Hi,

This diff seems to fix the syntax error issue:

diff --git a/programs/_updown.xfrm/_updown.xfrm.in 
b/programs/_updown.xfrm/_updown.xfrm.in
index 9aab61dc1fe7..edf3b8696cee 100644
--- a/programs/_updown.xfrm/_updown.xfrm.in
+++ b/programs/_updown.xfrm/_updown.xfrm.in
@@ -502,7 +502,7 @@ addsource() {
         return ${st}
     fi
     # XFRMi interface IPs are managed in Pluto
-    if [ "${PLUTO_XFRMI_ROUTE}" == "yes" ]; then
+    if [ "${PLUTO_XFRMI_ROUTE}" = "yes" ]; then
         return ${st}
     fi
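Review bot: The `==` to `=` change is the right fix for POSIX `test`: `==` is a bash extension, and judging by the `[: unexpected operator` message in the route-client/up-client output, `_updown.xfrm` is being interpreted by dash as `/bin/sh`, which only knows `=` for string comparison. Before merging, grep the rest of the script for the same pattern (`grep -n '==' programs/_updown.xfrm/_updown.xfrm.in`) or run `checkbashisms` / `shellcheck -s sh` on it, so that any remaining bashisms go into this same patch rather than a later one.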
@@ -542,7 +542,7 @@ delsource() {
         return ${st}
     fi
     # XFRMi interface IPs are managed in Pluto
-    if [ "${PLUTO_XFRMI_ROUTE}" == "yes" ]; then
+    if [ "${PLUTO_XFRMI_ROUTE}" = "yes" ]; then
         return ${st}
     fi
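Review bot: Same fix as in addsource(), correct for the same reason. Since addsource() and delsource() carry identical copies of this XFRMi comment and check, consider factoring it into one small helper (e.g. `xfrmi_managed_by_pluto() { [ "${PLUTO_XFRMI_ROUTE}" = "yes" ]; }`) so the next portability fix needs one hunk instead of two.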
git blame gives commit 32c87516189f6 and 32c87516189f6 as the cause of the 
problem.

About the

up-client output: /usr/local/libexec/ipsec/_updown.xfrm: 432: cannot create 
/etc/resolv.conf: Permission denied

I don't have a clue.

Now I get a different output:

$ sudo ipsec up grf
181 "grf"[1] 161.53.83.3 #1: initiating IKEv2 connection
181 "grf"[1] 161.53.83.3 #1: sent IKE_SA_INIT request to 161.53.83.3:500
182 "grf"[1] 161.53.83.3 #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 
integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "grf"[1] 161.53.83.3 #1: initiator established IKE SA; authenticated peer 
'4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 
'@magrf-ipv4.grf.hr' issued by CA 'CN=GRF-UNIZG CA, O=GRF-UNIZG'
002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_ADDRESS 192.168.100.10
002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_DNS 10.0.0.101
002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_DNS 1.0.0.1
002 "grf"[1] 161.53.83.3 #2: up-client output: updating resolvconf
002 "grf"[1] 161.53.83.3 #2: up-client output: 
/usr/local/libexec/ipsec/_updown.xfrm: 432: cannot create /etc/resolv.conf: Permission 
denied
004 "grf"[1] 161.53.83.3 #2: initiator established Child SA using #1; IPsec tunnel 
[192.168.100.10-192.168.100.10:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0] 
{ESPinUDP/ESN=>0x4ef1e1f7 <0x36c8942c xfrm=AES_GCM_16_256-NONE NATD=161.53.83.3:4500 
DPD=passive}
$

I am using the latest github version commit 0bb82894c7a0.

Best regards,
Mirsad Todorovac
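An added example, not part of the thread or of libreswan's own scripts: a small POSIX sh scanner that finds the `==` test bashism the patch above removes, plus the portable form of the same check. The sample script it scans is constructed here to mirror the two hunks (one unfixed line, one fixed); the function names are mine.

```sh
#!/bin/sh
# Added example (not from the thread): find "==" inside [ ... ], which dash
# (Debian/Ubuntu /bin/sh) rejects with "[: unexpected operator", and show the
# portable "=" form. POSIX sh only; the sample script below is constructed.

# Print "LINE:text" for every line that uses == inside [ ... ].
# POSIX test(1) defines only "=" for string equality; "==" is a bash extension.
find_test_bashisms() {
    grep -n -E '\[[^]]*[^=!]==[^=]' "$1"
}

# Number of offending lines in a script (0 means none found).
count_test_bashisms() {
    n=$(find_test_bashisms "$1" | wc -l)
    echo "$n" | tr -d ' '
}

# Portable equivalent of the fixed check in the patch: "=" rather than "==".
is_yes() {
    if [ "$1" = "yes" ]; then
        return 0
    fi
    return 1
}

# Constructed sample modelled on the two hunks: addsource() still unfixed,
# delsource() already fixed. Returns the temp file path.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
addsource() {
    if [ "${PLUTO_XFRMI_ROUTE}" == "yes" ]; then
        return 0
    fi
}
delsource() {
    if [ "${PLUTO_XFRMI_ROUTE}" = "yes" ]; then
        return 0
    fi
}
EOF
    echo "$f"
}

# Usage: sh this_script.sh --demo   (or point find_test_bashisms at a real file)
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample)
    find_test_bashisms "$sample"
    rm -f "$sample"
fi
```

Pointed at the real `_updown.xfrm`, `find_test_bashisms` reports the same line numbers the up-client output shows, which is a quick way to confirm that a patch like the one above caught every occurrence.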

On 11/1/23 18:42, Mirsad Todorovac wrote:
Hi all,

I have figured out how to connect from my Jammy Ubuntu 22.04 box to VPN 
libreswan server on Debian 11.

But there are problems with connectivity. Though I can search on Google, some 
sites time out.

marvin@defiant:~/build/libreswan/libreswan$ sudo ipsec auto --up grf
WARNING: ipsec auto has been deprecated
181 "grf"[1] 161.53.83.3 #1: initiating IKEv2 connection
181 "grf"[1] 161.53.83.3 #1: sent IKE_SA_INIT request to 161.53.83.3:500
182 "grf"[1] 161.53.83.3 #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 
integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "grf"[1] 161.53.83.3 #1: initiator established IKE SA; authenticated peer 
'4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 
'@magrf-ipv4.grf.hr' issued by CA 'CN=GRF-UNIZG CA, O=GRF-UNIZG'
002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_ADDRESS 192.168.100.10
002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_DNS 10.0.0.101
002 "grf"[1] 161.53.83.3 #2: received INTERNAL_IP4_DNS 1.0.0.1
002 "grf"[1] 161.53.83.3 #2: route-client output: 
/usr/local/libexec/ipsec/_updown.xfrm: 505: [: unexpected operator
002 "grf"[1] 161.53.83.3 #2: up-client output: updating resolvconf
002 "grf"[1] 161.53.83.3 #2: up-client output: 
/usr/local/libexec/ipsec/_updown.xfrm: 432: cannot create /etc/resolv.conf: Permission 
denied
002 "grf"[1] 161.53.83.3 #2: up-client output: 
/usr/local/libexec/ipsec/_updown.xfrm: 505: [: unexpected operator
004 "grf"[1] 161.53.83.3 #2: initiator established Child SA using #1; IPsec tunnel 
[192.168.100.10-192.168.100.10:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0] 
{ESPinUDP/ESN=>0xc3d799c1 <0x590a2b78 xfrm=AES_GCM_16_256-NONE NATD=161.53.83.3:4500 
DPD=passive}

/etc/resolv.conf is the link:

$ ls -ld /etc/resolv.conf
lrwxrwxrwx 1 root root 39 May  3 21:28 /etc/resolv.conf -> 
../run/systemd/resolve/stub-resolv.conf
$ sudo lsattr /run/systemd/resolve/stub-resolv.conf
---------------------- /run/systemd/resolve/stub-resolv.conf
$

The VPN server side is:

/etc/ipsec.d/ikev2.conf:
------------------------
conn MYCONN-ikev2-cp
         # The server's actual IP goes here - not elastic IPs
         left=161.53.83.3
         leftcert="magrf-ipv4.grf.hr 2023"
         leftid=@magrf-ipv4.grf.hr
         leftsendcert=always
         leftsubnet=0.0.0.0/0
         leftrsasigkey=%cert
         # Clients
         right=%any
         # your addresspool to use - you might need NAT rules if providing full internet to clients
         rightaddresspool=192.168.100.10-192.168.100.253
         # optional rightid with restrictions
         # rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
         rightca=%same
         rightrsasigkey=%cert
         #
         # connection configuration
         # DNS servers for clients to use
         modecfgdns=10.0.0.101,1.0.0.1
         # Versions up to 3.22 used modecfgdns1 and modecfgdns2
         #modecfgdns1=8.8.8.8
         #modecfgdns2=193.110.157.123
         narrowing=yes
         # recommended dpd/liveness to cleanup vanished clients
         dpddelay=30
         dpdtimeout=120
         dpdaction=clear
         auto=add
         ikev2=insist
         rekey=no
         # Set ikelifetime and keylife to same defaults windows has
         # ikelifetime=8h
         # keylife=2h
         ms-dh-downgrade=yes
         mobike=yes
         
         esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
         # esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
         # ikev2 fragmentation support requires libreswan 3.14 or newer
         fragmentation=yes
         # optional PAM username verification (eg to implement bandwidth quota)
         pam-authorize=yes
         authby=rsa
         hostaddrfamily=ipv4
         clientaddrfamily=ipv4

The client side is:

conn grf
         left=%defaultroute
         leftcert="home-pc-mtodorov.grf.hr 2023"
         leftid=%fromcert
         leftrsasigkey=%cert
         leftsubnet=0.0.0.0/0
         leftmodecfgclient=yes
         right=magrf-ipv4.grf.hr
         rightsubnet=0.0.0.0/0
         rightid=@magrf-ipv4.grf.hr
         rightrsasigkey=%cert
         narrowing=yes
         ikev2=insist
         rekey=yes
         fragmentation=yes
         mobike=no
         auto=add

Many thanks for help.

Best regards,
Mirsad Todorovac
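An added diagnostic, not part of the thread or of libreswan: a POSIX sh helper that follows the `/etc/resolv.conf` symlink chain the way the `ls -ld` output above was read by hand, and reports whether the final target exists and is writable by the current user. The fixture it builds is constructed to mirror the Ubuntu layout (`etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf`); the function names are mine.

```sh
#!/bin/sh
# Added diagnostic (not from the thread): explain a "cannot create
# /etc/resolv.conf: Permission denied" by following the symlink chain and
# checking the final target. POSIX sh only; readlink -f is deliberately
# avoided because it is not POSIX.

# Follow symlinks one hop at a time and print the final path.
# Relative link targets are resolved against the link's own directory.
resolve_chain() {
    p=$1
    hops=0
    while [ -L "$p" ]; do
        t=$(readlink "$p") || return 1
        case $t in
            /*) p=$t ;;
            *)  p=$(dirname "$p")/$t ;;
        esac
        hops=$((hops + 1))
        [ "$hops" -lt 16 ] || return 1   # refuse symlink loops
    done
    printf '%s\n' "$p"
}

# Prints one of: symlink-writable, symlink-readonly, file-writable,
# file-readonly, missing (dangling link or absent file), loop.
classify_resolvconf() {
    target=$(resolve_chain "$1") || { echo "loop"; return 1; }
    if [ ! -e "$target" ]; then echo "missing"; return 1; fi
    kind=file
    [ -L "$1" ] && kind=symlink
    if [ -w "$target" ]; then echo "$kind-writable"; else echo "$kind-readonly"; fi
}

# Constructed fixture: a temp tree with etc/resolv.conf pointing, via a
# relative link, at a read-only systemd-resolved style stub file.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/run/systemd/resolve"
    printf 'nameserver 127.0.0.53\n' > "$d/run/systemd/resolve/stub-resolv.conf"
    chmod 444 "$d/run/systemd/resolve/stub-resolv.conf"
    ln -s ../run/systemd/resolve/stub-resolv.conf "$d/etc/resolv.conf"
    echo "$d"
}

# Usage: sh this_script.sh --demo   (inspects the real /etc/resolv.conf)
if [ "${1:-}" = "--demo" ]; then
    printf '%s -> %s (%s)\n' /etc/resolv.conf \
        "$(resolve_chain /etc/resolv.conf)" "$(classify_resolvconf /etc/resolv.conf)"
fi
```

Note that `[ -w ]` answers for the user running the check, so run it as the same user the updown script runs as; a `symlink-writable` result from the shell does not rule out a MAC policy or an immutable attribute (the `lsattr` output above checks the latter) blocking the write at the script's line 432.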
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan