Re: [Swan] VTI with IPv6 supposed to be working ?

2018-10-05 Thread Paul Wouters

On Thu, 20 Sep 2018, Toerless Eckert wrote:

> Is VTI with IPv6 supposed to be working ?

Apparently kernel VTI is known to not work with IPv6 at all. The
replacement kernel code (XFRMi interfaces) will address that.

Paul
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan


Re: [Swan] roadwarrior connects but no data

2018-10-05 Thread Paul Wouters

On Fri, 5 Oct 2018, Johannes C. Schulz wrote:

> $ ip route
> default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
> xx.yyy.zzz.vv dev vti0 scope link

I don't see a src entry here. If the source ip is not the default IP,
then you're in trouble because it would use the wrong source ip to
route into the VTI device, and then not match the IPsec policy.

You can see problems like this by checking the errors counters in
/proc/net/xfrm_stat

Paul
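As an added illustration of the two checks Paul suggests (a src hint on the route into the VTI device, and the error counters in /proc/net/xfrm_stat), here is a small POSIX shell helper; it is not code from the thread or from libreswan, and the route lines and counter values below are constructed samples in the style of the thread.

```shell
#!/bin/sh
# Added example (not from the thread or libreswan): two offline checks for the
# "connected but no data through the VTI" symptom.
# Constructed sample of "ip route" output; the 192.168.92.0/24 line with a
# src hint is hypothetical and shows what a correct vti route looks like.
SAMPLE_ROUTES='default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
xx.yyy.zzz.vv dev vti0 scope link
192.168.92.0/24 dev vti0 scope link src 192.168.42.91
192.168.42.0/24 dev enp0s12u2 proto kernel scope link src 192.168.42.91 metric 100'

# Constructed sample of /proc/net/xfrm_stat with one non-zero counter.
SAMPLE_XFRM_STAT='XfrmInError 0
XfrmInNoPols 7
XfrmOutError 0
XfrmOutPolBlock 0'

# Print routes into a vti device that carry no "src" hint. Without it the
# kernel chooses the source address itself, which may not match the IPsec
# policy (the "left" address), so the packet never matches an SA. Reads stdin.
vti_routes_without_src() {
    awk '/ dev vti[0-9]+/ && !/ src / { print }'
}

# Print the "src" address of every vti route, one per line. Reads stdin.
vti_route_srcs() {
    awk '/ dev vti[0-9]+/ { for (i = 1; i < NF; i++) if ($i == "src") print $(i+1) }'
}

# Print every /proc/net/xfrm_stat counter that is non-zero. Reads stdin.
nonzero_xfrm_counters() {
    awk '$2 != 0 { print $1 " " $2 }'
}

# Run both checks against the live system (not used by the offline samples).
check_live() {
    echo "== vti routes without src:"
    ip route show | vti_routes_without_src
    echo "== non-zero xfrm counters:"
    nonzero_xfrm_counters < /proc/net/xfrm_stat
}
```

Run `check_live` on the roadwarrior; `ip route get <address in the remote subnet>` additionally shows which source address the kernel would pick for that destination.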


Re: [Swan-dev] simple setup

2018-10-05 Thread Paul Wouters

On Fri, 5 Oct 2018, Kim B. Heino wrote:

> All those "~" must be changed to "$HOME". I don't have the power to do
> that. Somebody please fix?
Someone did.

I agree the certificate generation stuff is not user friendly, which is
why we did the webgui thing. I'm still waiting on the packages so I can
test it out on centos/rhel/fedora :)

Paul
___
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev


Re: [Swan-dev] simple setup

2018-10-05 Thread Kim B. Heino
> To be at feature-parity with WireGuard, we don't need to interoperate.
> Simple(!!!) libreswan to libreswan is what is required.

I agree totally here.

I tried to copy-paste commands from that "VPN server for remote clients
using IKEv2" page, it doesn't work:

-

# certutil -N -d sql:~/tmpdb/
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad 
database.

# mkdir tmpdb
# certutil -N -d sql:~/tmpdb/
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad 
database.

# certutil -N -d sql:$HOME/tmpdb/
Enter a password which will be used to encrypt your keys.

-

All those "~" must be changed to "$HOME". I don't have the power to do
that. Somebody please fix?


Re: [Swan-dev] simple setup

2018-10-05 Thread Paul Wouters

On Fri, 5 Oct 2018, D. Hugh Redelmeier wrote:

> To be at feature-parity with WireGuard, we don't need to interoperate.
> Simple(!!!) libreswan to libreswan is what is required.

The WireGuard feature is not having features. They will grow their
warts later on in life.

> Did I say "simple" often enough?

We could surely create an interactive cmdline tool that generates
an /etc/ipsec.d/example.conf file for them. We did create a webgui
tool for a Remote Access VPN which we are polishing up now for
release.

I agree with Kim that our website is more sysadmin focused than
enduser focused and we can improve there. That's a topic for next
week's devel meeting :)

Paul


Re: [Swan-dev] simple setup

2018-10-05 Thread D. Hugh Redelmeier
| From: Paul Wouters 

| Sure. We need support for .mobileconfig support so people can just
| import that on Linux as well as Apple devices. I don't know how to
| create a "profile" for Windows. It would be nice if we could do that
| too.

Fine.  But that isn't what I asked for.

To be at feature-parity with WireGuard, we don't need to interoperate.
Simple(!!!) libreswan to libreswan is what is required.

Any bonus features should be separate and later so that they don't
interfere with the simplicity.

Did I say "simple" often enough?

It's got to be simple.  It's got to look simple to someone who knows
nothing about this stuff.  It's almost an advertisement, but one that
actually is useful and informative.

It's got to be as simple as WireGuard.  Simpler than WireGuard would
be a big bonus.

Sadly, I think that there need to be "field notes" to trouble-shoot
first-time bring-up.  That's way more important than talking about
added features.  Lots of people have trouble getting this
stuff working in the most basic way and end up giving up, scarred for
life.

If our diagnostics make debugging such a simple setup hard, we ought
to look closely at making this easier.  Perhaps we need a bring-up
mode that is more helpful.  Perhaps we need a tool that automates some
of the debugging.


Re: [Swan-dev] simple setup

2018-10-05 Thread Paul Wouters

On Fri, 5 Oct 2018, Kim B. Heino wrote:

> > https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
>
> Problems with that page, when comparing to wireguard/openvpn setup
> guides:
>
> - too long
> - looks way too complex
> - looks scary ("change registry key or it's insecure!!!")
> - hard to find: first time users don't know what IKEv1 vs v2 vs split vs
>   XAUTH means

Sure. We need support for .mobileconfig support so people can just
import that on Linux as well as Apple devices. I don't know how to
create a "profile" for Windows. It would be nice if we could do that
too.

Paul


Re: [Swan-dev] simple setup

2018-10-05 Thread Kim B. Heino
> > I keep seeing people, in various venues, saying that wireshark is
> > wonderful.  

Same is also true for openvpn vs libreswan.

> > Paul (or anyone else): can you create simple instructions for
> > setting up a VPN that has feature-parity with Wireshark?  
> 
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

Problems with that page, when comparing to wireguard/openvpn setup
guides:

- too long
- looks way too complex
- looks scary ("change registry key or it's insecure!!!")
- hard to find: first time users don't know what IKEv1 vs v2 vs split vs
  XAUTH means


Re: [Swan] roadwarrior connects but no data

2018-10-05 Thread Johannes C. Schulz
Hi Paul

Thanks for your answer. But sadly, this did not help.

$ ip route
default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
xx.yyy.zzz.vv dev vti0 scope link
169.254.0.0/16 dev enp0s12u2 scope link metric 1000
192.168.42.0/24 dev enp0s12u2 proto kernel scope link src 192.168.42.91 metric 100

$ route
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 enp0s12u2
.dip0.          0.0.0.0         255.255.255.255 UH    0      0        0 vti0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp0s12u2
192.168.42.0    0.0.0.0         255.255.255.0   U     100    0        0 enp0s12u2


192.168.42.x is the client's network
xx.yyy.zzz.vv is the internet IP of the remote network behind some domain
192.168.92.x is the remote network I want to access

What's wrong with my config?

Best regards
Johannes




On Thu, 4 Oct 2018 at 16:50, Paul Wouters wrote:

> On Thu, 4 Oct 2018, Johannes C. Schulz wrote:
>
> > Hello LibreSwan community! It was a long way to get my libreswan
> > connecting to a vpn-server (which is actually a dsl-router from bintec).
> > The server accepts IPsec IKEv1 connection with PSK. I can connect, but
> > there is no traffic through the tunnel.
> > The problem must be on the roadwarrior's side, because I can connect and
> > transfer data through the tunnel if I connect with a windows machine to
> > the vpn-server (using ShrewSoft).
> >
> > I wrote this config:
> >
> > config setup
> >     protostack = netkey
> >
> > conn Office1
> >     authby = secret
> >     right = some.domain.tld
> >     rightid = @Office_admin
> >     rightnexthop = %defaultroute
> >     left = 192.168.42.91
> >     leftsubnet = 192.168.92.0/24
> >     leftvti = 192.168.92.234/24
> >     leftid = @Office
> >     keyexchange = ike
> >     ike = aes256-sha2;modp2048
> >     esp = aes256-sha2;modp2048
> >     ikelifetime = 4h
> >     keylife = 8h
> >     auto = add
> >     aggrmode = yes
> >     vti-interface = vti0
> >     vti-routing = yes
> >     mark = 5/0x
>
> Try adding sha2_truncbug=yes and see if that fixes your issue. The
> router might be doing "broken linux compatibility" mode by default.
>
> > netstat -r -n
> > Kernel-IP-Routentabelle
> > Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
> > 0.0.0.0         192.168.42.129  0.0.0.0         UG        0 0          0 enp0s12u2
> > xx.yyy.zzz.vv   0.0.0.0         255.255.255.255 UH        0 0          0 vti0
> > 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 enp0s12u2
> > 192.168.42.0    0.0.0.0         255.255.255.0   U         0 0          0 enp0s12u2
> > 192.168.92.0    0.0.0.0         255.255.255.0   U         0 0          0 vti0
>
> What does "ip route" say? It is important to see if you got the proper
> route into the VTI interface. I assume xx.yyy.zzz.vv is some.domain.tld's
> IP?
>
> > ping 192.168.92.10
> > PING 192.168.92.10 (192.168.92.10) 56(84) bytes of data.
> > From 192.168.92.234 icmp_seq=1 Destination Host Unreachable
>
> Is this on the remote end? Because you defined that to be on your end?
>
> Paul
>


-- 
Kind regards
Johannes C. Schulz

„Programmer - n. [proh-gram-er] an organism that turns caffeine and pizza
into software“