On Sun, 12 Mar 2017, Brendan Kearney wrote:
> I am looking to set up ipsec and have read a lot about what I am trying to do,
> but still come up short. Ultimately, I would like to have site-to-site
> tunnels along with road warrior tunnels. I am not sure if this config will
> run on a single libreswan instance, but have not found anything indicating it
> will not work. Can this be confirmed, as something that will work?
Yes that can work together. Just add different conn sections, and use
different IDs to make your life easiest.
> I have an android device (running 4.4.2 kitkat), and libreswan 3.13.1 on
> fedora 20 (soon to be updated), and cannot get a road warrior config working.
Note that android's native IPsec support uses racoon that only supports
IKEv1, and not IKEv2. Note also that android kernels all use a broken
version of SHA2_256 for IPsec.
It would be good if you can upgrade libreswan to 3.19. Since fedora
contains up-to-date libreswan packages, simply updating your fedora machine
should get you a new enough libreswan.
> I have NAT-T set up, and there does not seem to be any issue with getting the
> traffic to the ipsec instance. It seems that I cannot get tunnel parameters
> agreed upon, and phase 1 never completes. With the below in "android.conf",
> I attempt to connect from my android device
>
> conn android
>     #ikev2=insist
>     left=0.0.0.0
>     leftprotoport=17/%any
>     right=192.168.184.1
>     rightprotoport=17/1701
>     authby=secret
>     pfs=no
>     # use auto=start when done testing the tunnel
>     auto=add
To get android to connect, you need to give it an IP address. Either you
need to use IKEv1 XAUTH with addresspool= or you need to use L2TP/IPsec
where the l2tp/ppp layer will hand out an IP address.
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_PSK
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_with_L2TP
If you are using only one client, you can get away with hardcoding the
one IP address you want to hand out as a subnet/32.
> In my logs, I see the below entries:
>
> "android"[10] 192.168.24.133 #10: transition from state STATE_IKEv2_START to
> state STATE_PARENT_R1
> "android"[10] 192.168.24.133 #10: STATE_PARENT_R1: received v2I1, sent v2R1
> {auth=IKEv2 cipher=aes_256 integ=sha1_96 prf=sha group=MODP1024}
> "android"[10] 192.168.24.133 #10: new NAT mapping for #10, was
> 192.168.24.133:500, now 192.168.24.133:60500
> "android"[10] 192.168.24.133 #10: new NAT mapping for #10, was
> 192.168.24.133:60500, now 192.168.24.133:64500
> "android"[10] 192.168.24.133 #10: IKEv2 mode peer ID is ID_USER_FQDN:
> '[email protected]' | CHILD SA proposals received |
I'm a little confused, as I am seeing IKEv2 and not IKEv1. Are you using
the strongswan client on android? In that case, you want to look at:
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
Paul
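As an added illustration of the "separate conn sections, separate IDs" advice above (this is an editor's example, not configuration from the thread or from the libreswan wiki pages linked), here is an ipsec.conf that carries a site-to-site tunnel and an IKEv1 XAUTH/PSK road-warrior conn on one libreswan instance. All addresses (203.0.113.x, 198.51.100.x, 10.x), IDs and secrets are constructed placeholders; the conn is selected by the peer's ID, so the road-warrior group ID must differ from the site-to-site IDs.

```ini
# /etc/ipsec.conf  (constructed example; addresses and IDs are placeholders)
config setup
    protostack=netkey

# --- site-to-site: fixed peers, IKEv2, one ID per gateway ---
conn site-b
    ikev2=insist
    authby=secret
    left=203.0.113.10            # this gateway's public address (placeholder)
    leftid=@site-a
    leftsubnet=10.1.0.0/24
    right=198.51.100.20          # remote gateway (placeholder)
    rightid=@site-b
    rightsubnet=10.2.0.0/24
    auto=start

# --- road warriors: IKEv1 XAUTH + PSK, server hands out the client address ---
conn android-xauth
    ikev2=no                     # native Android (racoon) speaks IKEv1 only
    authby=secret
    aggrmode=yes                 # XAUTH/PSK clients identify with a group ID in aggressive mode
    left=203.0.113.10
    leftid=@site-a
    leftsubnet=0.0.0.0/0         # send all client traffic through the tunnel
    leftxauthserver=yes
    leftmodecfgserver=yes
    right=%any
    rightid=@android-users       # group ID; must not collide with the site-to-site IDs
    rightxauthclient=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    rightaddresspool=10.99.0.10-10.99.0.40
    # single client only? a pool of one address does the same job:
    # rightaddresspool=10.99.0.10-10.99.0.10
    xauthby=file                 # usernames/passwords in /etc/ipsec.d/passwd
    ike=aes256-sha1;modp1024
    phase2alg=aes256-sha1
    pfs=no
    rekey=no
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add                     # switch to auto=start once the tunnel is proven

# /etc/ipsec.secrets (constructed; one PSK per ID pair, so the two conns never share a key):
#   @site-a @site-b         : PSK "site-psk-placeholder"
#   @site-a @android-users  : PSK "group-psk-placeholder"
```

Keying the secrets by ID rather than by address is what lets a single instance tell the two peers apart when both arrive on the same public address; `ipsec auto --status` will show each conn matched independently. The ikev2= setting is what keeps the road-warrior conn from answering an IKEv2 initiator the way the log above shows, while the site-to-site conn insists on IKEv2.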
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan