[Swan] Options for Windows clients
Alex
mysqlstudent at gmail.com
Wed Dec 30 02:25:27 UTC 2020
Hi,
> >> How can I tell what type of cert I'm using?
> >
> > openssl x509 -noout -text -in /your/cert.pem
>
> If you used certutil to generate the certificate directly inside the NSS
> database, you may have to export first, or use something like:
>
> certutil -L -d sql:/etc/ipsec.d -n your_cert_nickname
This is Fedora 32. It appears the NSS database is physically in
/var/lib/ipsec/nss while the certificates I've been creating are
stored in /etc/ipsec.d/*.db. What's the difference? Why does ipsec
appear to use /var/lib/ipsec/nss while certutil uses /etc/ipsec.d?
It's also not necessary to preface it with sql:.
> >> This is with "plutodebug = all crypt". In addition to the
> >> NO_PROPOSAL_CHOSEN messages, the highlights appear to include:
>
> I've given a quick look, and I don't have much more to add to Paul's
> comment below (maybe "all crypt" is too much).
I've gotten past that NO_PROPOSAL_CHOSEN error, or at least it's not
producing it anymore.
Are the references to 'vpn.example.com' just labels, or is it a host
that has to resolve to an IP?
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
I think I screwed up the leftid setting in the config. It couldn't
even find the config when I ran the following. Now it just reports it
can't connect (presumably because it's a mobile worker with a dynamic
IP).
# ipsec auto --up ikev2-cp
029 "ikev2-cp": cannot initiate connection without knowing peer IP
address (kind=CK_TEMPLATE narrowing=yes)
036 "ikev2-cp": failed to initiate connection
Now Windows is saying "IKE failed to find valid machine certificate.
.... install a valid certificate" but I've rebuilt the entire thing,
deleted the old certs and inserted a new pk12 cert as I've done
before. This strongswan post appears to indicate that "Maybe Windows
wants to do ECDSA and searches for such a certificate". Could that be
the case here?
https://wiki.strongswan.org/issues/3021
I've used the following two commands on the Windows side to build the
connection:
Add-VpnConnection -Name "ikev2-cp" -ServerAddress orion.example.com `
    -TunnelType "Ikev2" -PassThru -Force -EncryptionLevel "Required" `
    -AllUserConnection -AuthenticationMethod MachineCertificate

Set-VpnConnectionIPsecConfiguration -ConnectionName "ikev2-cp" `
    -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -PfsGroup ECP384 `
    -DHGroup Group14 -PassThru -Force
Now trying to connect produces the following:
Dec 29 21:08:37.408754: | found policy =
ECDSA+ENCRYPT+TUNNEL+PFS+DONT_REKEY+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO
(ikev2-cp)
Dec 29 21:08:37.409050: | found connection: "ikev2-cp"[1] 192.168.1.35
with policy ECDSA+IKEV2_ALLOW
Dec 29 21:12:44.610613: "ikev2-cp"[5] 192.168.1.35 #16: proposal
2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from
remote proposals
1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048
2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]
3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
Dec 29 21:12:44.613300: "ikev2-cp"[5] 192.168.1.35 #16: sent
IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256
integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Then that's it.
> > - uses right=192.168.1.35 or right=%any
> > - uses authby=ecdsa or authby=rsa or authby=secret (or a combination
> > thereof, or it is not set in which case the defaults would include rsa
> > and/or rsa+ecdsa depending on the version of libreswan)
> > - an ike= line that matches the remote client proposal list (or the
> > client uses something that is not a default ike parameter when no ike=
> > line is specified)
I've tried combinations of all of those. Here's what I have now. Left
is my libreswan server and right is my Win10 laptop.
conn ikev2-cp
    left=68.195.111.42
    leftcert=orion.example.com
    leftid=@orion.example.com
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=192.168.6.2-192.168.6.254
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns=8.8.8.8,193.100.157.123
    narrowing=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    authby=ecdsa
    fragmentation=yes
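The Windows-side steps discussed in this message, gathered into one script as an added example; this is not code from the original post or from the Libreswan project. It imports the PKCS#12 file into the machine store, lists what that store actually holds (private key present, RSA or ECC key, EKU) so a certificate the IKE client cannot use is visible before dialling, checks that the issuing CA is in the machine Root store, creates the connection with the same parameters as in the post but with the IPsec policy pinned to the IKE proposal libreswan reported choosing (AES_CBC_256 / HMAC_SHA2_256 / MODP2048), dials, and prints the RasClient events for the attempt. The PFX path C:\vpn\client.p12 and the CA subject 'CN=Example CA' are assumptions; orion.example.com and the connection name ikev2-cp are taken from the post. Run it in an elevated PowerShell session on the Windows 10 client.

```powershell
# Added example (not from the original post or the Libreswan project).
# Assumed values: $PfxPath and $CaSubject are hypothetical; the server name
# and connection name are the ones used in the post.

$ConnName  = 'ikev2-cp'
$Server    = 'orion.example.com'
$PfxPath   = 'C:\vpn\client.p12'   # hypothetical: exported client cert + private key
$CaSubject = 'CN=Example CA'       # hypothetical: subject of the CA that signed both certs

# 1. Import the client certificate and private key into the *machine* store.
#    Machine-certificate IKEv2 authentication only looks in Cert:\LocalMachine\My.
$pfxPassword = Read-Host -Prompt 'PKCS#12 password' -AsSecureString
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPassword | Out-Null

# 2. Show what the IKE client can choose from. KeyAlgorithm is 'RSA' or 'ECC';
#    compare it with the server's authby= setting. A certificate without a
#    private key or without the Client Authentication EKU will not be selected.
Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Select-Object -Property Subject, NotAfter, HasPrivateKey,
        @{ Name = 'KeyAlgorithm'; Expression = { $_.PublicKey.Oid.FriendlyName } },
        @{ Name = 'EKU'; Expression = {
            ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', ' } } |
    Format-Table -AutoSize

# 3. The CA that issued the server certificate must be trusted by the machine,
#    otherwise the certificate the server sends (leftsendcert=always) fails validation.
$caPresent = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Subject -eq $CaSubject }
if (-not $caPresent) {
    Write-Warning "CA '$CaSubject' is not in Cert:\LocalMachine\Root; import it with Import-Certificate."
}

# 4. Create the connection and pin the IPsec policy to the proposal libreswan
#    reported choosing: AES_CBC_256 / HMAC_SHA2_256 / MODP2048 (DHGroup Group14).
Add-VpnConnection -Name $ConnName -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
    -AllUserConnection -Force -PassThru | Out-Null

Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName -AllUserConnection `
    -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -PfsGroup ECP384 -DHGroup Group14 -Force -PassThru | Out-Null

# 5. Dial, then show the RasClient events logged for this attempt; the message
#    text carries the error behind a failure such as
#    "IKE failed to find valid machine certificate".
$since = Get-Date
rasdial $ConnName
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

The listing in step 2 is the check to run before touching the connection again: if the only certificate with a private key has a KeyAlgorithm that the server's authby= line does not accept, no amount of re-importing the same PKCS#12 file will change what the IKE client finds.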