[Swan] Problems with Initial Configuration

Paul Wouters paul at nohats.ca
Thu Nov 16 14:27:00 UTC 2017


On Wed, 15 Nov 2017, Glenn Sams wrote:

> For the CA, I understand the extra security in keeping it stored outside the 
> ipsec directory, but is it required? I only ask as this CA is only to be used 
> by the home VPN, and if I ever have to wipe and reload I would not mind or care 
> about recreating it.

Ok, then it is fine I guess.

> As for the forward, that is just the default one placed by the OS. I have not 
> gotten that far in setting up the firewall as I was still trying to 
> get a connection to the server established.

Ok.

> I also forgot to include in the original email that when using Main mode I 
> do not see any connection attempts at all on the server, and I even tried it 
> with iptables shut down.

If you don't see any traffic to port 500 or 4500 then the client didn't
attempt to reach you (or failed to reach you). Pluto will also ALWAYS
log a line saying "received XXX bytes from A.B.C.D" regardless of the
content and before it has read the packet's data. There is no difference
in this behaviour between ikev1 main/aggrmode or ikev2.

> Only in Aggressive mode does libreswan notice the connection.

Then only in that mode did the client send a packet.

> aggressive=yes also did not seem to be a valid option

In older versions it is aggrmode=; newer versions use aggressive= but
still accept the old keyword.

> Reading through the wiki for libreswan for the type of connection I wanted to 
> use, they only used aggrmode on the client side and not the server side.
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_Certificates

It is better to use main mode if possible. If you run multiple different
groups of connections that need a different matching connection on the
server (e.g. different certs, server ID, etc.) then for IKEv1 you must use
aggrmode, but in that case we would recommend using IKEv2 instead.

Paul
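Two checks that follow from the reply above, as an added example that is not part of the thread or of libreswan itself: count the "received N bytes from A.B.C.D" lines pluto logs for every inbound IKE packet, so an operator can tell whether any packet reached the server at all, and read the aggressive-mode setting of a conn section whichever of the two keywords (old aggrmode=, newer aggressive=) it uses. The log lines and the conn fragment are constructed samples, not real pluto output or a real configuration.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Matches the line pluto logs before it parses any IKE packet
# ("received XXX bytes from A.B.C.D" in the reply); the syslog prefix is ignored.
RECEIVED_RE = re.compile(r"received (\d+) bytes from (\d{1,3}(?:\.\d{1,3}){3})")


def ike_arrivals(log_text: str) -> Dict[str, int]:
    """Count 'received N bytes from IP' lines per peer address.

    An empty result means no IKE packet reached pluto on UDP 500/4500, so the
    fault is on the client side or in the path, not in the server's connection
    matching. As the reply notes, this line is logged the same way for IKEv1
    main mode, IKEv1 aggressive mode and IKEv2.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = RECEIVED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


def aggressive_setting(conn_text: str) -> Optional[bool]:
    """Return the effective aggressive-mode setting of one conn section.

    Accepts the old keyword aggrmode= and the newer aggressive= (newer releases
    still accept the old one). If both appear with different values the section
    is ambiguous and a ValueError is raised; None means neither keyword is set.
    """
    values = {}
    for line in conn_text.splitlines():
        m = re.match(r"\s*(aggrmode|aggressive)\s*=\s*(yes|no)\s*$", line, re.I)
        if m:
            values[m.group(1).lower()] = m.group(2).lower() == "yes"
    if len(set(values.values())) > 1:
        raise ValueError(f"conflicting aggressive-mode keywords: {values}")
    return next(iter(values.values()), None)


# Constructed sample log (not real pluto output): two packets from one peer.
SAMPLE_LOG = """\
Nov 15 21:03:11 vpn pluto[1234]: received 412 bytes from 203.0.113.7
Nov 15 21:03:13 vpn pluto[1234]: received 412 bytes from 203.0.113.7
Nov 15 21:05:42 vpn pluto[1234]: listening for IKE messages
"""

# Constructed client-side conn fragment using the old keyword.
SAMPLE_CONN = "conn home-vpn\n    aggrmode=yes\n"

if __name__ == "__main__":
    print(ike_arrivals(SAMPLE_LOG))         # {'203.0.113.7': 2}
    print(aggressive_setting(SAMPLE_CONN))  # True
```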

