[Swan] VPN IKEv2 client reporting syntax errors in libexec/ipsec/_updown.xfrm

Mirsad Todorovac mirsad.todorovac at alu.unizg.hr
Wed Nov 1 20:11:03 EET 2023


Hi,

This diff seems to fix the syntax error issue:

diff --git a/programs/_updown.xfrm/_updown.xfrm.in b/programs/_updown.xfrm/_updown.xfrm.in
index 9aab61dc1fe7..edf3b8696cee 100644
--- a/programs/_updown.xfrm/_updown.xfrm.in
+++ b/programs/_updown.xfrm/_updown.xfrm.in
@@ -502,7 +502,7 @@ addsource() {
          return ${st}
      fi
      # XFRMi interface IPs are managed in Pluto
-    if [ "${PLUTO_XFRMI_ROUTE}" == "yes" ]; then
+    if [ "${PLUTO_XFRMI_ROUTE}" = "yes" ]; then
          return ${st}
      fi
  
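Review bot: the `==` to `=` change in addsource() is the right fix: `==` is a bash extension to the `[` builtin, and dash, which is `/bin/sh` on Debian and Ubuntu, rejects it with exactly the `[: unexpected operator` message seen in the quoted route-client and up-client output. The quoted `"${PLUTO_XFRMI_ROUTE}"` keeps the test well-formed when the variable is unset, so nothing else is needed at this site; a commit message that says `==` is non-POSIX and names the dash error would help anyone bisecting this later.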
@@ -542,7 +542,7 @@ delsource() {
          return ${st}
      fi
      # XFRMi interface IPs are managed in Pluto
-    if [ "${PLUTO_XFRMI_ROUTE}" == "yes" ]; then
+    if [ "${PLUTO_XFRMI_ROUTE}" = "yes" ]; then
          return ${st}
      fi
  
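Review bot: same fix in delsource(), consistent with the addsource() hunk. Since both sites came in with the same commit, it is worth grepping the rest of _updown.xfrm.in for any remaining `[ ... == ... ]` before merging, so the script is clean under dash rather than patched only at the two lines the log happened to hit.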

git blame gives commit 32c87516189f6 and 32c87516189f6 as the cause of the problem.

About the

up-client output: /usr/local/libexec/ipsec/_updown.xfrm: 432: cannot create /etc/resolv.conf: Permission denied

I don't have a clue.

Now I get a different output:

$ sudo ipsec up grf
181 "grf"[1] 161.53.83.3 #1: initiating IKEv2 connection
181 "grf"[1] 161.53.83.3 #1: sent IKE_SA_INIT request to 161.53.83.3:500
182 "grf"[1] 161.53.83.3 #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "grf"[1] 161.53.83.3 #1: initiator established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate '@magrf-ipv4.grf.hr' issued by CA 'CN=GRF-UNIZG CA, O=GRF-UNIZG'
002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_ADDRESS 192.168.100.10
002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_DNS 10.0.0.101
002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_DNS 1.0.0.1
002 "grf"[1] 161.53.83.3 #2: up-client output: updating resolvconf
002 "grf"[1] 161.53.83.3 #2: up-client output: /usr/local/libexec/ipsec/_updown.xfrm: 432: cannot create /etc/resolv.conf: Permission denied
004 "grf"[1] 161.53.83.3 #2: initiator established Child SA using #1; IPsec tunnel [192.168.100.10-192.168.100.10:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0] {ESPinUDP/ESN=>0x4ef1e1f7 <0x36c8942c xfrm=AES_GCM_16_256-NONE NATD=161.53.83.3:4500 DPD=passive}
$

I am using the latest github version commit 0bb82894c7a0.

Best regards,
Mirsad Todorovac

On 11/1/23 18:42, Mirsad Todorovac wrote:
> Hi all,
> 
> I have figured out how to connect from my Jammy Ubuntu 22.04 box to VPN libreswan server on Debian 11.
> 
> But there are problems with connectivity. Though I can search on Google, some sites time out.
> 
> marvin at defiant:~/build/libreswan/libreswan$ sudo ipsec auto --up grf
> WARNING: ipsec auto has been deprecated
> 181 "grf"[1] 161.53.83.3 #1: initiating IKEv2 connection
> 181 "grf"[1] 161.53.83.3 #1: sent IKE_SA_INIT request to 161.53.83.3:500
> 182 "grf"[1] 161.53.83.3 #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
> 003 "grf"[1] 161.53.83.3 #1: initiator established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate '@magrf-ipv4.grf.hr' issued by CA 'CN=GRF-UNIZG CA, O=GRF-UNIZG'
> 002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_ADDRESS 192.168.100.10
> 002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_DNS 10.0.0.101
> 002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_DNS 1.0.0.1
> 002 "grf"[1] 161.53.83.3 #2: route-client output: /usr/local/libexec/ipsec/_updown.xfrm: 505: [: unexpected operator
> 002 "grf"[1] 161.53.83.3 #2: up-client output: updating resolvconf
> 002 "grf"[1] 161.53.83.3 #2: up-client output: /usr/local/libexec/ipsec/_updown.xfrm: 432: cannot create /etc/resolv.conf: Permission denied
> 002 "grf"[1] 161.53.83.3 #2: up-client output: /usr/local/libexec/ipsec/_updown.xfrm: 505: [: unexpected operator
> 004 "grf"[1] 161.53.83.3 #2: initiator established Child SA using #1; IPsec tunnel [192.168.100.10-192.168.100.10:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0] {ESPinUDP/ESN=>0xc3d799c1 <0x590a2b78 xfrm=AES_GCM_16_256-NONE NATD=161.53.83.3:4500 DPD=passive}
> 
> /etc/resolv.conf is the link:
> 
> $ ls -ld /etc/resolv.conf
> lrwxrwxrwx 1 root root 39 May  3 21:28 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
> $ sudo lsattr /run/systemd/resolve/stub-resolv.conf
> ---------------------- /run/systemd/resolve/stub-resolv.conf
> $
> 
> The VPN server side is:
> 
> /etc/ipsec.d/ikev2.conf:
> ------------------------
> conn MYCONN-ikev2-cp
>          # The server's actual IP goes here - not elastic IPs
>          left=161.53.83.3
>          leftcert="magrf-ipv4.grf.hr 2023"
>          leftid=@magrf-ipv4.grf.hr
>          leftsendcert=always
>          leftsubnet=0.0.0.0/0
>          leftrsasigkey=%cert
>          # Clients
>          right=%any
>          # your addresspool to use - you might need NAT rules if providing full internet to clients
>          rightaddresspool=192.168.100.10-192.168.100.253
>          # optional rightid with restrictions
>          # rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
>          rightca=%same
>          rightrsasigkey=%cert
>          #
>          # connection configuration
>          # DNS servers for clients to use
>          modecfgdns=10.0.0.101,1.0.0.1
>          # Versions up to 3.22 used modecfgdns1 and modecfgdns2
>          #modecfgdns1=8.8.8.8
>          #modecfgdns2=193.110.157.123
>          narrowing=yes
>          # recommended dpd/liveness to cleanup vanished clients
>          dpddelay=30
>          dpdtimeout=120
>          dpdaction=clear
>          auto=add
>          ikev2=insist
>          rekey=no
>          # Set ikelifetime and keylife to same defaults windows has
>          # ikelifetime=8h
>          # keylife=2h
>          ms-dh-downgrade=yes
>          mobike=yes
>          esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
>          # esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
>          # ikev2 fragmentation support requires libreswan 3.14 or newer
>          fragmentation=yes
>          # optional PAM username verification (eg to implement bandwidth quota
>          pam-authorize=yes
>          authby=rsa
>          hostaddrfamily=ipv4
>          clientaddrfamily=ipv4
> 
> The client side is:
> 
> conn grf
>          left=%defaultroute
>          leftcert="home-pc-mtodorov.grf.hr 2023"
>          leftid=%fromcert
>          leftrsasigkey=%cert
>          leftsubnet=0.0.0.0/0
>          leftmodecfgclient=yes
>          right=magrf-ipv4.grf.hr
>          rightsubnet=0.0.0.0/0
>          rightid=@magrf-ipv4.grf.hr
>          rightrsasigkey=%cert
>          narrowing=yes
>          ikev2=insist
>          rekey=yes
>          fragmentation=yes
>          mobike=no
>          auto=add
> 
> Many thanks for help.
> 
> Best regards,
> Mirsad Todorovac
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
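The `[: unexpected operator` lines in the quoted log come from `==` inside `[ ]`, which dash (`/bin/sh` on Debian and Ubuntu) rejects; the patch above switches to POSIX `=`. As an added example, not part of this thread or of libreswan, here is a small POSIX-shell lint that flags that construct before a script reaches a dash box, next to the corrected check written as a function; the sample file, its function name and its line numbers are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not libreswan code): detect `[ ... == ... ]`, the bash-only
# test syntax that dash reports as "[: unexpected operator".

# lint_test_bashisms FILE
# Prints "LINE: TEXT" for each line using `==` inside a POSIX test `[ ... ]`.
# Returns 1 when at least one such line is found, 0 when the file is clean.
lint_test_bashisms() {
    awk '
        /\[[^]]* == [^]]*\]/ { found = 1; printf "%d: %s\n", NR, $0 }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# is_xfrmi_route_managed VALUE
# The corrected check from the patch in POSIX form: the quoted operand keeps
# the test well-formed even when VALUE is empty or missing.
is_xfrmi_route_managed() {
    [ "${1:-}" = "yes" ]
}

# make_sample FILE
# Writes a constructed snippet: the pre-patch (line 3) and post-patch (line 6)
# forms of the check side by side.
make_sample() {
    cat > "$1" <<'EOF'
addsource() {
    # XFRMi interface IPs are managed in Pluto
    if [ "${PLUTO_XFRMI_ROUTE}" == "yes" ]; then
        return ${st}
    fi
    if [ "${PLUTO_XFRMI_ROUTE}" = "yes" ]; then
        return ${st}
    fi
}
EOF
}

sample=$(mktemp)
make_sample "$sample"
if lint_test_bashisms "$sample"; then
    echo "clean: no == inside [ ] found"
else
    echo "bashism found (line number printed above); dash would fail here"
fi
rm -f "$sample"
```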

