[Swan] VPN IKEv2 client reporting syntax errors in libexec/ipsec/_updown.xfrm
Mirsad Todorovac
mirsad.todorovac at alu.unizg.hr
Wed Nov 1 19:42:50 EET 2023
Hi all,
I have figured out how to connect from my Jammy Ubuntu 22.04 box to VPN libreswan server on Debian 11.
But there are problems with connectivity. Though I can search on Google, some sites time out.
marvin at defiant:~/build/libreswan/libreswan$ sudo ipsec auto --up grf
WARNING: ipsec auto has been deprecated
181 "grf"[1] 161.53.83.3 #1: initiating IKEv2 connection
181 "grf"[1] 161.53.83.3 #1: sent IKE_SA_INIT request to 161.53.83.3:500
182 "grf"[1] 161.53.83.3 #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "grf"[1] 161.53.83.3 #1: initiator established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate '@magrf-ipv4.grf.hr' issued by CA 'CN=GRF-UNIZG CA, O=GRF-UNIZG'
002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_ADDRESS 192.168.100.10
002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_DNS 10.0.0.101
002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_DNS 1.0.0.1
002 "grf"[1] 161.53.83.3 #2: route-client output: /usr/local/libexec/ipsec/_updown.xfrm: 505: [: unexpected operator
002 "grf"[1] 161.53.83.3 #2: up-client output: updating resolvconf
002 "grf"[1] 161.53.83.3 #2: up-client output: /usr/local/libexec/ipsec/_updown.xfrm: 432: cannot create /etc/resolv.conf: Permission denied
002 "grf"[1] 161.53.83.3 #2: up-client output: /usr/local/libexec/ipsec/_updown.xfrm: 505: [: unexpected operator
004 "grf"[1] 161.53.83.3 #2: initiator established Child SA using #1; IPsec tunnel [192.168.100.10-192.168.100.10:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0] {ESPinUDP/ESN=>0xc3d799c1 <0x590a2b78 xfrm=AES_GCM_16_256-NONE NATD=161.53.83.3:4500 DPD=passive}
/etc/resolv.conf is the link:
$ ls -ld /etc/resolv.conf
lrwxrwxrwx 1 root root 39 May 3 21:28 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
$ sudo lsattr /run/systemd/resolve/stub-resolv.conf
---------------------- /run/systemd/resolve/stub-resolv.conf
$
The VPN server side is:
/etc/ipsec.d/ikev2.conf:
------------------------
conn MYCONN-ikev2-cp
        # The server's actual IP goes here - not elastic IPs
        left=161.53.83.3
        leftcert="magrf-ipv4.grf.hr 2023"
        leftid=@magrf-ipv4.grf.hr
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        leftrsasigkey=%cert
        # Clients
        right=%any
        # your addresspool to use - you might need NAT rules if providing full internet to clients
        rightaddresspool=192.168.100.10-192.168.100.253
        # optional rightid with restrictions
        # rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
        rightca=%same
        rightrsasigkey=%cert
        #
        # connection configuration
        # DNS servers for clients to use
        modecfgdns=10.0.0.101,1.0.0.1
        # Versions up to 3.22 used modecfgdns1 and modecfgdns2
        #modecfgdns1=8.8.8.8
        #modecfgdns2=193.110.157.123
        narrowing=yes
        # recommended dpd/liveness to cleanup vanished clients
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add
        ikev2=insist
        rekey=no
        # Set ikelifetime and keylife to same defaults windows has
        # ikelifetime=8h
        # keylife=2h
        # lets Windows clients fall back to a weaker DH group on rekey
        ms-dh-downgrade=yes
        mobike=yes
        # the aes*-sha1 proposals only serve old clients; drop them once none remain
        esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
        # esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
        # ikev2 fragmentation support requires libreswan 3.14 or newer
        fragmentation=yes
        # optional PAM username verification (eg to implement bandwidth quota)
        pam-authorize=yes
        authby=rsa
        hostaddrfamily=ipv4
        clientaddrfamily=ipv4
The client side is:
conn grf
        left=%defaultroute
        leftcert="home-pc-mtodorov.grf.hr 2023"
        leftid=%fromcert
        leftrsasigkey=%cert
        leftsubnet=0.0.0.0/0
        leftmodecfgclient=yes
        right=magrf-ipv4.grf.hr
        rightsubnet=0.0.0.0/0
        rightid=@magrf-ipv4.grf.hr
        rightrsasigkey=%cert
        narrowing=yes
        ikev2=insist
        rekey=yes
        fragmentation=yes
        mobike=no
        auto=add
Many thanks for help.
Best regards,
Mirsad Todorovac
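The script below is an added example from the editor; it is not part of the post above and it is not libreswan's own _updown.xfrm. It pairs one check with each of the two hook errors in the log. On `[: unexpected operator`: dash, which is /bin/sh on Ubuntu, has no `==` operator in its `[` builtin, so `[ "$x" == "y" ]` fails with exactly that message when `$x` is empty (and with `[: x: unexpected operator` when it is not), while bash accepts `==` silently, which is how such a line survives testing under bash. Which construct actually sits at line 505 of the author's copy is not shown in the post, so `lint_test_bashisms` simply locates `==` inside `[ ]` in whatever script you point it at (`checkbashisms` from devscripts is the fuller tool). On the `Permission denied`: /etc/resolv.conf is a symlink into /run/systemd/resolve, a directory owned by systemd-resolved; one plausible reason even a root-owned hook cannot write there, an assumption rather than something the post establishes, is that pluto drops CAP_DAC_OVERRIDE before spawning its updown children. `resolv_conf_backend` classifies the symlink and `dns_update_plan` prints the command a hook should run instead of rewriting the file, using `resolvectl dns` for systemd-resolved. The interface name `eth0`, the sample script and the directory tree are constructed inputs, not anything from the author's system.

```shell
#!/bin/sh
# Editor's added example. Not from the original post and not libreswan's
# _updown.xfrm; it assumes only POSIX sh plus grep, readlink, mktemp and ln.

# Locate "==" used inside a [ ... ] test in a script (a bashism: dash's [ only
# knows "="). Prints LINE:TEXT for each hit; exit status 1 when there are none.
lint_test_bashisms() {
    grep -n '\[[^]]* == ' "$1"
}

# Classify what /etc/resolv.conf really is, so a hook knows who owns DNS.
resolv_conf_backend() {
    rc=$1
    if [ -L "$rc" ]; then
        target=$(readlink "$rc")
        case "$target" in
            */systemd/resolve/stub-resolv.conf) echo systemd-resolved-stub ;;
            */systemd/resolve/resolv.conf)      echo systemd-resolved ;;
            */resolvconf/*)                     echo resolvconf ;;
            *)                                  echo "symlink:$target" ;;
        esac
    elif [ -f "$rc" ]; then
        echo file
    else
        echo missing
    fi
}

# Print (never run) the DNS update an up-client hook should perform for the
# given backend. $1 backend, $2 link to attach the servers to (assumed here;
# the real hook has to decide which interface that is), rest = DNS servers.
dns_update_plan() {
    backend=$1; link=$2; shift 2
    case "$backend" in
        systemd-resolved*) echo "resolvectl dns $link $*" ;;
        resolvconf)        echo "printf 'nameserver %s\\n' $* | resolvconf -a $link.inet" ;;
        file)              echo "save a copy, then rewrite /etc/resolv.conf with: $*" ;;
        *)                 echo "unsupported backend: $backend"; return 1 ;;
    esac
}

# Constructed sample script; line 2 carries the bashism, line 3 is portable.
write_sample_script() {
    printf '%s\n' '#!/bin/sh' \
        'if [ "$PLUTO_VERB" == "up-client" ]; then echo up; fi' \
        'if [ "$PLUTO_VERB" = "down-client" ]; then echo down; fi' \
        > "$1/updown-sample.sh"
    echo "$1/updown-sample.sh"
}

# Constructed directory tree mirroring the layout in the post:
# DIR/etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
make_fake_etc() {
    mkdir -p "$1/etc" "$1/run/systemd/resolve"
    printf 'nameserver 127.0.0.53\n' > "$1/run/systemd/resolve/stub-resolv.conf"
    ln -s ../run/systemd/resolve/stub-resolv.conf "$1/etc/resolv.conf"
}

main() {
    tmp=$(mktemp -d)
    script=$(write_sample_script "$tmp")
    echo "bashisms in $script:"
    lint_test_bashisms "$script" || echo "  (none)"
    make_fake_etc "$tmp"
    backend=$(resolv_conf_backend "$tmp/etc/resolv.conf")
    echo "resolv.conf backend: $backend"
    echo "DNS update plan: $(dns_update_plan "$backend" eth0 10.0.0.101 1.0.0.1)"
    rm -rf "$tmp"
}
main "$@"
```

On a live box the two commands worth running are `resolv_conf_backend /etc/resolv.conf` and `lint_test_bashisms /usr/local/libexec/ipsec/_updown.xfrm`; `dns_update_plan` only prints its plan and never touches the system, so the resolvectl line has to be reviewed and run by hand.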