[Swan] Fwd: Question with IKEv2 VPN server for road warrior setup with pubkey
Mirsad Goran Todorovac
mirsad.todorovac at alu.unizg.hr
Tue Jan 4 10:56:30 EET 2022
My apologies, as I forgot to include my /etc/ipsec.d/ikev2.conf
conn MYCONN-ikev2-cp
    # The server's actual IP goes here - not elastic IPs
    left=161.53.235.3
    leftcert=vpn.alu.hr
    leftid=@vpn.alu.hr
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # Clients
    right=%any
    # your addresspool to use - you might need NAT rules if
    # providing full internet to clients
    rightaddresspool=192.168.100.10-192.168.100.253
    # optional rightid with restrictions
    rightid="C=HR,L=Zagreb,O=Akademija likovnih umjetnosti,OU=*,CN=*,E=*"
    rightca=%same
    rightrsasigkey=%cert
    #
    # connection configuration
    # DNS servers for clients to use
    modecfgdns=8.8.8.8,192.168.100.1
    # Versions up to 3.22 used modecfgdns1 and modecfgdns2
    #modecfgdns1=8.8.8.8
    #modecfgdns2=193.110.157.123
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    fragmentation=yes
    # optional PAM username verification (eg to implement bandwidth quota)
    # pam-authorize=yes
and the session log: https://domac.alu.hr/mtodorov/ikev2-20220104-01.log
Kind regards,
Mirsad Todorovac
-------- Forwarded Message --------
Hi all,
I have been asking about IKEv1 that did not work, but it was the ISP
firewall issue. Then I promised that I would test IKEv2 as a better
option once IKEv1 is working.
However, I ran into basic problems with certs.
I have a couple of questions:
1. I have added:
pfs=yes
type=tunnel
to my IKEv1 configuration, as Paul asserted there are issues with the
transport mode connection. Is that legal? I can't see much from
Googling, as the libreswan doc site example also uses transport mode.
2. Regarding my IKEv2 connection attempt, it seems that NSS is unable to
find the CA cert, but it appears to be in the key store:
root at domac:~# certutil -L -d sql:/var/lib/ipsec/nss
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
vpn.alu.hr u,u,u
ALU-UNIZG CA ,,
root at domac:~#
The SA proposal seems to be accepted, but NSS can't find the cert that
is in the store:
Jan 4 08:51:28.723966: | accepted IKE proposal ikev2_proposal:
2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048
Jan 4 08:51:28.737919: | NSS: locating CA cert 'CN=ALU-UNIZG CA,
O=Akademija likovnih umjetnosti, L=Zagreb, C=HR' for CERTREQ using
CERT_FindCertByName() failed: SEC_ERROR 35 (0x23): Certificate extension
not found.
Jan 4 08:51:28.788515: | NSS: locating CA cert 'CN=ALU-UNIZG CA,
O=Akademija likovnih umjetnosti, L=Zagreb, C=HR' for CERTREQ using
CERT_FindCertByName() failed: error code not saved by NSS
It seems obvious that the "ALU-UNIZG CA" is in the NSS store, so I wonder
what I am doing wrong?
I have generated the cert pair according to the instructions here:
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
Any idea might be welcome, as I've even read the IKEv2 RFC but I seem to
be stuck in this NSS issue ...
Kind regards,
Mirsad
--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
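An added check, not part of this thread or of libreswan, written against the certutil output quoted above: NSS stores trust separately from the certificate itself, in the SSL,S/MIME,JAR/XPI trust-attribute columns that certutil -L prints, and libreswan's NSS documentation imports a CA with the flags "CT,,". The script below parses such a listing (a constructed sample modelled on the one in the post, with a hypothetical "Example Trusted CA" entry added for contrast) and reports whether a nickname carries CA trust flags. It confirms how a CA is stored in the database; it does not by itself establish the cause of the CERTREQ lookup failure in the log.

```shell
#!/bin/sh
# Added example (not from the post or from libreswan): parse a
# `certutil -L` listing and report the NSS trust flags of a nickname.

# Constructed sample listing, modelled on the one quoted in the post, plus a
# hypothetical "Example Trusted CA" entry showing a CA imported with "CT,,".
CERTUTIL_SAMPLE='Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

vpn.alu.hr                                        u,u,u
ALU-UNIZG CA                                      ,,
Example Trusted CA                                CT,,'

# trust_flags LISTING NICKNAME
# Prints the trust-attribute triple (SSL,S/MIME,JAR/XPI) for NICKNAME, or
# nothing if the nickname is absent. Only lines whose last field looks like
# a trust triple are considered, which skips certutil's two header lines.
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
            flags = $NF
            name = $0
            sub(/[[:space:]]*[^[:space:]]*$/, "", name)  # strip trust column
            sub(/^[[:space:]]+/, "", name)
            sub(/[[:space:]]+$/, "", name)
            if (name == nick) { print flags; exit }
        }'
}

# is_trusted_ca LISTING NICKNAME
# Returns 0 when the SSL column carries C or T (NSS treats the certificate
# as a trust anchor for peer certificates), 1 when it does not (a CA stored
# with ",," is present in the database but not trusted), 2 when the
# nickname is not in the listing at all.
is_trusted_ca() {
    flags=$(trust_flags "$1" "$2")
    [ -n "$flags" ] || return 2
    case ${flags%%,*} in
        *C*|*T*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Against a live database, pass the real listing instead, e.g.
#   is_trusted_ca "$(certutil -L -d sql:/var/lib/ipsec/nss)" 'ALU-UNIZG CA'
for nick in 'vpn.alu.hr' 'ALU-UNIZG CA' 'Example Trusted CA'; do
    if is_trusted_ca "$CERTUTIL_SAMPLE" "$nick"; then
        echo "$nick: trusted CA ($(trust_flags "$CERTUTIL_SAMPLE" "$nick"))"
    else
        echo "$nick: not a trusted CA ($(trust_flags "$CERTUTIL_SAMPLE" "$nick"))"
    fi
done
```

On the constructed sample the loop reports vpn.alu.hr and ALU-UNIZG CA as not trusted CAs and Example Trusted CA as trusted; the nickname matching is exact, so a nickname with trailing spaces in the database will not be found.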