On Tue, 16 Sep 2014, Enrico Brunetta wrote:
You say leftcert should be the vpn server cert and not my own cert, so I went
ahead and created a cert for the server.
Now is the server cert the one I need to export and then import on my Mac
system keychain to then use on the Cisco VPN connection setting, or should that
be my own cert (enrico) ?
No you should import your enrico cert on the mac. Remember to both
import the p12 file and the cacert.pem separately - OSX/iOS is stupid
like that.
Sep 17 00:17:01 ip-172-31-48-104 pluto[2266]: packet from 70.117.100.63:500:
received Vendor ID payload [Dead Peer Detection]
Sep 17 00:17:01 ip-172-31-48-104 pluto[2266]: packet from 70.117.100.63:500:
initial Main Mode message received on 172.31.48.104:500 but no connection has
been authorized with policy=RSASIG+XAUTH
with this new ipsec.conf file:
version 2.0
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.31.48.129/25
oe=off
protostack=netkey
nhelpers=0
interfaces=%defaultroute
conn xauth-rsa
connaddrfamily=ipv4
auto=add
authby=rsasig
pfs=no
rekey=no
leftxauthserver=yes
rightxauthclient=yes
left=172.31.28.183
leftcert=vpn.bitproductions.com
leftid=vpn.bitproductions.com
you most likely mean [email protected]
leftsendcert=always
# leftnexthop=%defaultroute
leftsubnet=0.0.0.0/0
right=%any
rightid=%fromcert
rightrsasigkey=%cert
rightaddresspool=172.31.48.130-172.31.48.254
forceencaps=yes
xauthfail=soft
xauthby=alwaysok
ike_frag=yes
dpddelay=30
dpdtimeout=120
dpdaction=clear
You are missing modecfgpull=yes. See
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH
Did your connection load? run ipsec auto --add xauth-rsa
Did your certificates load? run ipsec auto --listall and look for the
CAcert and the vpn.bitproductions.com cert.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan