Hi students,

I thought it would be a good idea to give students the opportunity to configure libreswan to run against a known working VPN server (also libreswan). It will also allow me to test a recent munin statistics plugin, so you will actually be helping me by trying to configure your libreswan client against my server.

The server is vpn.nohats.ca. It uses IKEv2 with certificates as documented at:

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

You will need a PKCS#12 certificate to connect to this server. You can find out how to import this certificate into libreswan at:

https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan

Just email me (offlist) to ask for a certificate and I'll email one back. The certificate can also be used on iOS/OSX and Windows, and on Android when using the strongswan ipsec client. If you are using iOS/OSX, I can also give you a .mobileconfig file.

My recommendation is to configure libreswan on a Linux machine, so that it works for the connection to vpn.nohats.ca. If you enable plutodebug=all in /etc/ipsec.conf, you will get a huge amount of debugging information that gives you an idea of what is involved in starting a tunnel. It is okay if your ipsec client is behind NAT. You can also play with tcpdump to see what this actually looks like.

Another option you can use to gain some experience is to configure Opportunistic IPsec using LetsEncrypt. See:

https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec_using_LetsEncrypt

For all IPsec connections, you can use "ipsec whack --trafficstatus" to see if it is working as expected. Or you can run "ipsec status" to get a developer's view of the libreswan IKE daemon pluto's internal states.

Over the next couple of days, I will also file a number of small bugs that might be good small exercises to get familiar with the code.

If you have any questions, please ask on the list so that answers can be shared with all students. Or check the #swan IRC channel on FreeNode.

Paul
