Hello,

I've been attempting to get libreswan up and running on my home server. This was my first time setting up libreswan. I tried reading through a few different tutorials, but I could not get a client to connect.

I started by creating my CA:
    # ipsec initnss
    # certutil -S -x -n "MyHome" -s "O=VPN,CN=MyHome" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2

I then exported the public key for the CA:
    # certutil -L -n "MyHome" -d sql:/etc/ipsec.d/ -a > MYCA.crt

Next I set up my ipsec config:
# libreswan /etc/ipsec.conf configuration file
config setup
  protostack=netkey
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
  logfile=/var/log/pluto.log

conn xauth-rsa
    authby=rsasig
    pfs=no
    auto=add
    rekey=no
    left=MyHome
    leftcert=MyHome
    leftid=%fromcert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightca=%same
    rightaddresspool=172.16.2.1-172.16.2.254
    modecfgdns1=192.168.9.23
    modecfgdns2=8.8.8.8
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=pam
    ike-frag=yes

Now from here I went in and set up a new ShrewSoft connection on my laptop (using the MYCA.crt for the Server Certificate Authority field). I hotspotted to my cell phone so I wasn't testing on the same network as the server (which I've done to connect to the work Cisco ASA). Clicked Connect and after a few seconds I got a timeout warning. So I double checked my iptables and I do have the ports open (I know I have not set up the NATing, but I have not gotten that far yet):
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 4500 --dport 4500 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT

I then looked at the /var/log/pluto.log file and saw this: https://pastebin.com/4cRJS1Df (given the length of the log file I just put it in Pastebin since I was unsure an attachment would go through). While looking through it I did notice "certificate not loaded for this end", but I'm not sure if that is the cause of the problems or some other item, since the xauth-rsa configuration had not been loaded yet at that point (if I understand the flow of the log file).

I've started over, deleting all the configs and certs, several times. I am really unsure where along this path I actually messed up. So I'm wondering if anyone sees anything I did wrong or could point me to some further documentation I can review.

Thank you
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
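One check a responder might run on a setup like the one above, added here as an example (not code from the thread or from libreswan): it parses an ipsec.conf (a constructed excerpt of the poster's file) and a constructed `certutil -L` listing, then reports any leftcert/rightcert nickname that is missing from the NSS database or lacks the private-key flag, which is what a "certificate not loaded for this end" style failure usually comes down to.

```python
import re
# Constructed excerpt of the conn from the post (not the complete file).
IPSEC_CONF = """\
config setup
  protostack=netkey
conn xauth-rsa
    authby=rsasig
    leftcert=MyHome
    rightca=%same
"""

# Constructed sample of `certutil -L -d sql:/etc/ipsec.d` output.
CERTUTIL_LIST = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI
MyHome                                        CTu,u,u
"""

def parse_ipsec_conf(text):
    """Return {'setup' or conn name: {key: value}}, ignoring comments and blanks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        header = re.match(r'^(config|conn)\s+(\S+)$', line)
        if header:
            name = header.group(2) if header.group(1) == 'conn' else 'setup'
            current = sections.setdefault(name, {})
        elif current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            current[key.strip()] = value.strip()
    return sections

def parse_certutil_list(text):
    """Return {nickname: trust flags} from certutil -L output, skipping the header."""
    certs = {}
    for line in text.splitlines():
        m = re.match(r'^(\S.*?)\s{2,}(\S+)$', line)
        if m and m.group(1) != 'Certificate Nickname':
            certs[m.group(1)] = m.group(2)
    return certs

def check_certs(conf, certs):
    """Flag nicknames absent from the NSS DB or without the 'u' (private key present) flag."""
    problems = []
    for conn, opts in conf.items():
        for side in ('leftcert', 'rightcert'):
            nick, flags = opts.get(side), certs.get(opts.get(side))
            if nick and flags is None:
                problems.append(f'{conn}: {side}={nick} not in NSS database')
            elif nick and 'u' not in flags.split(',')[0]:
                problems.append(f'{conn}: {side}={nick} has no private key ({flags})')
    return problems
```

On a real host, feed it the actual /etc/ipsec.conf and the output of `certutil -L -d sql:/etc/ipsec.d` instead of the constructed strings.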