[Swan] Migrating OpenSWAN from Fedora 13 to CentOS 7.5 using LIBRESWAN

guilsson at gmail.com
Tue Apr 2 04:38:35 UTC 2019


Hello everyone,

I've been running OpenSwan 2.6.29 since 2010 to connect to a bank.
It has been running for 9 years in a row: the first 3 years on a Debian box
and 6 years on Fedora 13. I just COPIED/PASTED the configuration from Debian
to Fedora and it worked.

But I need some other features in the operating system that Fedora 13
doesn't have, so I've decided to replace it with CentOS 7.5.
I discovered that CentOS doesn't have OpenSwan, just LIBRESWAN and
STRONGSWAN.

The main issue is that I don't have KNOWLEDGE about IPSEC. This machine has
been running IPSec using configuration files (ipsec.conf/ipsec.secrets)
SUPPLIED by the bank. So, if I get some errors about auth, netkey, pfs,
ike, quick mode, main mode, phase 1/2, etc., I won't be able to fix them.

Having only LIBRESWAN and STRONGSWAN on CentOS 7.5, I tried LIBRESWAN
first, expecting not to have compatibility problems migrating from
OpenSwan to LIBRESWAN.

But that is not what I got.

Let's start with a baseline...

IPSEC.CONF:
========================================================================================
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
#config setup
#       # Debug-logging controls:  "none" for (almost) none, "all" for lots.
#       # klipsdebug=none
#       # plutodebug="control parsing"
#       # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
#       protostack=netkey
#       nat_traversal=yes
#       virtual_private=
#       oe=off
#       # Enable this if you see "failed to find any available worker"
#       nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf

conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore

config setup
        #klipsdebug=all
        #plutodebug="control parsing"
        nat_traversal=yes
        protostack=netkey
        virtual_private=
        oe=off
        nhelpers=0
        #forceencaps=yes
        interfaces=%defaultroute
        force_keepalive=yes
        keep_alive=2

conn vpnbank
        type=tunnel
        left=192.168.1.16
        leftsubnet=192.168.1.0/26
        leftnexthop=192.168.1.100
        right=222.222.222.222
        rightsubnet=111.111.111.111/32
        rightnexthop=192.168.1.100
        keyexchange=ike
        auto=start
        authby=secret
        pfs=no
        compress=no
        auth=esp
        keylife=1440m
        ikelifetime=3600s
========================================================================================


VPN-FEDORA:
===========
# rpm -q openswan
openswan-2.6.29-1.fc13.i686
# uname -srvmpio
Linux 2.6.34.6-54.fc13.i686.PAE #1 SMP Sun Sep 5 17:33:43 UTC 2010 i686 i686 i386 GNU/Linux


SNIFFING AT FIREWALL:
---------------------

# tshark -i eth1 esp or port 500
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
  0.000000 192.168.1.16 500 222.222.222.222 500 ISAKMP Identity Protection (Main Mode)
  0.013193 222.222.222.222 500 192.168.1.16 500 ISAKMP Identity Protection (Main Mode)
  0.016325 192.168.1.16 500 222.222.222.222 500 ISAKMP Identity Protection (Main Mode)
  0.028517 222.222.222.222 500 192.168.1.16 500 ISAKMP Identity Protection (Main Mode)
[...]
  0.046726 192.168.1.16 500 222.222.222.222 500 ISAKMP Quick Mode
  0.060917 222.222.222.222 500 192.168.1.16 500 ISAKMP Quick Mode
[...]
  0.713432 192.168.1.16  222.222.222.222  ESP ESP (SPI=0xcf106f5c)
  0.722431 222.222.222.222  192.168.1.16  ESP ESP (SPI=0x48a17e8a)
[...]

# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...

# service ipsec start
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Starting Openswan IPsec U2.6.29/K2.6.34.6-54.fc13.i686.PAE...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

/VAR/LOG/MESSAGES:
------------------
Mar 25 19:16:18 Vm-ipsec-box kernel: NET: Registered protocol family 15
Mar 25 19:16:18 Vm-ipsec-box ipsec_setup: Starting Openswan IPsec U2.6.29/K2.6.34.6-54.fc13.i686.PAE...
Mar 25 19:16:18 Vm-ipsec-box ipsec_setup: Using NETKEY(XFRM) stack
Mar 25 19:16:18 Vm-ipsec-box kernel: padlock: VIA PadLock not detected.
Mar 25 19:16:18 Vm-ipsec-box kernel: padlock: VIA PadLock Hash Engine not detected.
Mar 25 19:16:18 Vm-ipsec-box kernel: padlock: VIA PadLock not detected.
Mar 25 19:16:18 Vm-ipsec-box ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Mar 25 19:16:18 Vm-ipsec-box ipsec_setup: ...Openswan IPsec started
Mar 25 19:16:18 Vm-ipsec-box ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Mar 25 19:16:18 Vm-ipsec-box ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Mar 25 19:16:18 Vm-ipsec-box pluto: adjusting ipsec.d to /etc/ipsec.d
Mar 25 19:16:18 Vm-ipsec-box ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Mar 25 19:16:18 Vm-ipsec-box ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Mar 25 19:16:18 Vm-ipsec-box ipsec__plutorun: 002 added connection description "vpnbank"
Mar 25 19:16:18 Vm-ipsec-box ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
Mar 25 19:16:18 Vm-ipsec-box ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Mar 25 19:16:18 Vm-ipsec-box ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
Mar 25 19:16:18 Vm-ipsec-box ipsec__plutorun: 104 "vpnbank" #1: STATE_MAIN_I1: initiate


PARTIAL PS -AXF:
----------------
31571 pts/1    S      0:00 /bin/sh /usr/libexec/ipsec/_plutorun --debug  --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive 2 --protostack netkey --force_keepalive yes --disable_port_floating no --virtual_private oe=o
31575 pts/1    S      0:00  \_ /bin/sh /usr/libexec/ipsec/_plutorun --debug  --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive 2 --protostack netkey --force_keepalive yes --disable_port_floating no --virtual_private
31578 pts/1    S      0:00  |   \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal --keep_alive 2 --force_keepalive --virtual_private oe=off --nhelpers 0
31605 pts/1    S      0:00  |       \_ _pluto_adns
31576 pts/1    S      0:00  \_ /bin/sh /usr/libexec/ipsec/_plutoload --wait no --post
31572 pts/1    S      0:00 logger -s -p daemon.error -t ipsec__plutorun


LIBRESWAN at CENTOS 7.5:
========================

Copied IPSEC.CONF and IPSEC.SECRETS into /ETC/IPSEC.D/.

# rpm -q libreswan
libreswan-3.25-4.1.el7_6.x86_64

# uname -srvmpio
Linux 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

# service ipsec start
Job for ipsec.service failed because the control process exited with error code. See "systemctl status ipsec.service" and "journalctl -xe" for details.

/VAR/LOG/MESSAGES:
------------------
Apr  2 00:04:18 vm-ipsec-new systemd: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Apr  2 00:04:18 vm-ipsec-new addconn: ERROR: /etc/ipsec.d/ipsec.conf: 66: keyword auth, invalid value: esp
Apr  2 00:04:18 vm-ipsec-new systemd: ipsec.service: control process exited, code=exited status=1
Apr  2 00:04:18 vm-ipsec-new systemd: Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Apr  2 00:04:18 vm-ipsec-new systemd: Unit ipsec.service entered failed state.
Apr  2 00:04:18 vm-ipsec-new systemd: ipsec.service failed.
Apr  2 00:04:18 vm-ipsec-new systemd: ipsec.service holdoff time over, scheduling restart.
[...repeated 5 times...]

I tried commenting it out (#auth=esp) ...

# service ipsec start
Job for ipsec.service failed because the control process exited with error code. See "systemctl status ipsec.service" and "journalctl -xe" for details.

/VAR/LOG/MESSAGES:
------------------
Apr  2 00:10:00 vm-ipsec-new systemd: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Apr  2 00:10:00 vm-ipsec-new addconn: cannot load config '/etc/ipsec.conf': /etc/ipsec.d/ipsec.conf:8: syntax error, unexpected VERSION, expecting $end [version]
Apr  2 00:10:00 vm-ipsec-new systemd: ipsec.service: control process exited, code=exited status=3
Apr  2 00:10:00 vm-ipsec-new systemd: Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Apr  2 00:10:00 vm-ipsec-new systemd: Unit ipsec.service entered failed state.
Apr  2 00:10:00 vm-ipsec-new systemd: ipsec.service failed.
Apr  2 00:10:00 vm-ipsec-new systemd: ipsec.service holdoff time over, scheduling restart.

From here I don't know how to proceed...
Could anyone point me in some direction on how to fix/adapt my configuration
(or the LibreSwan cfg) to make it compatible with LIBRESWAN on CentOS 7.5?

Thanks in advance
--Guilsson
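As an added example (not part of the original post or of Libreswan), a small Python linter for the two constructs the journal entries above show Libreswan 3.25 rejecting: a `version` line inside a file included from /etc/ipsec.d/ ("unexpected VERSION") and `auth=esp` in a conn ("keyword auth, invalid value: esp"). It assumes a minimal ipsec.conf grammar (top-level `config`/`conn` statements followed by indented key=value lines) and runs on a constructed sample; it is not a complete Openswan-to-Libreswan compatibility check.

```python
# Constructed sample reproducing the two constructs from the post's config.
SAMPLE_CONF = """\
# comment line
version 2.0     # Openswan-era version statement

config setup
        protostack=netkey
        nat_traversal=yes

conn vpnbank
        type=tunnel
        auth=esp
        pfs=no
"""

def parse_ipsec_conf(text):
    """Return (version_lines, sections). sections is a list of
    (section_type, name, {key: (value, lineno)}) in file order."""
    version_lines, sections, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                # unindented: top-level statement
            words = line.split()
            if words[0] == "version":
                version_lines.append(lineno)
            elif words[0] in ("config", "conn") and len(words) == 2:
                current = (words[0], words[1], {})
                sections.append(current)
            continue
        if current is not None and "=" in line:  # indented key=value in a section
            key, value = (s.strip() for s in line.split("=", 1))
            current[2][key] = (value, lineno)
    return version_lines, sections

def lint_for_libreswan(text, included=True):
    """Flag the constructs the logs on this page show Libreswan rejecting.
    included=True means the file is pulled in via 'include /etc/ipsec.d/*.conf',
    where the post's log shows the version line causing a syntax error."""
    findings = []
    version_lines, sections = parse_ipsec_conf(text)
    if included:
        for n in version_lines:
            findings.append((n, "version line in an included file: remove it"))
    for kind, name, keys in sections:
        if kind == "conn" and keys.get("auth", ("", 0))[0] == "esp":
            findings.append((keys["auth"][1],
                             f"conn {name}: auth=esp is rejected; see ipsec.conf(5)"))
    return sorted(findings)

if __name__ == "__main__":
    for lineno, msg in lint_for_libreswan(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
```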