On Tue, 16 Sep 2014, Enrico Brunetta wrote:
I just successfully configured libreswan to use a PSK setup, but I’m having problems with the XAUTH and X509 certs setup. I’m trying to connect from OS X using Cisco VPN mode.
# add to /etc/ipsec.secrets: : RSA enrico @enrico : XAUTH “MyPassword”
That entry is only used for clients, not servers. For servers you need to decide how to authenticate. See man ipsec.conf for xauthby= If you want to use file based xauth passwords, you can use: touch /etc/ipsec.d/passwd chmod 600 /etc/ipsec.d/passwd htpasswd -d /etc/ipsec.d/passwd enrico
this is what I think I should add to /etc/ipsec.conf, but I’m not sure since it doesn’t seem to work.
I'm asuming you were describing the server side ipsec.conf (since you mention iphone/osx clients):
conn xauth-rsa connaddrfamily=ipv4 auto=add authby=rsasig pfs=no rekey=no leftxauthserver=yes rightxauthclient=yes left=172.31.28.183 leftcert=enrico
That leftcert should be the vpn server cert, not the client cert.
leftid=vpn.bitproductions.com leftsendcert=always leftnexthop=%defaultroute
should be able to leave out the leftnexthop.
leftsubnet=172.31.28.183/32
That should be 0.0.0.0/0
leftprotoport=17/1701 rightprotoport=17/%any
Remove these two. This is not L2TP anymore.
right=%any rightid=%fromcert rightrsasigkey=%cert rightsubnetwithin=0.0.0.0/0
You need rightaddresspool=172.31.48.130-172.31.48.254 instead of rightsubnetwithin.
forceencaps=yes
Should not be needed unless your servers is behind NAT in AWS. Looks like it might be though since it uses 172.31 IPs.
type=transport
Remove, this is not L2TP anymore.
xauthby=alwaysok
Or see above for file passwords. But if you have unique certificates, and you think that's enough, than you can use alwaysok.
ike_frag=yes dpddelay=30 dpdtimeout=120 dpdaction=clear I’m not really sure which cert I should use in leftcert: if I should use my cert (enrico). If so, it is my intention to support multiple road warriors, so I’m not sure if I should have a separate section in the confir for each user or if there’s a way to trust any cert signed by the root CA…
You need to create a certificate for the vpn server just like you generate certs for endusers. Be aware you should put the DNS name in the subjectAltname= field for OSX/iOS to be happy. Paul _______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
