[Swan] VPN IKEv2 client reporting syntax errors in libexec/ipsec/_updown.xfrm
Mirsad Todorovac
mirsad.todorovac at alu.unizg.hr
Wed Nov 1 20:11:03 EET 2023
Hi,
This diff seems to fix the syntax error issue:
diff --git a/programs/_updown.xfrm/_updown.xfrm.in b/programs/_updown.xfrm/_updown.xfrm.in
index 9aab61dc1fe7..edf3b8696cee 100644
--- a/programs/_updown.xfrm/_updown.xfrm.in
+++ b/programs/_updown.xfrm/_updown.xfrm.in
@@ -502,7 +502,7 @@ addsource() {
return ${st}
fi
# XFRMi interface IPs are managed in Pluto
- if [ "${PLUTO_XFRMI_ROUTE}" == "yes" ]; then
+ if [ "${PLUTO_XFRMI_ROUTE}" = "yes" ]; then
return ${st}
fi
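Review bot: `=` is the correct replacement here; `==` inside `[ ]` is a bash extension that POSIX test(1) rejects, which is what produced the `[: unexpected operator` at _updown.xfrm line 505 in the quoted route-client and up-client output once the script ran under dash, Ubuntu's /bin/sh. The patch carries no description, so a one-line commit message stating that rationale, plus a `checkbashisms` or `shellcheck` pass over _updown.xfrm.in to confirm no other `==` tests remain, would round it out.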
@@ -542,7 +542,7 @@ delsource() {
return ${st}
fi
# XFRMi interface IPs are managed in Pluto
- if [ "${PLUTO_XFRMI_ROUTE}" == "yes" ]; then
+ if [ "${PLUTO_XFRMI_ROUTE}" = "yes" ]; then
return ${st}
fi
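Review bot: same fix, same guard; the identical `PLUTO_XFRMI_ROUTE` check appears verbatim in addsource() and delsource(), which is how one bashism became two. A small helper such as `xfrmi_route_managed_in_pluto() { [ "${PLUTO_XFRMI_ROUTE}" = yes ]; }` called from both places would keep the two copies from drifting apart again.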
git blame gives commit 32c87516189f6 and 32c87516189f6 as the cause of the problem.
About the
up-client output: /usr/local/libexec/ipsec/_updown.xfrm: 432: cannot create /etc/resolv.conf: Permission denied
I don't have a clue.
Now I get a different output:
$ sudo ipsec up grf
181 "grf"[1] 161.53.83.3 #1: initiating IKEv2 connection
181 "grf"[1] 161.53.83.3 #1: sent IKE_SA_INIT request to 161.53.83.3:500
182 "grf"[1] 161.53.83.3 #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "grf"[1] 161.53.83.3 #1: initiator established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate '@magrf-ipv4.grf.hr' issued by CA 'CN=GRF-UNIZG CA, O=GRF-UNIZG'
002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_ADDRESS 192.168.100.10
002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_DNS 10.0.0.101
002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_DNS 1.0.0.1
002 "grf"[1] 161.53.83.3 #2: up-client output: updating resolvconf
002 "grf"[1] 161.53.83.3 #2: up-client output: /usr/local/libexec/ipsec/_updown.xfrm: 432: cannot create /etc/resolv.conf: Permission denied
004 "grf"[1] 161.53.83.3 #2: initiator established Child SA using #1; IPsec tunnel [192.168.100.10-192.168.100.10:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0] {ESPinUDP/ESN=>0x4ef1e1f7 <0x36c8942c xfrm=AES_GCM_16_256-NONE NATD=161.53.83.3:4500 DPD=passive}
$
I am using the latest GitHub version, commit 0bb82894c7a0.
Best regards,
Mirsad Todorovac
On 11/1/23 18:42, Mirsad Todorovac wrote:
> Hi all,
>
> I have figured out how to connect from my Jammy Ubuntu 22.04 box to a libreswan VPN server on Debian 11.
>
> But there are problems with connectivity. Though I can search on Google, some sites time out.
>
> marvin at defiant:~/build/libreswan/libreswan$ sudo ipsec auto --up grf
> WARNING: ipsec auto has been deprecated
> 181 "grf"[1] 161.53.83.3 #1: initiating IKEv2 connection
> 181 "grf"[1] 161.53.83.3 #1: sent IKE_SA_INIT request to 161.53.83.3:500
> 182 "grf"[1] 161.53.83.3 #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
> 003 "grf"[1] 161.53.83.3 #1: initiator established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate '@magrf-ipv4.grf.hr' issued by CA 'CN=GRF-UNIZG CA, O=GRF-UNIZG'
> 002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_ADDRESS 192.168.100.10
> 002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_DNS 10.0.0.101
> 002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_DNS 1.0.0.1
> 002 "grf"[1] 161.53.83.3 #2: route-client output: /usr/local/libexec/ipsec/_updown.xfrm: 505: [: unexpected operator
> 002 "grf"[1] 161.53.83.3 #2: up-client output: updating resolvconf
> 002 "grf"[1] 161.53.83.3 #2: up-client output: /usr/local/libexec/ipsec/_updown.xfrm: 432: cannot create /etc/resolv.conf: Permission denied
> 002 "grf"[1] 161.53.83.3 #2: up-client output: /usr/local/libexec/ipsec/_updown.xfrm: 505: [: unexpected operator
> 004 "grf"[1] 161.53.83.3 #2: initiator established Child SA using #1; IPsec tunnel [192.168.100.10-192.168.100.10:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0] {ESPinUDP/ESN=>0xc3d799c1 <0x590a2b78 xfrm=AES_GCM_16_256-NONE NATD=161.53.83.3:4500 DPD=passive}
>
> /etc/resolv.conf is the link:
>
> $ ls -ld /etc/resolv.conf
> lrwxrwxrwx 1 root root 39 May 3 21:28 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
> $ sudo lsattr /run/systemd/resolve/stub-resolv.conf
> ---------------------- /run/systemd/resolve/stub-resolv.conf
> $
>
> The VPN server side is:
>
> /etc/ipsec.d/ikev2.conf:
> ------------------------
> conn MYCONN-ikev2-cp
> # The server's actual IP goes here - not elastic IPs
> left=161.53.83.3
> leftcert="magrf-ipv4.grf.hr 2023"
> leftid=@magrf-ipv4.grf.hr
> leftsendcert=always
> leftsubnet=0.0.0.0/0
> leftrsasigkey=%cert
> # Clients
> right=%any
> # your addresspool to use - you might need NAT rules if providing full internet to clients
> rightaddresspool=192.168.100.10-192.168.100.253
> # optional rightid with restrictions
> # rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
> rightca=%same
> rightrsasigkey=%cert
> #
> # connection configuration
> # DNS servers for clients to use
> modecfgdns=10.0.0.101,1.0.0.1
> # Versions up to 3.22 used modecfgdns1 and modecfgdns2
> #modecfgdns1=8.8.8.8
> #modecfgdns2=193.110.157.123
> narrowing=yes
> # recommended dpd/liveness to cleanup vanished clients
> dpddelay=30
> dpdtimeout=120
> dpdaction=clear
> auto=add
> ikev2=insist
> rekey=no
> # Set ikelifetime and keylife to same defaults windows has
> # ikelifetime=8h
> # keylife=2h
> ms-dh-downgrade=yes
> mobike=yes
> esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
> # esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
> # ikev2 fragmentation support requires libreswan 3.14 or newer
> fragmentation=yes
> # optional PAM username verification (eg to implement bandwidth quota
> pam-authorize=yes
> authby=rsa
> hostaddrfamily=ipv4
> clientaddrfamily=ipv4
>
> The client side is:
>
> conn grf
> left=%defaultroute
> leftcert="home-pc-mtodorov.grf.hr 2023"
> leftid=%fromcert
> leftrsasigkey=%cert
> leftsubnet=0.0.0.0/0
> leftmodecfgclient=yes
> right=magrf-ipv4.grf.hr
> rightsubnet=0.0.0.0/0
> rightid=@magrf-ipv4.grf.hr
> rightrsasigkey=%cert
> narrowing=yes
> ikev2=insist
> rekey=yes
> fragmentation=yes
> mobike=no
> auto=add
>
> Many thanks for help.
>
> Best regards,
> Mirsad Todorovac
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
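As an added example that is not part of this thread or of the libreswan tree: the `[: unexpected operator` error above comes from `==` inside `[ ]`, which POSIX test(1) and dash (the /bin/sh on Debian and Ubuntu) do not accept, and `sh -n` cannot catch it because `[` is an ordinary command and `==` is just one of its arguments. The script below lints an updown-style script for that pattern and rewrites it to the portable `=` form. The function names (`is_yes`, `count_test_bashisms`, `portable_tests`, `make_sample`, `demo`) and the sample script they operate on are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from libreswan. Finds and fixes the bashism that
# broke _updown.xfrm under dash: `==` used as the operator of a `[ ... ]` test.

# Portable form of the guard from addsource()/delsource(): succeeds only when
# the value passed in $1 is exactly "yes". POSIX test(1) knows `=`, not `==`.
is_yes() {
    [ "${1:-}" = "yes" ]
}

# Print how many `[ ... == ... ]` or `[[ ... == ... ]]` tests the script at $1
# contains. `[[ ]]` is counted too, since it is bash-only as well.
count_test_bashisms() {
    grep -c -E '\[\[?[[:space:]][^]]*[[:space:]]==[[:space:]]' "$1" || true
}

# Rewrite `==` to `=` in bracket tests from $1, writing the result to $2.
# Only the operator is changed; a `[[ ]]` test stays a bashism and needs a
# real rewrite by hand.
portable_tests() {
    sed -E 's/(\[[[:space:]][^]]*[[:space:]])==([[:space:]])/\1=\2/g' "$1" > "$2"
}

# Constructed sample script: the two guards from the patch in their broken
# form, plus one test that is already portable and must not be touched.
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
if [ "${PLUTO_XFRMI_ROUTE}" == "yes" ]; then
    return ${st}
fi
if [ "${PLUTO_XFRMI_ROUTE}" == "yes" ]; then
    return ${st}
fi
if [ "${PLUTO_VERB}" = "up-client" ]; then
    echo "updating resolvconf"
fi
EOF
}

# Lint the sample, rewrite it, and lint the rewritten copy; succeeds when no
# `==` tests remain.
demo() {
    tmp=$(mktemp) && fixed=$(mktemp) || return 1
    make_sample "$tmp"
    before=$(count_test_bashisms "$tmp")
    portable_tests "$tmp" "$fixed"
    after=$(count_test_bashisms "$fixed")
    printf 'bashism tests before: %s, after: %s\n' "$before" "$after"
    rm -f "$tmp" "$fixed"
    [ "$after" -eq 0 ]
}

demo
```

Run it with `sh` (dash) rather than `bash` to see the difference that matters here: bash accepts `==` in `[ ]` silently, so a script that passes every test on a developer's bash box still fails at line 505 on a host whose /bin/sh is dash.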