Thanks Paul. Since this was my first post, I should have posted more details, but finally I got it working after posting on the mailing list. My setup -> IPSEC L2TP/PSK, so it doesn't need narrowing. For the server side I used the post https://github.com/hwdsl2/setup-ipsec-vpn which automates the setup for AWS; this is a great post for a newbie which does all the setup and gives you the PSK/Username/Password and IP to connect.
The mistake I made was that while starting and adding the connection I was using the openswan steps. The right steps that I used are:

1) Add connection
~# ipsec addconn myvpn
002 "myvpn": deleting non-instance connection
002 added connection description "myvpn"

2) Restart the ipsec and xl2tp connection
:~# /etc/init.d/ipsec restart
[ ok ] Restarting ipsec (via systemctl): ipsec.service.
# /etc/init.d/xl2tpd restart
[ ok ] Restarting xl2tpd (via systemctl): xl2tpd.service.

3) Start the IPSEC L2TP-PSK connection
# ipsec auto --start myvpn

4) Now we have to add the adaptor using xl2tp for PPP to be up, and you get an IP
echo "c myvpn" > /var/run/xl2tpd/l2tp-control

This finally gave me the right PPP with the right local IP. It would be a great help if the wiki is updated with the config for both sides and how to start the client side connection.

I was referring to your slide deck at https://datatracker.ietf.org/meeting/interim-2017-i2nsf-01/materials/slides-interim-2017-i2nsf-01-sessa-ipsec-vpn-deployments-paul-wouters/ where you mentioned the following; do we have a sample config for both which I could test? I am doing this on my embedded ARM gateway with integrated MODEM.
- FULL MESH ENCRYPTION
- OPPORTUNISTIC IPSEC GATEWAY

PK

On Thu, Oct 26, 2017 at 7:07 PM, Paul Wouters <[email protected]> wrote:
> On Thu, 26 Oct 2017, Priyank Kumar wrote:
>
>> Hi, first post. I set up libreswan on my AWS instance and am able to connect
>> to it using my android phone. I couldn't get any tutorial on how to set up the
>> Linux client side; after harvesting the net I tried the following configuration.
>
> Did you setup IPsec/L2TP or IKEv2 or IKEv1 XAUTH (Cisco IPsec) ?
>
>> * My AWS side VPN server works fine with my phone, so I don't suspect that
>>
>> Issue 1: if the Linux PC side conf file has narrowing = no, then it gives
>> error "myvpn": cannot initiate connection with narrowing=no and (kind=CK_TEMPLATE)
>> Issue 2: There is no clear instruction on how to start the VPN client, I am using
>> ipsec auto --up myvpn or ipsec auto --start myvpn (this sometimes shows success)
>> Issue 3: If I do narrowing = yes, it fails by
>
> Narrowing is only used for the ikev2 configuration.
>
>> # Linux PC (Client side)
>> /etc/ipsec.d/myvpn.conf
>> conn myvpn
>>     left=%defaultroute
>>     right=<MyServerIP>
>>     narrowing=no
>>     encapsulation=yes
>>     authby=secret
>>     pfs=no
>>     rekey=no
>>     keyingtries=5
>>     dpddelay=30
>>     dpdtimeout=120
>>     dpdaction=clear
>>     ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>>     phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>>     sha2-truncbug=yes
>>     auto=add
>>     leftprotoport=17/1701
>>     rightprotoport=17/1701
>>     type=transport
>>     phase2=esp
>
> This looks like L2TP/IPsec, so do not use narrowing then.
>
> Do not use encapsulation= unless you need to override things normally
> auto-detected.
>
>> #AWS VPN server side conf file, this works with Android phone
>>
>> cat /etc/ipsec.conf
>>
>> version 2.0
>>
>> config setup
>>     virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
>>     protostack=netkey
>>     nhelpers=0
>>     interfaces=%defaultroute
>>     uniqueids=no
>>
>> conn shared
>>     left=%defaultroute
>>     leftid=<ServerIP>
>>     right=%any
>>     encapsulation=yes
>>     authby=secret
>>     pfs=no
>>     rekey=no
>>     keyingtries=5
>>     dpddelay=30
>>     dpdtimeout=120
>>     dpdaction=clear
>>     ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>>     phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>>     sha2-truncbug=yes
>>
>> conn l2tp-psk
>>     auto=add
>>     leftprotoport=17/1701
>>     rightprotoport=17/%any
>>     type=transport
>>     phase2=esp
>>     also=shared
>>
>> conn xauth-psk
>>     auto=add
>>     leftsubnet=0.0.0.0/0
>>     rightaddresspool=192.168.43.10-192.168.43.250
>>     modecfgdns1=8.8.8.8
>>     modecfgdns2=8.8.4.4
>>     leftxauthserver=yes
>>     rightxauthclient=yes
>>     leftmodecfgserver=yes
>>     rightmodecfgclient=yes
>>     modecfgpull=yes
>>     xauthby=file
>>     ike-frag=yes
>>     ikev2=never
>>     cisco-unity=yes
>>     also=shared
>
> You have defined both XAUTH and L2TP/IPsec. I would recommend settling
> on one solution. And strongly recommend ditching L2TP since android,
> iOS and Linux can do XAUTH/IPsec fine.
>
> For a client side config of XAUTH/IPsec, basically copy your server side
> one. Or look at some of our testcases at
>
> https://github.com/libreswan/libreswan/blob/master/testing/pluto/xauth-pluto-05/road.conf
>
> I'll update our wiki soon to include a proper xauth libreswan client
> configuration.
>
> Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
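A small checker for the three points Paul raises above (narrowing= on an L2TP or non-IKEv2 conn, an explicit encapsulation=, and L2TP and XAUTH conns defined side by side), added here as an example and not part of the thread or of libreswan itself. The parse_conf/resolve/lint helpers and the sample conf are constructed simplifications of the configs quoted in the thread, not libreswan's own parser.

```python
# Constructed sample, condensed from the client and server confs quoted above.
SAMPLE_CONF = """\
conn shared
    encapsulation=yes
conn l2tp-psk
    leftprotoport=17/1701
    narrowing=no
    also=shared
conn xauth-psk
    leftxauthserver=yes
    rightxauthclient=yes
    also=shared
"""
def parse_conf(text):
    """Map 'conn NAME' / 'config setup' headers to their key=value settings."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip(): continue
        if not line[0].isspace():  # an unindented line starts a new section
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections
def resolve(sections, name):
    """Pull in settings from also= conns; the conn's own keys win."""
    own, merged = sections.get(name, {}), {}
    for other in own.get("also", "").split():
        merged.update(resolve(sections, f"conn {other}"))
    merged.update(own)
    return merged
def lint(text):
    """Return warnings for the three problems pointed out in the thread."""
    sections = parse_conf(text)
    warnings, l2tp, xauth = [], [], []
    for n in (s for s in sections if s.startswith("conn ")):
        c = resolve(sections, n)
        is_l2tp = c.get("leftprotoport", "").startswith("17/1701")
        is_xauth = "yes" in (c.get("leftxauthserver"), c.get("rightxauthclient"))
        l2tp += [n] * is_l2tp
        xauth += [n] * is_xauth
        if "narrowing" in c and (is_l2tp or c.get("ikev2") in ("no", "never")):
            warnings.append(f"{n}: narrowing= only applies to IKEv2 connections")
        if "encapsulation" in sections[n]:  # the conn's own keys, not also=
            warnings.append(f"{n}: encapsulation= is auto-detected; drop it unless overriding")
    if l2tp and xauth:
        warnings.append("both L2TP/IPsec and XAUTH conns are defined; settle on one")
    return warnings
```

Run lint() over the text of /etc/ipsec.conf or an /etc/ipsec.d/*.conf file; each warning names the conn it applies to.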
