[Swan] net-to-net for road warriors

Alex mysqlstudent at gmail.com
Wed Jan 23 22:06:08 UTC 2019


Hi,

> note, i would remove the empty lines to prevent possible confusion with
> the config parser thinking a new section is starting.
>
> > # ipsec auto --up wyckofftun
> > 029 "wyckofftun": cannot initiate connection without knowing peer IP
>
> You cannot use right=%any and left=%defaultroute, as then libreswan
> cannot determine whether it is supposed to be "right" or "left".

Then when should it be used?

> Regardless, if you initiate, you must know the remote endpoint's DNS
> name or IP address. If one endpoint is behind NAT, only that endpoint
> can initiate. Unless it is behind a NAT that does port forwarding, in
> which case your right= should be the hostname or IP address of the NAT
> device.

The endpoint is not behind NAT. It is laptops and desktops and phones
connected to the remote VPN gateway on a private network with a
dynamic IP. The gateway then uses NAT to allow them to communicate
with the Internet, of course.

So you're saying go back to using RSA keys instead of certs, correct?

I'm again having the same problem I had some months ago when trying to
create a host-to-host VPN using RSA keys. I've deleted *.db and
recreated it and it still doesn't work. This is what I've done.

Remote side (dynamic IP)
# ipsec initnss
Initializing NSS database
# ipsec newhostkey
Generated RSA key pair with CKAID
b32410d13088e5f871df9c07c976172ffbe97dfc was stored in the NSS
database
# ipsec showhostkey --right --ckaid b32410d13088e5f871df9c07c976172ffbe97dfc
        # rsakey AwEAAcj4B
        rightrsasigkey=0sAwEAAcj4BMRurMTmyi6...

Local side (VPN server)
# rm -f *.db
# ipsec initnss
Initializing NSS database
# ipsec newhostkey
Generated RSA key pair with CKAID
a8f822acb96d1c9be7fb52014169d42806df30d8 was stored in the NSS
database
# ipsec showhostkey --left --ckaid a8f822acb96d1c9be7fb52014169d42806df30d8
        # rsakey AwEAAed2I
        leftrsasigkey=0sAwEAAed2Iw0fPA8tLL8q8MuFG5D...

I've used that to create the following wyckofftun.conf file which is
then copied to /etc/ipsec.d on both hosts

conn wyckofftun
        authby=rsasig
        ikev2=insist
        fragmentation=yes
        rightid=@wyckoff-orion
        right=wyckoff.crabdance.com
        # rsakey AwEAAcj4B
        rightrsasigkey=0sAwEAAcj4BMRurMTmyi6...
        leftid=@orion-wyckoff
        left=68.195.193.42
        # rsakey AwEAAed2I
        leftrsasigkey=0sAwEAAed2Iw0fPA8tLL8q8MuFG5D...

When I try to bring up the tunnel, it reports it's unable to locate its RSA key.

[root at orion ipsec.d]# ipsec auto --add wyckofftun
002 added connection description "wyckofftun"
[root at orion ipsec.d]# ipsec auto --up wyckofftun
002 "wyckofftun" #2: initiating v2 parent SA
133 "wyckofftun" #2: initiate
002 "wyckofftun" #2: constructed local IKE proposals for wyckofftun
(IKE SA initiator selecting KE):
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;INTEG=NONE;DH=ECP_256 ...
133 "wyckofftun" #2: STATE_PARENT_I1: sent v2I1, expected v2R1
003 "wyckofftun" #2: Can't find the certificate or private key from
the NSS CKA_ID
003 "wyckofftun" #2: Failed to find our RSA key

# ipsec showhostkey --list
< 1> RSA keyid: AwEAAed2I ckaid: a8f822acb96d1c9be7fb52014169d42806df30d8

The key is obviously there. This is on fedora29. Are we sure there
isn't a problem with fedora28 or libreswan-3.27-1.fc28.x86_64?

# ipsec barf
https://drive.google.com/file/d/19LTtomUH8VY3GvQ76gKXfC90_YWy3pSw/view?usp=sharing

I really hope someone can help me figure out what's wrong.
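Added example, not from the post and not libreswan's own code: a small Python checker that parses a `conn` section in libreswan's config syntax and the output of `ipsec showhostkey --list`, then reports which side's `rsasigkey` has a matching key in the local NSS database. It also reports settings that a stray blank line would silently detach from their `conn` section, which is the parser behaviour the quoted reply warns about. It assumes the keyid is the first nine base64 characters after the `0s` prefix (as the post's `# rsakey AwEAAed2I` / `keyid: AwEAAed2I` lines show); the sample inputs are constructed from the post, with the key material elided as it is there.

```python
import re

# Constructed sample: the conn section from the post (key material elided as in the post)
SAMPLE_CONF = """\
conn wyckofftun
        authby=rsasig
        ikev2=insist
        fragmentation=yes
        rightid=@wyckoff-orion
        right=wyckoff.crabdance.com
        # rsakey AwEAAcj4B
        rightrsasigkey=0sAwEAAcj4BMRurMTmyi6...
        leftid=@orion-wyckoff
        left=68.195.193.42
        # rsakey AwEAAed2I
        leftrsasigkey=0sAwEAAed2Iw0fPA8tLL8q8MuFG5D...
"""

# Constructed sample of `ipsec showhostkey --list` output, as shown in the post
SAMPLE_LIST = """\
< 1> RSA keyid: AwEAAed2I ckaid: a8f822acb96d1c9be7fb52014169d42806df30d8
"""

# Assumption: the keyid is the first 9 base64 characters after the "0s" prefix
KEYID_LEN = 9


def parse_conn_sections(text):
    """Parse 'conn NAME' sections into ({name: {key: value}}, orphans).

    A blank line ends the current section, so any key=value lines that follow
    a blank line without a new section header are returned as orphans: they
    would not be applied to the conn the author thought they belonged to.
    """
    sections, orphans, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line terminates the section
            continue
        if line.startswith('#'):
            continue                # comments carry no settings
        m = re.match(r'^conn\s+(\S+)$', line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition('=')
        if not sep:
            continue                # not a key=value line
        if current is None:
            orphans.append(line)    # setting detached from any section
        else:
            current[key.strip()] = value.strip()
    return sections, orphans


def keyid_of(rsasigkey):
    """Derive the short keyid from a leftrsasigkey/rightrsasigkey value."""
    if not rsasigkey or not rsasigkey.startswith('0s'):
        return None
    return rsasigkey[2:2 + KEYID_LEN]


def parse_showhostkey_list(text):
    """Map keyid -> ckaid from `ipsec showhostkey --list` output."""
    keys = {}
    for line in text.splitlines():
        m = re.search(r'keyid:\s*(\S+)\s+ckaid:\s*([0-9a-f]+)', line)
        if m:
            keys[m.group(1)] = m.group(2)
    return keys


def check_conn(conn, local_keys):
    """For each side, return the local CKAID whose keyid matches that side's
    rsasigkey, or None when no key in the local NSS database matches."""
    return {side: local_keys.get(keyid_of(conn.get(side + 'rsasigkey')))
            for side in ('left', 'right')}


if __name__ == '__main__':
    sections, orphans = parse_conn_sections(SAMPLE_CONF)
    for name, conn in sections.items():
        print(name, check_conn(conn, parse_showhostkey_list(SAMPLE_LIST)))
    for line in orphans:
        print('setting outside any conn section:', line)
```

On the post's own data this reports a local key only for `left`, which is what you expect on the VPN server; a result with `None` on both sides means the configured `rsasigkey` values and the NSS database do not correspond, and that is worth ruling out before digging through `ipsec barf` output.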