[Swan] network-manager-libreswan and /etc/ipsec.d/passwd
Computerisms Corporation
bob at computerisms.ca
Mon Jan 8 06:42:00 UTC 2018
Hi Gurus,
I made it my mission this weekend to figure out how to get network
manager on ubuntu to connect to a libreswan server, since the
network-manager-libreswan isn't available in repos yet. I did meet with
success, but I had to set the xauthfail=soft to bypass the passwd file.
As I understand it, the network-manager-libreswan only supports
xauth+ikev1+psk, so I configured my system as per the libreswan wiki.
But everything I tried met with failed authentication from the passwd
file; specifically, the log records bad username or passwd.
I used htpasswd utility to create the file. I appended :rw-xauth-psk as
derived by the conn name in ipsec.conf to the line. I used the htpasswd
-v utility (without the :rw-xauth-psk appended) to verify that it works.
File owned by root:root, chmod 640, just in case there is some
permission restriction I didn't find documented.
I am not clear where the problem here could be.
The wiki explicitly says that htpasswd cannot be used to create the
passwd file, but I found a mailing list post from a few months ago that
says to use it, and my hash begins with $apr1$ as that example does.
That post also suggests using grub-md5-crypt, but that program is not
available on my system and is only available through grub-legacy, which
is a can of worms I didn't particularly want to argue with.
I also do not find any tools within libreswan to verify a password
against the file.
I am also not 100% sure that the network manager is even sending the
password, though the server log does indicate it is sending the correct
username. Client-side logs say "cisco password" is received, so
presumably that means it dug it up and sent it, but they don't explicitly
say it sent it.
Based on another suggestion I found, I also tried putting:
@user: XAUTH "pass"
in my ipsec.secrets and removing the passwd file, but then logs
complained the passwd file did not exist.
Also upgraded to latest 3.22.
So I'm thinking I am overlooking something, or must have failed to read
something? Any hints would be appreciated...
--
Bob Miller
Cell: 867-334-7117
Office: 867-633-3760
www.computerisms.ca
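One way to check an /etc/ipsec.d/passwd entry offline, since the post notes libreswan ships no tool for verifying a password against the file. This is an added example, not code from the post or from libreswan: it reimplements md5-crypt (the $apr1$ scheme that htpasswd -m writes, and $1$ when given that magic) on top of the standard library only, and its reading of the user:hash:connname layout, with the third field compared against the conn name, is an assumption taken from the post rather than libreswan's own lookup code. The sample file is constructed inside the block.

```python
import hashlib, hmac
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password, salt, magic="$apr1$"):
    # md5-crypt: htpasswd -m uses magic "$apr1$", glibc crypt(3) uses "$1$"
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + magic.encode() + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for pl in range(len(pw), 0, -16):          # fold in len(pw) bytes of alt
        ctx.update(alt[:min(pl, 16)])
    i = len(pw)
    while i:                                   # bit pattern of the length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # fixed 1000 stretching rounds
        h = hashlib.md5(pw if i & 1 else final)
        if i % 3: h.update(sl)
        if i % 7: h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    enc = ""                                   # crypt-style base64, byte order shuffled
    for a, b, c in [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]:
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        enc += "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(4))
    enc += "".join(ITOA64[(final[11] >> (6 * k)) & 0x3F] for k in range(2))
    return f"{magic}{sl.decode()}${enc}"

def verify_hash(password, stored):
    parts = stored.split("$")                  # ['', 'apr1', salt, hash]
    if len(parts) != 4 or parts[1] not in ("apr1", "1"):
        return False                           # not an md5-crypt hash
    cand = md5_crypt(password, parts[2], magic=f"${parts[1]}$")
    return hmac.compare_digest(cand, stored)

def check_xauth(passwd_text, user, password, conn):
    # Lookup as I read the user:hash:connname layout (assumption, not libreswan's code)
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or fields[0] != user:
            continue
        if fields[2] != conn:
            return "wrong-conn"
        return "ok" if verify_hash(password, fields[1]) else "bad-password"
    return "no-user"

# Constructed sample file: htpasswd -m style lines with ":connname" appended
SAMPLE_PASSWD = (f"bob:{md5_crypt('s3cret', 'abcdefgh')}:rw-xauth-psk\n"
                 f"alice:{md5_crypt('hunter2', 'ZYXWVUTS')}:other-conn\n")
```

Run check_xauth against a copy of the real file with the exact conn name from ipsec.conf; a "wrong-conn" result separates a mismatched third field from a hash that does not verify.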