Hi,

> >> How can I tell what type of cert I'm using?
> >
> > openssl x509 -noout -text -in /your/cert.pem
>
> If you used certutil to generate the certificate directly inside the NSS
> database, you may have to export first, or use something like:
>
> certutil -L -d sql:/etc/ipsec.d -n your_cert_nickname
This is fedora32. It appears the NSS database is physically in /var/lib/ipsec/nss while the certificates I've been creating are stored in /etc/ipsec.d/*.db. What's the difference? Why does ipsec appear to use /var/lib/ipsec/nss while certutil uses /etc/ipsec.d? It's also not necessary to preface it with sql:.

> >> This is with "plutodebug = all crypt". In addition to the
> >> NO_PROPOSAL_CHOSEN messages, the highlights appear to include:
>
> I've given a quick look, and I don't have much more to add to Paul's
> comment below (maybe "all crypt" is too much).

I've gotten past that NO_PROPOSAL_CHOSEN error, or at least it's not producing it anymore.

Are the references to 'vpn.example.com' just labels, or is it a host that has to resolve to an IP?

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

I think I screwed up the leftid setting in the config. It couldn't even find the config when I ran the following. Now it just reports it can't connect (presumably because it's a mobile worker with a dynamic IP).

# ipsec auto --up ikev2-cp
029 "ikev2-cp": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE narrowing=yes)
036 "ikev2-cp": failed to initiate connection

Now Windows is saying "IKE failed to find valid machine certificate. .... install a valid certificate" but I've rebuilt the entire thing, deleted the old certs and inserted a new pk12 cert as I've done before.

This strongswan post appears to indicate that "Maybe Windows wants to do ECDSA and searches for such a certificate". Could that be the case here?
https://wiki.strongswan.org/issues/3021

I've used the following two commands on the Windows side to build the connection:

Add-VpnConnection -Name "ikev2-cp" -ServerAddress orion.example.com -TunnelType "Ikev2" -PassThru -Force -EncryptionLevel "Required" -AllUserConnection -AuthenticationMethod MachineCertificate

Set-VpnConnectionipsecconfiguration -connectionname "ikev2-cp" -authenticationtransformconstants SHA256128 -ciphertransformconstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -Pfsgroup ECP384 -DHGroup Group14 -PassThru -Force

Now trying to connect produces the following:

Dec 29 21:08:37.408754: | found policy = ECDSA+ENCRYPT+TUNNEL+PFS+DONT_REKEY+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO (ikev2-cp)
Dec 29 21:08:37.409050: | found connection: "ikev2-cp"[1] 192.168.1.35 with policy ECDSA+IKEV2_ALLOW
Dec 29 21:12:44.610613: "ikev2-cp"[5] 192.168.1.35 #16: proposal 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match] 3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
Dec 29 21:12:44.613300: "ikev2-cp"[5] 192.168.1.35 #16: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}

Then that's it.

> > - uses right=192.168.1.35 or right=%any
> > - uses authby=ecdsa or authby=rsa or authby=secret (or a combination
> > thereof, or it is not set in which case the defaults would include rsa
> > and/or rsa+ecdsa depending on the version of libreswan)
> > - an ike= line that matches the remote client proposal list (or the
> > client uses something that is not a default ike parameter when no ike=
> > line is specified)

I've tried combinations of all of those. Here's what I have now. Left is my libreswan server and right is my Win10 laptop.
conn ikev2-cp
    left=68.195.111.42
    leftcert=orion.example.com
    leftid=[email protected]
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=192.168.6.2-192.168.6.254
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns=8.8.8.8,193.100.157.123
    narrowing=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    authby=ecdsa
    fragmentation=yes

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
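As an added example (not part of the post above and not libreswan's own code), the Python below parses the "proposal ... chosen from remote proposals" log line quoted in the post into the individual IKE proposals the Windows client offered, renders each in libreswan ike= notation, and reports which of them a candidate server ike= line would cover. The mapping from IKEv2 transform names in the log to libreswan ike= keywords is an assumption made for the example.

```python
import re

# Constructed from the pluto log excerpt in the post (timestamp dropped, whitespace joined).
LOG_LINE = (
    '"ikev2-cp"[5] 192.168.1.35 #16: proposal 2:IKE=AES_CBC_256-HMAC_SHA2_256-'
    'HMAC_SHA2_256_128-MODP2048 chosen from remote proposals '
    '1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048 '
    '2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match] '
    '3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048'
)

# Assumed mapping: IKEv2 transform names as logged -> libreswan ike= keywords.
ENCR = {"AES_CBC_128": "aes128", "AES_CBC_256": "aes256"}
INTEG = {"HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha2_256",
         "HMAC_SHA2_384_192": "sha2_384", "HMAC_SHA2_512_256": "sha2_512"}
DH = {"MODP1024": "modp1024", "MODP2048": "modp2048", "ECP_256": "ecp_256", "ECP_384": "ecp_384"}

# Remote proposals are logged as N:IKE:ENCR=..;INTEG=..;PRF=..;DH=.. (optionally tagged [first-match]).
PROPOSAL_RE = re.compile(r"(\d+):IKE:ENCR=([A-Z0-9_]+);INTEG=([A-Z0-9_]+);PRF=([A-Z0-9_]+);DH=([A-Z0-9_]+)")
# The chosen proposal is logged as N:IKE=ENCR-PRF-INTEG-DH (note the different field order).
CHOSEN_RE = re.compile(r"proposal (\d+):IKE=([A-Z0-9_]+)-([A-Z0-9_]+)-([A-Z0-9_]+)-([A-Z0-9_]+) chosen")


def parse_remote_proposals(line):
    """Return [(number, encr, integ, prf, dh)] for every proposal the client offered."""
    _, _, remote = line.partition("chosen from remote proposals")
    return [(int(n), e, i, p, d) for n, e, i, p, d in PROPOSAL_RE.findall(remote)]


def parse_chosen(line):
    """Return (number, encr, integ, prf, dh) for the proposal the server selected."""
    n, encr, prf, integ, dh = CHOSEN_RE.search(line).groups()
    return (int(n), encr, integ, prf, dh)


def to_ike_keyword(proposal):
    """Render one proposal in libreswan ike= notation, e.g. aes256-sha2_256;modp2048."""
    _, encr, integ, _, dh = proposal
    return f"{ENCR[encr]}-{INTEG[integ]};{DH[dh]}"


def matching_proposals(line, ike_line):
    """Numbers of the client's proposals that a comma-separated server ike= line covers."""
    offered = {alg.strip() for alg in ike_line.split(",")}
    return [p[0] for p in parse_remote_proposals(line) if to_ike_keyword(p) in offered]


if __name__ == "__main__":
    for p in parse_remote_proposals(LOG_LINE):
        print(f"client proposal {p[0]}: {to_ike_keyword(p)}")
    print("server chose:", to_ike_keyword(parse_chosen(LOG_LINE)))
```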
