=%fromcert
>>     leftsendcert=always
>>     leftsubnet=0.0.0.0/0
>>     right=%any
>>     rightca=%same
>>     rightaddresspool=172.16.2.1-172.16.2.254
>>     modecfgdns1=192.168.9.23
>>     modecfgdns2=8.8.8.8
>>     leftxauthserver=yes
>>     rightxauthclient=yes
>>     leftmodecfgserver=yes
>>     rightmodecfgclient=yes
>>     modecfgpull=yes
>>     xauthby=pam
>>     ike-frag=yes
>>
>>
>>Now from here I went in and set up a new ShrewSoft Connection on my 
>>laptop (using the MYCA.crt for the Server Certificate Authority
>>field). I hotspotted to my cell phone so I wasn't testing on the same 
>>network as the server (which I've done to connect to the
>>work Cisco ASA). Clicked Connect and after a few seconds I got a 
>>timeout warning.  So I double checked my iptables and I do have
>>the ports (I know I have not set up the NAT, but I have not gotten 
>>that far yet):
>>-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
>
>Note you should allow any port to dport udp 500/4500 due to NAT boxes
>changing the source port.
>
>
>>-A INPUT -p esp -j ACCEPT
>>-A INPUT -p ah -j ACCEPT
>>-A INPUT -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
>>-A INPUT -p tcp -m tcp --sport 4500 --dport 4500 -j ACCEPT
>>-A FORWARD -j REJECT --reject-with icmp-host-prohibited
>
>If you are a gateway between remote node and a local LAN, then
>you need to FORWARD the post-decrypt and pre-encrypt packets,
>so this rule is too tight.
>
>>I then looked at the /var/log/pluto.log file and saw this 
>>https://pastebin.com/4cRJS1Df (given the length of the log file I just
>
>	Nov 14 15:35:41: packet from <client_ip>:500: initial Aggressive Mode
>	message from <client_ip> but no (wildcard) connection has been
>	configured with policy AGGRESSIVE+IKEV1_ALLOW
>
>You are using Main Mode but the client is using Aggressive Mode. You can
>disable aggressive mode on the client, or enable it on the server
>(aggressive=yes). It gives you a little more privacy to NOT use
>aggressive mode.
>
>Paul
>