Hi Gurus,

I made it my mission this weekend to figure out how to get network manager on Ubuntu to connect to a libreswan server, since the network-manager-libreswan isn't available in repos yet. I did meet with success, but I had to set the xauthfail=soft to bypass the passwd file.

As I understand it, the network-manager-libreswan only supports xauth+ikev1+psk, so I configured my system as per the libreswan wiki, but everything I tried met with failed authentication from the passwd file; specifically, the log records bad username or passwd.

I used the htpasswd utility to create the file. I appended :rw-xauth-psk, as derived from the conn name in ipsec.conf, to the line. I used the htpasswd -v utility (without the :rw-xauth-psk appended) to verify that it works. The file is owned by root:root, chmod 640, just in case there is some permission restriction I didn't find documented.

I am not clear where the problem here could be.

The wiki explicitly says htpasswd cannot be used to create the passwd file, but I found a mailing list post from a few months ago that says to use it, and my hash begins with $apr1$ as that example does. That post also suggests using grub-md5-crypt, but that program is not available on my system, and is only available through grub-legacy, which is a can of worms I didn't particularly want to argue with.

I also do not find any tools within libreswan to verify a password against the file.

I am also not 100% sure that the network manager is even sending the password, though the server log does indicate it is sending the correct username. Client-side logs say cisco password is received, so presumably that means it dug it up and sent it, but they don't explicitly say it sent it.

Based on another suggestion I found, I also tried putting:

@user: XAUTH "pass"

in my ipsec.secrets and removing the passwd file, but then logs complained the passwd file did not exist.

Also upgraded to latest 3.22.

So thinking I am overlooking something, must have failed to read something? Any hints would be appreciated...
--
Bob Miller
Cell: 867-334-7117
Office: 867-633-3760
www.computerisms.ca
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
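
A format check for the passwd file described in the message above, as an added example that is not part of the original post and is not libreswan code. It assumes the server verifies entries with the system crypt(3) and that lines are laid out as username:hash:connname; `lint_passwd`, `classify` and the sample lines are constructed for illustration.

```python
import re

# Constructed sample lines (placeholder hashes, not real credentials).
SAMPLE = """\
bob:$apr1$AAAAAAAA$BBBBBBBBBBBBBBBBBBBBBB:rw-xauth-psk
alice:$6$saltsalt$CCCCCCCC:other-conn
carol:$6$saltsalt$DDDDDDDD:rw-xauth-psk
broken-line-without-hash
"""

# Hash prefix -> (scheme, problem or None). "$apr1$" is what htpasswd emits
# by default; it is Apache's own MD5 variant, not a glibc crypt(3) method.
SCHEMES = {
    "$apr1$": ("apr1-md5", "Apache-only format, crypt(3) cannot verify it"),
    "$1$": ("md5-crypt", None),
    "$5$": ("sha256-crypt", None),
    "$6$": ("sha512-crypt", None),
}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional crypt, htpasswd -d

def classify(hash_field):
    """Return (scheme, problem) for the hash field of one entry."""
    for prefix, result in SCHEMES.items():
        if hash_field.startswith(prefix):
            return result
    if DES_RE.match(hash_field):
        return ("des-crypt", None)
    return ("unknown", "hash format not recognised by this check")

def lint_passwd(text, conn):
    """Return (lineno, user, issue) tuples for entries that cannot match conn."""
    # Assumed layout: username:hash[:connname]; later fields are ignored.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0] or not fields[1]:
            findings.append((lineno, fields[0], "expected username:hash[:connname]"))
            continue
        scheme, problem = classify(fields[1])
        if problem:
            findings.append((lineno, fields[0], f"{scheme}: {problem}"))
        if len(fields) > 2 and fields[2] != conn:
            findings.append((lineno, fields[0], f"entry is for conn {fields[2]!r}"))
    return findings

if __name__ == "__main__":
    print(*lint_passwd(SAMPLE, "rw-xauth-psk"), sep="\n")
```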