Re: [Swan] VTI with IPv6 supposed to be working ?
On Thu, 20 Sep 2018, Toerless Eckert wrote: Is VTI with IPv6 supposed to be working ? Apparently kernel VTI is known to not work with IPv6 at all. The replacement kernel code (XFRMi interfaces) will address that. Paul ___ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan
Re: [Swan] roadwarrior connects but no data
On Fri, 5 Oct 2018, Johannes C. Schulz wrote: $ ip route default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100 xx.yyy.zzz.vv dev vti0 scope link I don't see a src entry here. If the source ip is not the default IP, then you're in trouble because it would use the wrong source ip to route into the VTI device, and then not match the IPsec policy. You can see problems like this by checking the errors counters in /proc/net/xfrm_stat Paul ___ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan
Re: [Swan-dev] simple setup
On Fri, 5 Oct 2018, Kim B. Heino wrote: All those "~" must be changed to "$HOME". I don't have the power to do that. Somebody please fix? Someone did. I agree the certificate generation stuff is not user friendly, which is why we did the webgui thing. I'm still waiting on the packages so I can test it out on centos/rhel/fedora :) Paul ___ Swan-dev mailing list Swan-dev@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan-dev
Re: [Swan-dev] simple setup
> To be at feature-parity with WireGuard, we don't need to interoperate. > Simple(!!!) libreswan to libreswan is what is required. I agree totally here. I tried to copy-paste commands from that "VPN server for remote clients using IKEv2" page, it doesn't work: - # certutil -N -d sql:~/tmpdb/ certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database. # mkdir tmpdb # certutil -N -d sql:~/tmpdb/ certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database. # certutil -N -d sql:$HOME/tmpdb/ Enter a password which will be used to encrypt your keys. - All those "~" must be changed to "$HOME". I don't have the power to do that. Somebody please fix? ___ Swan-dev mailing list Swan-dev@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan-dev
Re: [Swan-dev] simple setup
On Fri, 5 Oct 2018, D. Hugh Redelmeier wrote: To be at feature-parity with WireGuard, we don't need to interoperate. Simple(!!!) libreswan to libreswan is what is required. The Wireguard is feature is not having features. They will grow their warts later on in life. Did I say "simple" often enough? We could surely create an interactive cmdline tool that generates an /etc/ipsec.d/example.conf file for them. We did create a webgui tool for a Remote Access VPN which we are polishing up now for release. I agree with Kim that our website is more sysadmin focused then enduser focused and we can improve there. That's a topic for next week's devel meeting :) Paul ___ Swan-dev mailing list Swan-dev@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan-dev
Re: [Swan-dev] simple setup
| From: Paul Wouters | Sure. We need support for .mobileconfig support so people can just | import that on Linux as well as Apple devices. I don't know how to | create a "profile" for Windows. I would be nice if we could do that | too. Fine. But that isn't what I asked for. To be at feature-parity with WireGuard, we don't need to interoperate. Simple(!!!) libreswan to libreswan is what is required. Any bonus features should be separate and later so that they don't interfere with the simplicity. Did I say "simple" often enough? It's got to be simple. Its got to look simple to someone who knows nothing about this stuff. It's almost an advertisement, but one that actually is useful and informative. It's got to be as simple as WireGuard. Simpler that WireGuard would be a big bonus. Sadly, I think that there need to be "field notes" to trouble-shoot first-time bring-up. That's way more important that talking about added features. Lots of people have trouble getting this stuff working in the most basic way and end up giving up, scarred for life. If our diagnostics make debugging such a simple setup hard, we ought to look closely at making this easier. Perhaps we need a bring-up mode that is more helpful. Perhaps we need a tool that automates some of the debugging. ___ Swan-dev mailing list Swan-dev@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan-dev
Re: [Swan-dev] simple setup
