On Thu, 26 Oct 2017, Priyank Kumar wrote:
Hi, first post. I set up libreswan on my AWS instance and am able to connect to it using my Android phone. I couldn't find any tutorial on how to set it up on the Linux client side; after harvesting the net I tried the following configuration.
Did you set up IPsec/L2TP or IKEv2 or IKEv1 XAUTH (Cisco IPsec)?
* My AWS side VPN server works fine with my phone, so I don't suspect that.

Issue 1: if the Linux PC side conf file has narrowing=no, then it gives the error:
    "myvpn": cannot initiate connection with narrowing=no and (kind=CK_TEMPLATE)

Issue 2: There is no clear instruction on how to start the VPN client. I am using ipsec auto --up myvpn or ipsec auto --start myvpn (this sometimes shows success).

Issue 3: If I do narrowing=yes, it fails by
Narrowing is only used for the ikev2 configuration.
# Linux PC (Client side) /etc/ipsec.d/myvpn.conf
conn myvpn
    left=%defaultroute
    right=<MyServerIP>
    narrowing=no
    encapsulation=yes
    authby=secret
    pfs=no
    rekey=no
    keyingtries=5
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
    phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
    sha2-truncbug=yes
    auto=add
    leftprotoport=17/1701
    rightprotoport=17/1701
    type=transport
    phase2=esp
This looks like L2TP/IPsec, so do not use narrowing then. Do not use encapsulation= unless you need to override things normally auto-detected.
# AWS VPN server side conf file, this works with Android phone
cat /etc/ipsec.conf
version 2.0

config setup
    virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
    protostack=netkey
    nhelpers=0
    interfaces=%defaultroute
    uniqueids=no

conn shared
    left=%defaultroute
    leftid=<ServerIP>
    right=%any
    encapsulation=yes
    authby=secret
    pfs=no
    rekey=no
    keyingtries=5
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
    phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
    sha2-truncbug=yes

conn l2tp-psk
    auto=add
    leftprotoport=17/1701
    rightprotoport=17/%any
    type=transport
    phase2=esp
    also=shared

conn xauth-psk
    auto=add
    leftsubnet=0.0.0.0/0
    rightaddresspool=192.168.43.10-192.168.43.250
    modecfgdns1=8.8.8.8
    modecfgdns2=8.8.4.4
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=file
    ike-frag=yes
    ikev2=never
    cisco-unity=yes
    also=shared
You have defined both XAUTH and L2TP/IPsec. I would recommend settling on one solution. And strongly recommend ditching L2TP since Android, iOS and Linux can do XAUTH/IPsec fine. For a client side config of XAUTH/IPsec, basically copy your server side one. Or look at some of our testcases at https://github.com/libreswan/libreswan/blob/master/testing/pluto/xauth-pluto-05/road.conf

I'll update our wiki soon to include a proper xauth libreswan client configuration.

Paul

_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan
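Following Paul's advice to mirror the server's xauth-psk conn on the client, here is an added example of a client-side /etc/ipsec.d/myvpn.conf for XAUTH/IPsec. It is not from the thread or from the libreswan project: <ServerIP>, <xauth-username> and <shared-secret> are placeholders, the settings from the server's "conn shared" are inlined, and the L2TP-only and IKEv2-only keywords from the original client file are deliberately left out.

```ini
# /etc/ipsec.d/myvpn.conf on the Linux client (added example, not the
# project's own). Mirrors the server's "conn xauth-psk" with left/right swapped.
conn myvpn
    left=%defaultroute
    # placeholder: the server's public address (matches leftid=<ServerIP> there)
    right=<ServerIP>
    # the server's leftsubnet=0.0.0.0/0, seen from the client side
    rightsubnet=0.0.0.0/0
    # PSK goes in /etc/ipsec.secrets as:  %any <ServerIP> : PSK "<shared-secret>"
    authby=secret
    # XAUTH / ModeCfg roles are the mirror image of the server's conn;
    # the client receives its address from the server's rightaddresspool
    leftxauthclient=yes
    rightxauthserver=yes
    leftmodecfgclient=yes
    rightmodecfgserver=yes
    modecfgpull=yes
    # placeholder; the XAUTH password is asked for when the conn is brought up
    leftxauthusername=<xauth-username>
    # XAUTH is IKEv1 only, so keep these as on the server
    ikev2=never
    cisco-unity=yes
    ike-frag=yes
    # proposals copied from the server's "conn shared" so they intersect;
    # the 3des and modp1024 entries only exist to match the server and should
    # be dropped from both sides once the server list is tightened
    ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
    phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
    pfs=no
    sha2-truncbug=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    keyingtries=5
    # not mirrored on purpose: rekey=no (the client should renew its own SAs),
    # encapsulation= (let NAT-T be auto-detected), narrowing= (IKEv2 only),
    # type=transport and leftprotoport/rightprotoport (L2TP only)
    auto=add
```

Load it with ipsec auto --add myvpn and bring it up with ipsec auto --up myvpn, which is the start procedure the original poster was asking about.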
