Hello there, I just successfully configured libreswan to use a PSK setup, but I’m having problems with the XAUTH and X509 certs setup. I’m trying to connect from OS X using Cisco VPN mode.
Here’s what my successful configuration looks like using L2TP over IPSEC and PSK: /etc/ipsec.conf: version 2.0 config setup dumpdir=/var/run/pluto/ nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.31.48.129/25 oe=off protostack=netkey nhelpers=0 interfaces=%defaultroute conn vpnpsk connaddrfamily=ipv4 auto=add left=$PRIVATE_IP leftid=$PUBLIC_IP leftsubnet=$PRIVATE_IP/32 leftnexthop=%defaultroute leftprotoport=17/1701 rightprotoport=17/%any right=%any rightsubnetwithin=0.0.0.0/0 forceencaps=yes authby=secret pfs=no type=transport auth=esp ike=3des-sha1,aes-sha1 phase2alg=3des-sha1,aes-sha1 rekey=no keyingtries=5 dpddelay=30 dpdtimeout=120 dpdaction=clear this is what I have on my /etc/xl2tpd/xl2tpd.conf: [global] port = 1701 ;debug avp = yes ;debug network = yes ;debug state = yes ;debug tunnel = yes [lns default] ip range = 172.31.48.130-172.31.48.254 local ip = 172.31.48.129 require chap = yes refuse pap = yes require authentication = yes name = l2tpd ;ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes this is my /etc/ppp/options.xl2tpd: ipcp-accept-local ipcp-accept-remote ms-dns 8.8.8.8 ms-dns 8.8.4.4 noccp auth crtscts idle 1800 mtu 1280 mru 1280 lock lcp-echo-failure 10 lcp-echo-interval 60 connect-delay 5000 As I said with the configuration above, I’m able to connect to my VPN from my mac, using L2TP over IPSEC mode. All works great, and I can support multiple users. Now, here are the steps I tried to use to configure the XAUTH/NSS setup: # init nss ipsec initnss # create a root CA for VPN certs certutil -S -k rsa -n rootca -s "CN=bitProductions VPN Certification Authority, O=bitProductions Inc., L=Austin, ST=TX, C=US" -v 120 -d . -t "C,C,C" -x -d /etc/ipsec.d #create a cert for myself certutil -S -k rsa -c rootca -n enrico -s "CN=Enrico Brunetta (VPN), O=bitProductions Inc., L=Austin, ST=TX, C=US" -v 120 -t "u,u,u" -8 vpn.bitproductions.com -d /etc/ipsec.d #Export my cert (so I can use it on my mac) pk12util -o enrico.p12 -n enrico -d /etc/ipsec.d # add to /etc/ipsec.secrets: : RSA enrico @enrico : XAUTH “MyPassword” this is what I think I should add to /etc/ipsec.conf, but I’m not sure since it doesn’t seem to work. conn xauth-rsa connaddrfamily=ipv4 auto=add authby=rsasig pfs=no rekey=no leftxauthserver=yes rightxauthclient=yes left=172.31.28.183 leftcert=enrico leftid=vpn.bitproductions.com leftsendcert=always leftnexthop=%defaultroute leftsubnet=172.31.28.183/32 leftprotoport=17/1701 rightprotoport=17/%any right=%any rightid=%fromcert rightrsasigkey=%cert rightsubnetwithin=0.0.0.0/0 forceencaps=yes type=transport xauthby=alwaysok ike_frag=yes dpddelay=30 dpdtimeout=120 dpdaction=clear I’m not really sure which cert I should use in leftcert: if I should use my cert (enrico). If so, it is my intention to support multiple road warriors, so I’m not sure if I should have a separate section in the confir for each user or if there’s a way to trust any cert signed by the root CA… Any help would be greatly appreciated… Enrico. _______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
