For the CA, I understand the extra security in keeping it stored outside
the ipsec directory, but is it required? I only ask as this CA is only
to be used by home VPN and if I ever have to wipe and reload I would not
mind no care to recreating.
I thought I had remove the -sport from the iptables commands. My mistake
there.
As for the forward. That is just the default one place by the OS. I have
not gotten that far in setting up the firewall as I was still trying
trying to get a connection to the server established. I know I would
have to remove line and add in something like:
iptables -t nat -I POSTROUTING -s 172.16.2.0/24 -d 192.168.9.0/24 -j
RETURN
iptables -t nat -A POSTROUTING -s 172.16.2.0/24 -d 0.0.0.0/8 -j
MASQUERADE
I also forgot to include in the original email. That when using Main
mode I do not see any connection attempts at all in the server and even
tired it with iptables shutdown. With or without iptables turned on when
in Main Mode i see the requests coming in via TCPDUMP, but libreswan
doesn't seem to register them. Only in Aggressive mode does libreswan
notice the connection.
11:11:21.187284 IP <client_host>.isakmp > <server_host>.isakmp: isakmp:
phase 1 I ident
aggressive=yes also did not seem to be a valid option. So i looked at
the ipsec.conf.5 manual and saw aggrmode was the parameter name. However
when I reading through the wiki for libreswan for the type of connection
i wanted to use. They only used the aggrmode on the client side and not
the server side.
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_Certificates
Whats funny about the line you point out. When you look at the out of
`ipsec status` you can see:
000 "xauth-rsa": policy:
RSASIG+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
------ Original Message ------
From: "Paul Wouters" <[email protected]>
To: "Glenn Sams" <[email protected]>
Cc: [email protected]
Sent: 11/14/2017 11:56:17 PM
Subject: Re: [Swan] Problems with Initial Configuration
On Tue, 14 Nov 2017, Glenn Sams wrote:
I've been attempting to get libreswan up and running on my home
server. This was my first time setting up libreswan. I tired
reading through a few different tutorials, but I could not get a
client to connect.
I started by creating my CA
# ipsec initnss
# certutil -S -x -n "MyHome" -s "O=VPN,CN=MyHome" -k rsa -g 4096
-v 36 -d sql:/etc/ipsec.d -t "CT,," -2
I recommend keeping your CA outside of your ipsec nss store. So your
"CA
store" generates a pkcs12 file and you only "ipsec import" the pkcs12
file into libreswan.
conn xauth-rsa
authby=rsasig
pfs=no
auto=add
rekey=no
left=MyHome
leftcert=MyHome
leftid=%fromcert
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightca=%same
rightaddresspool=172.16.2.1-172.16.2.254
modecfgdns1=192.168.9.23
modecfgdns2=8.8.8.8
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
xauthby=pam
ike-frag=yes
Now from here I went in and setup a new ShrewSoft Connection on my
laptop (using the MYCA.crt for the Server Certificate Authority
Field). I hot spotted to my cell phone so i wasn't testing on the same
network as the server (which I've done to connect to the
work Cisco ASA). Clicked Connect and after a few seconds I got a
timeout warning. So I doubled checked my iptables and I do have
the ports (I know I have not set the nating, but i have not gotten
that far yet):
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
Note you should allo any port to dport udp 500/4500 due to NAT boxes
changing the source port.
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 4500 --dport 4500 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
If you are a gateway between remote node and a local LAN, then
you need to FORWARD the post-decrypt and pre-encrypt packets,
so this rule is too tight.
I then looked at the /var/log/pluto.log file and saw this
https://pastebin.com/4cRJS1Df (given the length of the log file i just
Nov 14 15:35:41: packet from <client_ip>:500: initial Aggressive Mode
message from <client_ip> but no (wildcard) connection has been
configured with policy AGGRESSIVE+IKEV1_ALLOW
You are using Main Mode but the client is using Aggressive Mode. You
can
disable aggressive mode on the client, or enable it on the server
(aggressive=yes). It gives you a little more privacy to NOT use
aggressive mode.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
