<?xml version="1.0" encoding="utf-16"?><html><head>
<style id="css_styles"><![CDATA[
blockquote.cite { margin-left: 5px; margin-right: 0px; padding-left: 10px; padding-right:0px; border-left: 1px solid #cccccc }
blockquote.cite2 {margin-left: 5px; margin-right: 0px; padding-left: 10px; padding-right:0px; border-left: 1px solid #cccccc; margin-top: 3px; padding-top: 0px; }
a img { border: 0px; }
ol, ul { list-style-position: inside }
body { font-family: Tahoma; font-size: 12pt; }
]]></style>
</head>
<body>Hello,<div><br /></div><div>I've been attempting to get libreswan up and running on my home server. This was my first time setting up libreswan. I tried reading through a few different tutorials, but I could not get a client to connect.</div><div><br /></div><div>I started by creating my CA:<br /> # ipsec initnss<br /> # certutil -S -x -n "MyHome" -s "O=VPN,CN=MyHome" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2</div><div><br /></div><div>I then exported the public key for the CA:<br /> # certutil -L -n "MyHome" -d sql:/etc/ipsec.d/ -a > MYCA.crt<br /><br />Next I set up my ipsec config:<br /># libreswan /etc/ipsec.conf configuration file<br />config setup<br /> protostack=netkey<br /> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24<br /> logfile=/var/log/pluto.log<br /><br />conn xauth-rsa<br /> authby=rsasig<br /> pfs=no<br /> auto=add<br /> rekey=no<br /> left=MyHome<br /> leftcert=MyHome<br /> leftid=%fromcert<br /> leftsendcert=always<br /> leftsubnet=0.0.0.0/0<br /> right=%any<br /> rightca=%same<br /> rightaddresspool=172.16.2.1-172.16.2.254<br /> modecfgdns1=192.168.9.23<br /> modecfgdns2=8.8.8.8<br /> leftxauthserver=yes<br /> rightxauthclient=yes<br /> leftmodecfgserver=yes<br /> rightmodecfgclient=yes<br /> modecfgpull=yes<br /> xauthby=pam<br /> ike-frag=yes</div><div><br /></div><div><br /></div><div>Now from here I went in and set up a new ShrewSoft connection on my laptop (using the MYCA.crt for the Server Certificate Authority field). I hotspotted to my cell phone so I wasn't testing on the same network as the server (which I've done to connect to the work Cisco ASA). I clicked Connect and after a few seconds I got a timeout warning. 
So I double-checked my iptables and I do have the ports (I know I have not set up the NATing, but I have not gotten that far yet):</div><div>-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT</div><div>-A INPUT -p esp -j ACCEPT</div><div>-A INPUT -p ah -j ACCEPT</div><div>-A INPUT -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT</div><div>-A INPUT -p tcp -m tcp --sport 4500 --dport 4500 -j ACCEPT</div><div>-A FORWARD -j REJECT --reject-with icmp-host-prohibited</div><div>-A OUTPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT</div><div>-A OUTPUT -p esp -j ACCEPT</div><div>-A OUTPUT -p ah -j ACCEPT</div><div><br /></div><div>I then looked at the /var/log/pluto.log file and saw this: <a href="https://pastebin.com/4cRJS1Df">https://pastebin.com/4cRJS1Df</a> (given the length of the log file I just put it in Pastebin since I was unsure an attachment would go through). While looking through it I did notice "certificate not loaded for this end", but I'm not sure if that is the cause of the problem or some other item, as the xauth-rsa configuration has not been loaded yet at that point (if I understand the flow of the log file).</div><div><br /></div><div><br /></div><div>I've started over, deleting all the configs and certs, several times. I am really unsure where along this path I actually messed up. So I'm wondering if anyone sees anything I did wrong or could point me to some further documentation I can review.</div><div><br /></div><div>Thank you</div><div><br /></div></body></html>
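As an added example, not code from the original post or from the libreswan project: a small shell check that reads leftcert= from an ipsec.conf fragment and looks that nickname up in a certutil -L listing, reporting whether it is missing, has no private key in the database, or carries CA trust flags rather than being a host certificate. The ipsec.conf fragment, the certutil output and the nicknames vpn-server and ImportedCA are constructed samples modelled on the post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): before starting pluto, confirm
# that the nickname in leftcert= exists in the NSS database listing, has its
# private key there, and is not the CA certificate itself. Inputs are constructed.
set -eu

# Constructed ipsec.conf fragment mirroring the post's conn section.
IPSEC_CONF='conn xauth-rsa
 left=MyHome
 leftcert=MyHome
 leftid=%fromcert
 rightca=%same'

# Constructed "certutil -L -d sql:/etc/ipsec.d" output: a self-signed CA whose
# key is in the DB (CTu,u,u), a host cert it issued (u,u,u), an imported CA (CT,,).
NSS_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyHome                                                       CTu,u,u
vpn-server                                                   u,u,u
ImportedCA                                                   CT,,'

# conf_value CONF KEY: print the value of "KEY=value" from the config text.
conf_value() {
  printf '%s\n' "$1" | awk -F= -v key="$2" \
    '{ sub(/^[[:space:]]+/, "", $1); sub(/[[:space:]]+$/, "", $2) }
     $1 == key { print $2; exit }'
}

# nss_trust_flags LISTING NICK: print the trust attributes of NICK (nicknames
# without spaces assumed), or nothing if NICK is not in the listing.
nss_trust_flags() {
  printf '%s\n' "$1" | awk -v nick="$2" '$1 == nick { print $NF; exit }'
}

# check_leftcert CONF LISTING: print one of missing / no-key / is-ca / ok.
# NSS trust flags: "u" = private key present (user cert), "C"/"T" = CA.
check_leftcert() {
  local nick flags ssl
  nick=$(conf_value "$1" leftcert)
  flags=$(nss_trust_flags "$2" "$nick")
  ssl=${flags%%,*}                       # first field = SSL trust flags
  if [ -z "$flags" ]; then echo missing
  elif [ "${ssl#*u}" = "$ssl" ]; then echo no-key   # no "u": key not in this DB
  elif [ "${ssl#*C}" != "$ssl" ] || [ "${ssl#*T}" != "$ssl" ]; then echo is-ca
  else echo ok
  fi
}

check_leftcert "$IPSEC_CONF" "$NSS_LISTING"   # prints: is-ca
```

Against a live system, replace the two constructed strings with the contents of /etc/ipsec.conf and the output of certutil -L -d sql:/etc/ipsec.d.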