[Swan] example .conf for road warriors

Jeremy Hayward jem at briksdal.co.uk
Fri May 15 15:45:48 UTC 2020


Thanks for the advice.  We are really aware of the risks, but what is at
the other end is only valuable to us.  It wouldn't be of any value to
anyone else, so we don't expect anyone would waste time trying to get in.

However, it would seem that I've hit a dead end with this route into the
network.  I can set up VPN on the gateway router, rather than on the VPN
server, so I may try that route next.

Jem Hayward
www.briksdal.co.uk



On Fri, 15 May 2020 at 16:15, Paul Wouters <paul at nohats.ca> wrote:

> On Fri, 15 May 2020, Jeremy Hayward wrote:
>
> > I want to set up a connection on my libreswan that will allow anyone to
> > connect with just the username and password.  I understand the security
> > implications of this, but I want to be able to access a system from
> > anywhere in the world, from any device.  The main client will be Android
> > phone, but again, I don't want to have to install specific software on
> > that phone - just use the built in android vpn facility.
> > I used to do this with PPTP for many years and it worked well, but I
> > think that would now be too dangerous but the Android phones now support
> > relatively IPSec which I think will be good enough.
>
> That is still unwise. The problem with user/password is that you have
> to use authby=secret, giving out this preshared key to everyone, meaning
> that everyone who has the client information (legitimately or
> maliciously obtained) would be able to forge messages from the gateway
> or other clients. It is also only supported in the old IKEv1 method,
> not the new IKEv2 method.
>
> > I've built a conf, but as a bit of a noob, I'm not sure if I've made a
> > rookie error, or it just won't work in the way I'm intending.
> >
> > Here is my .conf
> >
> > conn Warrior
> > dpdaction=clear
> > dpddelay=30
> > dpdtimeout=120
> > fragmentation=yes
> > ike=3des-md5;modp1024
>
> Doing 3des-md5 wasn't even good in 1999. It is surely not good now.
> Worse, modp1024 is DH2 which we don't even compile in support for
> anymore because university style computing budgets can break it, so
> surely nation states can too.
>
> > ikev2=insist
>
> android only just got ikev2 support (or will get it in the next
> version?) and so basically no android client in the wild supports
> native ikev2. Also see the above. For ikev2 you would want to at
> least use one certificate on the server (even if clients would
> use authby=secret to identify themselves). But these kinds of
> ikev2 configurations can only be done using EAP, which libreswan
> currently does not support.
>
> You really seem to want this type of config:
>
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_PSK
>
> I still recommend you change your requirements for a more secure
> deployment.
>
> Paul
>
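As an added illustration of the points Paul raises (not part of this thread, and not code from the libreswan project), the following script parses ipsec.conf-style `conn` sections and flags the weaknesses discussed above: 3DES and MD5 in the proposal, the modp1024 (DH group 2) group, a single PSK (authby=secret) shared with every road-warrior client, and ikev2 without a server certificate. The sample configuration, the "hardened" conn and the certificate nickname are constructed for the demonstration; the weak-token list is a minimal starting set derived from the thread, not a complete policy.

```python
"""Audit libreswan ipsec.conf 'conn' sections for the weaknesses discussed
in the thread. Added example; not part of libreswan. The sample config,
the 'hardened' conn and its certificate nickname are constructed."""
import re

# Constructed sample: the thread's proposal plus a hardened alternative.
SAMPLE_CONF = """\
config setup
    logfile=/var/log/pluto.log

conn Warrior
    dpdaction=clear
    dpddelay=30
    dpdtimeout=120
    fragmentation=yes
    ike=3des-md5;modp1024
    ikev2=insist
    authby=secret
    right=%any

conn hardened
    ike=aes256-sha2;dh19
    esp=aes_gcm256
    ikev2=insist
    leftcert=gateway.example.org   # placeholder cert nickname (constructed)
    rightid=%fromcert
    right=%any
"""

# Algorithm tokens the thread calls out, with the reason each is rejected.
WEAK_TOKENS = {
    "3des": "3DES is obsolete (64-bit block cipher); use AES or AES-GCM",
    "md5": "MD5 integrity/PRF is broken; use SHA-2",
    "modp1024": "modp1024 (DH group 2) is considered breakable; use dh19/dh20 or modp2048+",
}


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Handles the ipsec.conf layout: section headers at column 0, indented
    'key=value' lines below, '#' comments and blank lines ignored.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if header:
            # Only 'conn' sections are audited; 'config setup' is skipped.
            current = {} if header.group(1) == "conn" else None
            if current is not None:
                conns[header.group(2)] = current
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip().lower()] = value.strip()
    return conns


def split_proposal(proposal):
    """Tokenise 'enc-integ;dh,enc-integ;dh' into lowercase algorithm names."""
    return [t for t in re.split(r"[-;,_+]", proposal.lower()) if t]


def audit_conn(name, settings):
    """Return a list of human-readable findings for one conn section."""
    findings = []
    for field in ("ike", "esp", "phase2alg"):
        for token in split_proposal(settings.get(field, "")):
            if token in WEAK_TOKENS:
                findings.append(f"{name}: {field}= uses {token}: {WEAK_TOKENS[token]}")
    authby = settings.get("authby", "")
    if authby == "secret" and settings.get("right") == "%any":
        findings.append(f"{name}: authby=secret with right=%any shares one PSK with "
                        "every client; any holder can impersonate the gateway or peers")
    if authby == "secret" and settings.get("ikev2") in ("insist", "yes", "propose") \
            and "leftcert" not in settings:
        findings.append(f"{name}: ikev2 with a bare PSK and no leftcert; the gateway "
                        "should at least present a certificate")
    return findings


def audit_conf(text):
    """Audit every conn in an ipsec.conf text; returns {conn_name: findings}."""
    return {name: audit_conn(name, s) for name, s in parse_ipsec_conf(text).items()}


if __name__ == "__main__":
    for conn, findings in audit_conf(SAMPLE_CONF).items():
        print(f"== {conn}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            print("   -", f)
```

Run it against a real ipsec.conf by reading the file into `audit_conf`; the Warrior conn from the thread yields five findings, the constructed hardened conn none.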