On 25/06/2018 3:12 AM, Paul Wouters wrote:

Thanks for the most helpful reply Paul

On Sun, 24 Jun 2018, Lindsay Mathieson wrote:

Trying to get a subnet<->subnet vpn between work and my home Archer D9 router

So I assume this goes across the internet?

Yup.


Work Internet: TPLink ER-5120 ADSL2+
- Static public ip on mycompany.com.au
- Internal subnet 192.168.5.0/24
- DMZ to Ubuntu server on 192.168.5.52

Home Internet:
- xDSL, Dynamic IP

You want left=%defaultroute to pickup your dynamic IP.

        leftsourceip=x.x.x.x
        right=192.168.5.52

You want right=mycompany.com.au  (or if it is a static IP put that in)

        ike=3des-md5;modp1024
        phase2alg=3des-md5;modp1024

Really should modernize these. Easiest is just leave out these two lines
and it will pick much better algorithms, like AES_GCM.

I did all those, but I still got the "no connection has been authorized with policy PSK+IKEV1_ALLOW" error :)

I ended up giving vpnscript a try (https://github.com/hwdsl2/setup-ipsec-vpn)

It downgraded my libreswan version from 3.23 to 3.22 and generated a conf that sort of worked for me. I was able to connect to work using my Windows 10 VPN client and access all the work IPs. My router (Archer D9) connected successfully as well, but I was only able to access the VPN server IP (192.168.5.52). I need site-wide access via the router so my VOIP phone can connect etc.

To clarify the Setup:
Home:

 * PC, Phone => Router (Archer D9) => dynamic IP => Internet
 * 192.168.1.0/24

Work:

 * LibreSWAN VPN Server => Router => Static IP => Internet
     o NAT'd
     o DMZ
 * 192.168.5.0/24


Current semi-working config:

   config setup
       protostack=netkey

   conn shared
       left=192.168.5.52
       right=%any
       authby=secret
       pfs=no
       keyingtries=5
       dpddelay=30
       dpdtimeout=120
       dpdaction=clear
       sha2-truncbug=yes

   conn lindsay
       type=tunnel
       keyexchange=ike
       leftsubnet=192.168.5.0/24
       rightsubnet=192.168.1.0/24
       auto=add
       also=shared



The ipsec barf logs for connecting via my router and connecting via the Win 10 VPN client. I bolded what seems to be the crucial difference.

Archer D9 Router - can only access the VPN server

   Jun 25 21:09:06 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209
   #1: responding to Main Mode from unknown peer 121.200.15.209 on port 500
   Jun 25 21:09:06 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209
   #1: STATE_MAIN_R1: sent MR1, expecting MI2
   Jun 25 21:09:06 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209
   #1: STATE_MAIN_R2: sent MR2, expecting MI3
   Jun 25 21:09:06 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209
   #1: Peer ID is ID_IPV4_ADDR: '121.200.15.209'
   Jun 25 21:09:06 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209
   #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
   {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
   Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209
   #1:*the peer proposed: 192.168.5.0/24:0/0 -> 192.168.1.0/24:0/0*
   Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209
   #2: responding to Quick Mode proposal {msgid:ca4007d5}
   Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209
   #2:     us: 192.168.5.0/24===192.168.5.52<192.168.5.52>
   Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209
   #2:   them: 121.200.15.209===192.168.1.0/24
   Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209
   #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting
   QI2 tunnel mode {ESP=>0x0cf4a7f6 <0x658875c9
   xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
   Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209
   #2: STATE_QUICK_R2: IPsec SA established tunnel mode
   {ESP=>0x0cf4a7f6 <0x658875c9 xfrm=AES_CBC_256-HMAC_SHA1_96
   NATOA=none NATD=none DPD=active}



MS Win 10 VPN Client - can access entire work subnet

   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[1] 121.200.15.209
   #1: responding to Main Mode from unknown peer 121.200.15.209 on port 1
   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[1] 121.200.15.209
   #1: STATE_MAIN_R1: sent MR1, expecting MI2
   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[1] 121.200.15.209
   #1: STATE_MAIN_R2: sent MR2, expecting MI3
   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[1] 121.200.15.209
   #1: Peer ID is ID_IPV4_ADDR: '192.168.1.108'
   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[1] 121.200.15.209
   #1: switched from "lindsay"[1] 121.200.15.209 to "lindsay"
   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209
   #1: deleting connection "lindsay"[1] 121.200.15.209 instance with
   peer 121.200.15.209 {isakmp=#0/ipsec=#0}
   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209
   #1: Peer ID is ID_IPV4_ADDR: '192.168.1.108'
   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209
   #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
   {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=DH20}
   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209
   #1: Configured DPD (RFC 3706) support not enabled because remote
   peer did not advertise DPD support
   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209
   #1: *the peer proposed: 203.206.171.213/32:0/0 -> 192.168.1.108/32:0/0*
   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209
   #1: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209
   #2: responding to Quick Mode proposal {msgid:01000000}
   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209
   #2:     us: 192.168.5.0/24===192.168.5.52<192.168.5.52>
   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209
   #2:   them: 121.200.15.209[192.168.1.108]===192.168.1.0/24
   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209
   #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting
   QI2 tunnel mode {ESP/NAT=>0x1d018784 <0xcfc05dd4
   xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.108
   NATD=121.200.15.209:4500 DPD=active}
   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209
   #2: Configured DPD (RFC 3706) support not enabled because remote
   peer did not advertise DPD support
   Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209
   #2: STATE_QUICK_R2: IPsec SA established tunnel mode
   {ESP/NAT=>0x1d018784 <0xcfc05dd4 xfrm=AES_CBC_256-HMAC_SHA1_96
   NATOA=192.168.1.108 NATD=121.200.15.209:4500 DPD=active}



Any suggestions as to how I can expand the router connection to the entire work subnet?

Thanks.

--
Lindsay
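As an added example (not code from this thread or from libreswan), a small Python parser for the two pluto Quick Mode excerpts above: it pulls the traffic selectors from the "the peer proposed" line and the attributes of the installed SA (NAT-T, NAT-OA, transform) and checks the selectors against the conn's leftsubnet/rightsubnet. The sample log lines are constructed to mirror the excerpts, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample lines, shaped like the two pluto excerpts quoted in the mail.
ROUTER_LOG = (
    'Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #1: '
    'the peer proposed: 192.168.5.0/24:0/0 -> 192.168.1.0/24:0/0\n'
    'Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #2: '
    'STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0cf4a7f6 '
    '<0x658875c9 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}\n'
)
CLIENT_LOG = (
    'Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #1: '
    'the peer proposed: 203.206.171.213/32:0/0 -> 192.168.1.108/32:0/0\n'
    'Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #2: '
    'STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x1d018784 '
    '<0xcfc05dd4 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.108 '
    'NATD=121.200.15.209:4500 DPD=active}\n'
)

# Responder-side view: "the peer proposed: <our net>:<proto>/<port> -> <their net>:<proto>/<port>"
PROPOSED_RE = re.compile(r"the peer proposed: (\S+):\d+/\d+ -> (\S+):\d+/\d+")
SA_RE = re.compile(r"IPsec SA established tunnel mode \{([^}]*)\}")


def parse_quick_mode(log):
    """Extract the proposed traffic selectors and the installed SA's attributes."""
    prop, sa = PROPOSED_RE.search(log), SA_RE.search(log)
    if not prop or not sa:
        raise ValueError("no complete Quick Mode exchange in log")
    # key=value tokens inside the braces; the ESP=>spi / ESP/NAT=>spi token is skipped
    attrs = dict(t.split("=", 1) for t in sa.group(1).split()
                 if "=" in t and not t.startswith("ESP"))
    return {
        "local": ipaddress.ip_network(prop.group(1)),
        "remote": ipaddress.ip_network(prop.group(2)),
        "nat_traversal": sa.group(1).startswith("ESP/NAT"),
        "natoa": attrs.get("NATOA"),
        "xfrm": attrs.get("xfrm"),
    }


def check_selectors(exchange, leftsubnet, rightsubnet):
    """Compare the negotiated selectors with the conn's leftsubnet/rightsubnet."""
    left, right = ipaddress.ip_network(leftsubnet), ipaddress.ip_network(rightsubnet)
    local, remote = exchange["local"], exchange["remote"]
    return {
        "local_within": local.subnet_of(left),
        "remote_within": remote.subnet_of(right),
        "full_subnets": local == left and remote == right,
    }
```

For the router exchange the negotiated selectors already equal 192.168.5.0/24 and 192.168.1.0/24 with no NAT-T, so the conn definition itself is not what limits reachability to 192.168.5.52; the Windows client instead negotiates a /32 selector over NAT-T with NAT-OA 192.168.1.108. The usual next check on the work side is whether hosts other than the VPN server have a route for 192.168.1.0/24 via 192.168.5.52, since the server is not their default gateway.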

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
