On Tue, 16 Sep 2014, Enrico Brunetta wrote:

I just successfully configured libreswan to use a PSK setup, but I’m having 
problems with the XAUTH and X509 certs setup. I’m trying to connect from OS X 
using Cisco VPN mode.

# add to /etc/ipsec.secrets:
: RSA enrico
@enrico : XAUTH “MyPassword”

That entry is only used for clients, not servers. For servers you need
to decide how to authenticate. See man ipsec.conf for xauthby=

If you want to use file based xauth passwords, you can use:

touch /etc/ipsec.d/passwd
chmod 600 /etc/ipsec.d/passwd
htpasswd -d /etc/ipsec.d/passwd enrico

this is what I think I should add to /etc/ipsec.conf, but I’m not sure since it 
doesn’t seem to work.

I'm asuming you were describing the server side ipsec.conf (since you
mention iphone/osx clients):

conn xauth-rsa
 connaddrfamily=ipv4
 auto=add
 authby=rsasig
 pfs=no
 rekey=no
 leftxauthserver=yes
 rightxauthclient=yes
 left=172.31.28.183
 leftcert=enrico

That leftcert should be the vpn server cert, not the client cert.

 leftid=vpn.bitproductions.com
 leftsendcert=always
 leftnexthop=%defaultroute

should be able to leave out the leftnexthop.

 leftsubnet=172.31.28.183/32

That should be 0.0.0.0/0

 leftprotoport=17/1701
 rightprotoport=17/%any

Remove these two. This is not L2TP anymore.

 right=%any
 rightid=%fromcert
 rightrsasigkey=%cert
 rightsubnetwithin=0.0.0.0/0

You need rightaddresspool=172.31.48.130-172.31.48.254 instead of
rightsubnetwithin.

 forceencaps=yes

Should not be needed unless your servers is behind NAT in AWS. Looks
like it might be though since it uses 172.31 IPs.

 type=transport

Remove, this is not L2TP anymore.

 xauthby=alwaysok

Or see above for file passwords. But if you have unique certificates,
and you think that's enough, than you can use alwaysok.

 ike_frag=yes
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear

I’m not really sure which cert I should use in leftcert: if I should use my 
cert (enrico). If so, it is my intention to support multiple road warriors, so 
I’m not sure if I should have a separate section in the confir for each user or 
if there’s a way to trust any cert signed by the root CA…

You need to create a certificate for the vpn server just like you
generate certs for endusers. Be aware you should put the DNS name in the
subjectAltname= field for OSX/iOS to be happy.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan

Reply via email to