[Swan] network-manager-libreswan and /etc/ipsec.d/passwd

Computerisms Corporation bob at computerisms.ca
Mon Jan 8 06:42:00 UTC 2018


Hi Gurus,

I made it my mission this weekend to figure out how to get Network 
Manager on Ubuntu to connect to a libreswan server, since 
network-manager-libreswan isn't available in the repos yet.  I did meet with 
success, but I had to set xauthfail=soft to bypass the passwd file.

As I understand it, network-manager-libreswan only supports 
xauth+ikev1+psk, so I configured my system as per the libreswan wiki, 
but everything I tried met with failed authentication from the passwd 
file; specifically, the log records bad username or passwd.

I used the htpasswd utility to create the file.  I appended :rw-xauth-psk, as 
derived from the conn name in ipsec.conf, to the line.  I used htpasswd 
-v (without the :rw-xauth-psk appended) to verify that it works. 
The file is owned by root:root, chmod 640, just in case there is some 
permission restriction I didn't find documented.

I am not clear where the problem here could be.

The wiki explicitly says htpasswd cannot be used to create the 
passwd file, but I found a mailing list post from a few months ago that 
says to use it, and my hash begins with $apr1$ as that example does. 
That post also suggests using grub-md5-crypt, but that program is not 
available on my system and is only available through grub-legacy, which 
is a can of worms I didn't particularly want to argue with.

I also do not find any tools within libreswan to verify a password 
against the file.

I am also not 100% sure that the network manager is even sending the 
password, though the server log does indicate it is sending the correct 
username.  Client-side logs say the Cisco password is received, so 
presumably that means it dug it up and sent it, but they don't explicitly 
say it sent it.

Based on another suggestion I found, I also tried putting:

@user: XAUTH "pass"

in my ipsec.secrets and removing the passwd file, but then logs 
complained the passwd file did not exist.

Also upgraded to latest 3.22.

So I'm thinking I am overlooking something; I must have failed to read 
something?  Any hints would be appreciated...
-- 
Bob Miller
Cell: 867-334-7117
Office: 867-633-3760
www.computerisms.ca
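As an added example, not part of Bob's message or of libreswan's own tooling: a Python checker for the `user:hash:connname` lines the post describes. It implements the `$apr1$` scheme that `htpasswd -m` writes, so a candidate password can be checked against such a file offline, and it reports whether the hash field has a form a plain glibc crypt(3) would parse at all (13-character DES, `$1$`, `$5$`, `$6$`). That prefix list, and the premise that the server-side check hands the hash field to crypt(3), are assumptions made here, not statements from the post.

```python
import hashlib
import hmac

# to64 alphabet used by htpasswd's MD5 scheme (not standard base64).
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
CRYPT_PREFIXES = ("$1$", "$5$", "$6$")  # what a plain glibc crypt(3) accepts (assumption)

def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ MD5 scheme, i.e. what `htpasswd -m` writes."""
    pw, s = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for n in range(len(pw), 0, -16):          # one alt block per 16 password bytes
        ctx.update(alt[:min(16, n)])
    for bit in bin(len(pw))[:1:-1]:           # length bits, LSB first: NUL or pw[0]
        ctx.update(b"\0" if bit == "1" else pw[:1])
    final = ctx.digest()
    for i in range(1000):                     # stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""                                  # permuted bytes, 6 bits per character
    for g in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5), (11,)):
        v = int.from_bytes(bytes(final[i] for i in g), "big")
        for _ in range(len(g) + 1):
            out += chr(ITOA64[v & 0x3F])
            v >>= 6
    return "$apr1$%s$%s" % (s.decode(), out)

def crypt_readable(h: str) -> bool:
    return h.startswith(CRYPT_PREFIXES) or (len(h) == 13 and "$" not in h)

def verify_xauth(passwd_text: str, user: str, conn: str, password: str) -> str:
    """Check one login against user:hash:connname lines (the /etc/ipsec.d/passwd layout)."""
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 3 or fields[0] != user:
            continue
        _, h, line_conn = fields
        if line_conn != conn:
            return "wrong-conn"
        if not h.startswith("$apr1$"):
            return "unsupported-here"          # this checker only implements $apr1$
        salt = h[6:].split("$", 1)[0]
        return "ok" if hmac.compare_digest(apr1_md5(password, salt), h) else "bad-password"
    return "no-such-user"
```

Verdicts are the strings `ok`, `bad-password`, `wrong-conn`, `no-such-user` and `unsupported-here`; an `$apr1$` entry that verifies here but fails `crypt_readable` is exactly one that `htpasswd -v` accepts while a crypt(3)-based check cannot parse it.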

