[Swan] network-manager-libreswan and /etc/ipsec.d/passwd

Paul Wouters paul at nohats.ca
Mon Jan 8 22:32:06 UTC 2018


On Sun, 7 Jan 2018, Computerisms Corporation wrote:

> I made it my mission this weekend to figure out how to get network manager on 
> ubuntu to connect to a libreswan server, since the network-manager-libreswan 
> isn't available in repos yet.  I did meet with success, but I had to set the 
> xauthfail=soft to bypass the passwd file.
>
> As I understand it, the network-manager-libreswan only supports 
> xauth+ikev1+psk, so I configured my system as per the libreswan wiki, but 
> everything I tried met with failed authentication from the passwd file; 
> specifically the log records bad username or passwd.
>
> I used htpasswd utility to create the file.  I appended :rw-xauth-psk as 
> derived by the conn name in ipsec.conf to the line.  I used the htpasswd -v 
> utility (without the :rw-xauth-psk appended) to verify that it works.  file 
> owned by root:root, chmod 640 just in case there is some permission 
> restriction I didn't find documented.

It should work. Some older selinux policies prevented some pam lookups
from working but not passwd lookups. But in case you are running with
selinux in enforced mode, run restorecon /etc/ipsec.d/passwd

> So thinking I am overlooking something, must have failed to read something? 
> Any hints would be appreciated...

I would enable plutodebug="all,private" and rerun, and look on the
server side what's happening.

Paul
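Added example for this thread (not libreswan's code, and not something either poster wrote): a small linter for /etc/ipsec.d/passwd that checks what the original poster set up by hand. It assumes the entry format `username:hash[:connname]` described above, and it assumes, from my reading of the pluto source rather than from anything in this thread, that pluto verifies the stored hash with crypt(3). Under that assumption an entry written by `htpasswd` in its default `$apr1$` (Apache MD5) format, or as `{SHA}`, will pass `htpasswd -v` but can never match in pluto, which is one of the things worth ruling out before turning on plutodebug. The sample file content and the hash strings in it are constructed placeholders, not real digests.

```python
"""Lint /etc/ipsec.d/passwd entries for libreswan's xauthby=file.

Added example for the mailing-list thread; not libreswan's own code.
Assumptions: lines are  username:hash[:connname]  (no connname = valid for
any conn), and pluto verifies hashes with crypt(3), so Apache-only formats
($apr1$, {SHA}) never match even though `htpasswd -v` reports them valid.
"""
import re
import stat

try:
    import crypt  # stdlib crypt(3) wrapper; removed in Python 3.13, so optional
except ImportError:
    crypt = None

GLIBC_CRYPT = ("$1$", "$5$", "$6$")                 # md5/sha256/sha512 crypt
LIBXCRYPT_ONLY = ("$2a$", "$2b$", "$2y$", "$y$", "$7$")  # bcrypt/yescrypt/scrypt
APACHE_ONLY = ("$apr1$", "{SHA}")                    # htpasswd -m (default) / -s
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")          # classic 13-char DES crypt

# Constructed sample file; the hash strings are placeholders of the right
# shape, not digests of any real password.
SAMPLE_PASSWD = """\
# user:hash:conn
alice:$apr1$Zx9kQ2aB$Q0123456789abcdefghijk:rw-xauth-psk
bob:$6$Zx9kQ2aB$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnop:rw-xauth-psk
carol:$6$Zx9kQ2aB$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnop:other-conn
dave:$5$Zx9kQ2aB$0123456789abcdefghijklmnopqrstuvwxyzABCDEFG
"""


def hash_format(h):
    """Classify a stored hash by which verifier can check it:
    'crypt' (any glibc), 'libxcrypt' (newer libc only), 'apache' or 'unknown'."""
    if h.startswith(APACHE_ONLY):
        return "apache"
    if h.startswith(GLIBC_CRYPT) or DES_RE.match(h):
        return "crypt"
    if h.startswith(LIBXCRYPT_ONLY):
        return "libxcrypt"
    return "unknown"


def parse_line(line):
    """(user, hash, conn-or-None) for one passwd line; None for blank/comment
    lines; ValueError if there is no ':' separator at all."""
    line = line.rstrip("\r\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 2:
        raise ValueError("expected user:hash[:connname], got %r" % line)
    conn = fields[2] if len(fields) > 2 else None
    return fields[0], fields[1], conn


def entries(text):
    """Yield (lineno, user, hash, conn) for every real entry in the file text."""
    for lineno, line in enumerate(text.splitlines(True), 1):
        parsed = parse_line(line)
        if parsed is not None:
            yield (lineno,) + parsed


def find_entries(text, user, conn):
    """Entries that apply to `user` authenticating on connection `conn`:
    same username, and either no conn restriction or a matching one."""
    return [e for e in entries(text) if e[1] == user and e[3] in (None, conn)]


def lint(text, conn):
    """(lineno, user, message) for every entry that cannot authenticate a
    client of connection `conn` under the assumptions in the module docstring."""
    problems = []
    for lineno, user, h, entry_conn in entries(text):
        fmt = hash_format(h)
        if fmt == "apache":
            problems.append((lineno, user, "hash %s... is Apache-only; crypt(3) "
                             "cannot verify it, regenerate with e.g. htpasswd -d" % h[:6]))
        elif fmt == "libxcrypt":
            problems.append((lineno, user, "hash needs libxcrypt; fails on plain glibc crypt(3)"))
        elif fmt == "unknown":
            problems.append((lineno, user, "unrecognised hash format"))
        if entry_conn == "":
            problems.append((lineno, user, "empty connection name field (stray ':'?)"))
        elif entry_conn not in (None, conn):
            problems.append((lineno, user, "restricted to conn %r, does not apply to %r"
                             % (entry_conn, conn)))
    return problems


def verify_password(h, password):
    """Check a password the way crypt(3)-based code does; None when this
    Python build has no crypt module, False for unsupported hash formats."""
    if crypt is None:
        return None
    try:
        return crypt.crypt(password, h) == h
    except OSError:  # libc crypt() rejected the salt/format
        return False


def perm_problems(uid, mode):
    """Ownership/mode findings from os.stat() values. root:root 0640 as used
    in the thread passes; pluto runs as root so no group access is needed."""
    problems = []
    if uid != 0:
        problems.append("not owned by root (uid %d)" % uid)
    if mode & stat.S_IROTH:
        problems.append("world-readable (mode %04o)" % stat.S_IMODE(mode))
    return problems


if __name__ == "__main__":
    for lineno, user, msg in lint(SAMPLE_PASSWD, "rw-xauth-psk"):
        print("line %d (%s): %s" % (lineno, user, msg))
```

To run it against a real server, read /etc/ipsec.d/passwd into `lint()` with the conn name from ipsec.conf and pass `st.st_uid, st.st_mode` from `os.stat()` to `perm_problems()`; `verify_password()` is the check `htpasswd -v` does not give you, because it goes through the same crypt(3) path pluto is assumed to use.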

