<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hello LibreSwan community!<div>It was a long way to get my libreswan connecting to a vpn-server (which is actually a dsl-router from bintec). The server accepts IPsec IKEv1 connection with PSK. I can connect, but there is no traffic through the tunnel.</div><div>The problem must be on roadwarriors-side, because I can connect and transfer data through the tunnel if I connect with a windows machine to the vpn-server (using ShrewSoft).</div><div><br></div><div>I wrote this config:</div><div><br></div><div><div><div>config setup</div><div>protostack = netkey</div><div><br></div><div>conn Office1</div><div>authby = secret</div><div>right = some.domain.tld</div><div>rightid = @Office_admin</div><div>rightnexthop = %defaultroute</div><div>left = 192.168.42.91</div><div>leftsubnet = <a href="http://192.168.92.0/24">192.168.92.0/24</a></div><div>leftvti = <a href="http://192.168.92.234/24">192.168.92.234/24</a></div><div>leftid = @Office</div><div>keyexchange = ike</div><div>ike = aes256-sha2;modp2048</div><div>esp = aes256-sha2;modp2048</div><div>ikelifetime = 4h</div><div>keylife = 8h</div><div>auto = add</div><div>aggrmode = yes</div><div>vti-interface = vti0</div><div>vti-routing = yes</div><div>mark = 5/0xffffffff</div></div></div><div><br></div><div>the roadwarrior connects</div><div><br></div><div><div>003 "Office1": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's</div><div>002 "Office1" #1: initiating Aggressive Mode</div><div>112 "Office1" #1: STATE_AGGR_I1: initiate</div><div>010 "Office1" #1: STATE_AGGR_I1: retransmission; will wait 0.5 seconds for response</div><div>010 "Office1" #1: STATE_AGGR_I1: retransmission; will wait 1 seconds for response</div><div>003 "Office1" #1: ignoring unknown Vendor ID payload [0048e2270bea8395ed778d343cc2a076]</div><div>003 "Office1" #1: ignoring unknown Vendor ID payload [5cbeb399eb835a7d7a2eb495905db061]</div><div>003 "Office1" #1: ignoring unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]</div><div>002 "Office1" #1: Peer ID is ID_FQDN: '@Office'</div><div>002 "Office1" #1: WARNING: connection Office1 PSK length of 13 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)</div><div>002 "Office1" #1: Peer ID is ID_FQDN: '@Office'</div><div>004 "Office1" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}</div><div>002 "Office1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:f067a0d5 proposal=AES_CBC_256-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}</div><div>117 "Office1" #2: STATE_QUICK_I1: initiate</div><div>010 "Office1" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response</div><div>002 "Office1" #2: prepare-client output: net.ipv4.conf.vti0.disable_policy = 1</div><div>002 "Office1" #2: prepare-client output: net.ipv4.conf.vti0.rp_filter = 0</div><div>002 "Office1" #2: prepare-client output: net.ipv4.conf.vti0.forwarding = 1</div><div>002 "Office1" #2: route-client output: done ip route</div><div>004 "Office1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x7ab81f99 <0xa80c1c82 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=xx.yyy.zzz.vv:4500 DPD=passive}</div></div><div><br></div><div><div>sudo ipsec auto --up Office1</div><div>netstat -r -n</div><div>Kernel-IP-Routentabelle</div><div>Ziel Router Genmask Flags MSS Fenster irtt Iface</div><div>0.0.0.0 192.168.42.129 0.0.0.0 UG 0 0 0 enp0s12u2</div><div>xx.yyy.zzz.vv 0.0.0.0 255.255.255.255 UH 0 0 0 vti0</div><div>169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 enp0s12u2</div><div>192.168.42.0 0.0.0.0 255.255.255.0 U 0 0 0 enp0s12u2</div><div>192.168.92.0 0.0.0.0 255.255.255.0 U 0 0 0 vti0</div><div>ping 192.168.92.10</div><div>PING 192.168.92.10 (192.168.92.10) 56(84) bytes of data.</div><div>From 192.168.92.234 icmp_seq=1 Destination Host Unreachable</div></div><div><br></div><div>On roadwarrior-side there is no iptables configured:</div><div><div>sudo iptables -L</div><div>Chain INPUT (policy ACCEPT)</div><div>target prot opt source destination </div><div>Chain FORWARD (policy ACCEPT)<br></div><div>target prot opt source destination </div><div>Chain OUTPUT (policy ACCEPT)<br></div><div>target prot opt source destination </div></div><div><br></div><div>I would be very happy, if someone can help me.<br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>Thanx a lot<br></div>Johannes C. Schulz<br><br>
<p><span style="color:rgb(204,204,204)"><font size="1">„<b><i>Programmer
- n. [proh-gram-er] an organism that turns caffeine and pizza into software“</i></b></font></span><br></p></div></div></div></div></div></div></div></div></div>