On Fri, 5 Oct 2018, Kim B. Heino wrote: https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 Problems with that page, when comparing to wireguard/openvpn setup guides: - too long - looks way too complex - looks scary ("change registry key or it's insecure!!!") - hard to find: first time users don't know what IKEv1 vs v2 vs split vs XAUTH means Sure. We need support for .mobileconfig support so people can just import that on Linux as well as Apple devices. I don't know how to create a "profile" for Windows. I would be nice if we could do that too. Paul ___ Swan-dev mailing list Swan-dev@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan-dev
Re: [Swan-dev] simple setup
> > I keep seeing people, in various venues, saying that wireshark is > > wonderful. Same is also true for openvpn vs libreswan. > > Paul (or anyone else): can you create simple instructions for > > setting up a VPN that has feature-parity with Wireshark? > > https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 Problems with that page, when comparing to wireguard/openvpn setup guides: - too long - looks way too complex - looks scary ("change registry key or it's insecure!!!") - hard to find: first time users don't know what IKEv1 vs v2 vs split vs XAUTH means ___ Swan-dev mailing list Swan-dev@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan-dev
Re: [Swan] roadwarrior connects but no data
Hi Paul Thanks for your answer. But sadly, this did not help. $ ip route default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100 xx.yyy.zzz.vv dev vti0 scope link 169.254.0.0/16 dev enp0s12u2 scope link metric 1000 192.168.42.0/24 dev enp0s12u2 proto kernel scope link src 192.168.42.91 metric 100 $ route Kernel-IP-Routentabelle ZielRouter Genmask Flags Metric RefUse Iface default _gateway0.0.0.0 UG10000 enp0s12u2 .dip0. 0.0.0.0 255.255.255.255 UH0 00 vti0 link-local 0.0.0.0 255.255.0.0 U 1000 00 enp0s12u2 192.168.42.00.0.0.0 255.255.255.0 U 10000 enp0s12u2 192.168.42.x is the clients network xx.yyy.zzz.vv is internet-ip of remote network behind some domain 192.168.92.x is the remote network I want to access Whats wrong with my config? Best regards Johannes Am Do., 4. Okt. 2018 um 16:50 Uhr schrieb Paul Wouters : > On Thu, 4 Oct 2018, Johannes C. Schulz wrote: > > > Hello LibreSwan community!It was a long way to get my libreswan > connecting to a vpn-server (which is actually a dsl-router from bintec). > The server accepts IPsec IKEv1 > > connection with PSK. I can connect, but there is no traffic through the > tunnel. > > The problem must be on roadwarriors-side, because I can connect and > transfer data through the tunnel if I connect with a windows machine to the > vpn-server (using > > ShrewSoft). > > > > I wrote this config: > > > > config setup > > protostack = netkey > > > > conn Office1 > > authby = secret > > right = some.domain.tld > > rightid = @Office_admin > > rightnexthop= %defaultroute > > left= 192.168.42.91 > > leftsubnet = 192.168.92.0/24 > > leftvti = 192.168.92.234/24 > > leftid = @Office > > keyexchange = ike > > ike = aes256-sha2;modp2048 > > esp = aes256-sha2;modp2048 > > ikelifetime = 4h > > keylife = 8h > > auto= add > > aggrmode= yes > > vti-interface = vti0 > > vti-routing = yes > > mark= 5/0x > > Try adding sha2_truncbug=yes and see if that fixes your issue. The > router might be doing "broken linux compatibility" mode by default. > > > netstat -r -n > > Kernel-IP-Routentabelle > > ZielRouter Genmask Flags MSS Fenster irtt > Iface > > 0.0.0.0 192.168.42.129 0.0.0.0 UG0 0 0 > enp0s12u2 > > xx.yyy.zzz.vv 0.0.0.0 255.255.255.255 UH0 0 0 > vti0 > > 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 > enp0s12u2 > > 192.168.42.00.0.0.0 255.255.255.0 U 0 0 0 > enp0s12u2 > > 192.168.92.00.0.0.0 255.255.255.0 U 0 0 0 > vti0 > > What does "ip route" say. It is important to see if you got the proper > route into the VTI interface. I assume xx.yyy.zzz.vv is some.domain.tld's > IP ? > > > ping 192.168.92.10 > > PING 192.168.92.10 (192.168.92.10) 56(84) bytes of data. > > From 192.168.92.234 icmp_seq=1 Destination Host Unreachable > > Is this in the remote end? because you defined that to be on your end? > > Paul > -- Viele Grüße Johannes C. Schulz „*Programmer - n. [proh-gram-er] an organism that turns caffeine and pizza into software“* ___ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan