[Swan] Options for Windows clients

Paul Wouters paul at nohats.ca
Wed Dec 30 02:41:25 UTC 2020


On Dec 29, 2020, at 21:25, Alex <mysqlstudent at gmail.com> wrote:
> 
> 
> This is fedora32. It appears the NSS database is physically in
> /var/lib/ipsec/nss while the certificates I've been creating are
> stored in /etc/ipsec.d/*.db. What's the difference?

The /etc one is the old location. Libreswan on fedora is compiled with the new location. You can configure nssdir= in ipsec.conf to point to your old location if you want.

> Why does ipsec
> appear to use /var/lib/ipsec/nss while certutil uses /etc/ipsec.d?

Certutil has no default. It is what you specify as options to it.


> It's also not necessary to preface it with sql:

Yes, the default was changed in nss to be sql: finally.




> 
> I've gotten past that NO_PROPOSAL_CHOSEN error, or at least it's not
> producing it anymore.
> 
> Are the references to 'vpn.example.com' just labels, or is it a host
> that has to resolve to an IP?
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

For the right= on the client it needs to resolve in DNS or be an IP. The conn name is an arbitrary string.


> I think I screwed up the leftid setting in the config. It couldn't
> even find the config when I ran the following. Now it just reports it
> can't connect (presumably because it's a mobile worker with a dynamic
> IP).
> 
> # ipsec auto --up ikev2-cp
> 029 "ikev2-cp": cannot initiate connection without knowing peer IP
> address (kind=CK_TEMPLATE narrowing=yes)
> 036 "ikev2-cp": failed to initiate connection

Yes you cannot have initiate to %any

> Now Windows is saying "IKE failed to find valid machine certificate.
> .... install a valid certificate" but I've rebuilt the entire thing,
> deleted the old certs and inserted a new pk12 cert as I've done
> before. This strongswan post appears to indicate that "Maybe Windows
> wants to do ECDSA and searches for such a certificate". Could that be
> the case here?
> https://wiki.strongswan.org/issues/3021

Possible, I heard if you configure ECDH it won’t allow RSA based certs.
> 
> I've used the following two commands on the Windows side to build the
> connection:
> 
> Add-VpnConnection -Name "ikev2-cp" -ServerAddress orion.example.com
> -TunnelType "Ikev2" -PassThru -Force -EncryptionLevel "Required"
> -AllUserConnection -AuthenticationMethod MachineCertificate
> 
> Set-VpnConnectionipsecconfiguration -connectionname "ikev2-cp"
> -authenticationtransformconstants SHA256128 -ciphertransformconstants
> AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -Pfsgroup
> ECP384 -DHGroup Group14 -PassThru -Force

Can you set both pfs group and DH group to group14 ?

Using ECP384 might cause it to not accept RSA certificates


> Now trying to connect produces the following:
> 
> Dec 29 21:08:37.408754: | found policy =
> ECDSA+ENCRYPT+TUNNEL+PFS+DONT_REKEY+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO
> (ikev2-cp)
> Dec 29 21:08:37.409050: | found connection: "ikev2-cp"[1] 192.168.1.35
> with policy ECDSA+IKEV2_ALLOW
> Dec 29 21:12:44.610613: "ikev2-cp"[5] 192.168.1.35 #16: proposal
> 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from
> remote proposals
> 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048
> 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]
> 3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
> 
> Dec 29 21:12:44.613300: "ikev2-cp"[5] 192.168.1.35 #16: sent
> IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256
> integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
> 
> Then that's it.

Windows receives the answer and rejects the algorithms I guess. Or rejects the cert it now needs to use to create the next packet.


>   authby=ecdsa

Avoid ecdsa with Windows as they seem to only support the old method that libreswan doesn’t implement. Also if you use this, you cannot have RSA based certificates as those cannot produce ECDSA signatures.

Paul


More information about the Swan mailing list