It does rather look like NetworkManager is trying to use a PSK, but the other thing is if you use aggressive mode (which it looks like you are receiving) you must specify ike and phase2alg as they are not negotiated.

Nick

On 2014-08-07 06:57, Gareth Williams wrote:
I've been trying to get LibreSwan (on a CentOS 7 server) to work with
NetworkManager (on Fedora 20 as a road-warrior) for the last week or
so and have failed.

/etc/ipsec.conf on the left/server side is:-

config setup

#    virtual_private=%v4:10.7.0.0/24,%v4:192.168.0.0/8
#    nat_traversal=yes

conn xauth-rsa
#    aggrmode=yes
    authby=rsasig
    auto=add
    pfs=no
    rekey=no
    left=178.62.53.49
    leftcert=LibreSwan
    leftid=%fromcert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    rightaddresspool=10.7.0.2-10.7.0.10
    right=%any
    rightrsasigkey=%cert
    modecfgdns1=8.8.8.8
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=pam
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ike_frag=yes

which I got from:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html
(para 4.7.8)

On NetworkManager's openSwan config, I've got the defaults, with the
addition of:

Gateway = <my server's hostname>
Group Name = <I don't know what goes here, but I have to put something>
User Password = <the PAM password for me as known by the server>
Group Password = Not Required
Username = <my username on the server>

I switch off the firewall on the server when I try to connect for now
and this is what I receive when I follow the logs with `journalctl -fu ipsec`:

-- Logs begin at Thu 2014-08-07 06:24:21 BST. --
Aug 07 06:52:55 <my FQDN> pluto[11098]: listening for IKE messages
Aug 07 06:52:55 <my FQDN> pluto[11098]: adding interface tun0/tun0 10.8.0.1:500
Aug 07 06:52:55 <my FQDN> pluto[11098]: adding interface eth0/eth0
178.62.53.49:500
Aug 07 06:52:55 <my FQDN> pluto[11098]: adding interface lo/lo 127.0.0.1:500
Aug 07 06:52:55 <my FQDN> pluto[11098]: adding interface lo/lo ::1:500
Aug 07 06:52:55 <my FQDN> pluto[11098]: loading secrets from
"/etc/ipsec.secrets"
Aug 07 06:52:55 <my FQDN> pluto[11098]: no secrets filename matched
"/etc/ipsec.d/*.secrets"
Aug 07 06:52:55 <my FQDN> pluto[11098]: loaded private key for keyid:
PPK_RSA:AwEAAb0fm
Aug 07 06:52:56 <my FQDN> pluto[11098]: loading certificate from LibreSwan
Aug 07 06:52:56 <my FQDN> pluto[11098]: added connection description "xauth-rsa"
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
received Vendor ID payload [Dead Peer Detection]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
ignoring received Vendor ID payload [RFC 3947] method=RFC 3947
(NAT-Traversal), because port floating is off
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
ignoring Vendor ID payload [RFC 3947]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
ignoring received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
method=draft-ietf-ipsec-nat-t-ike-02/03, because port floating is off
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
ignoring received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
method=draft-ietf-ipsec-nat-t-ike-02/03, because port floating is off
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
ignoring received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
method=draft-ietf-ipsec-nat-t-ike-02/03, because port floating is off
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
received Vendor ID payload [XAUTH]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
received Vendor ID payload [FRAGMENTATION]
Aug 07 06:53:03 <my FQDN> pluto[11098]: packet from x.y.77.197:500:
initial Aggressive Mode message from x.y.77.197 but no (wildcard)
connection has been configured with policy=PSK+XAUTH+AGGRESSIVE

I've tried to set the server to aggressive with `aggrmode=yes` but it
has no effect.

Am I correct in assuming that the PSK+XAUTH+AGGRESSIVE is what
NetworkManager is trying to connect by?  In which case, am I wasting
time trying to connect using X509 certs as per the website?

I've Googled until my eyes bleed, but can't find a guide on setting up
LibreSwan to work with NetworkManager.

Any assistance would be greatly appreciated.

Regards,

Gareth
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
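As an added illustration of Nick's point (not a config from the thread or from the Libreswan project), this is what a conn matching the policy pluto logged, PSK+XAUTH+AGGRESSIVE, looks like with the proposals stated explicitly; the server address and the XAUTH/modecfg lines are carried over from Gareth's conn, while the conn name, the cipher/DH choices and the PSK are placeholders that must match whatever the client actually offers.

```conf
# Added example, not from the original thread.
# Aggressive mode does not negotiate proposals, so ike= and phase2alg=
# must each name exactly what the client sends (assumed values below;
# pluto logs a proposal mismatch if they differ).
conn xauth-psk
    aggrmode=yes
    authby=secret                 # PSK instead of authby=rsasig
    ike=aes256-sha1;modp1024      # assumed: one phase 1 proposal, with DH group
    phase2alg=aes256-sha1         # assumed: one phase 2 proposal
    pfs=no
    rekey=no
    left=178.62.53.49
    leftsubnet=0.0.0.0/0
    right=%any
    rightaddresspool=10.7.0.2-10.7.0.10
    modecfgdns1=8.8.8.8
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=pam
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ike_frag=yes
    auto=add

# /etc/ipsec.secrets (placeholder PSK; one shared secret for every road warrior
# is what the "Group Password" field on the client side corresponds to):
# 178.62.53.49 %any : PSK "REPLACE-WITH-GROUP-SECRET"
```

With a PSK in aggressive mode, the group secret is the only thing that protects the exchange before XAUTH runs, so treat it as a real credential and rotate it when users leave; the per-user PAM password does not compensate for a weak one.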