List: libreswan
Subject: Re: [Swan] Need help connecting a TPLink Archer D9 to a Ubuntu libreswan ipsec server
From: Lindsay Mathieson <lindsay.mathieson () gmail ! com>
Date: 2018-06-25 23:17:18
Message-ID: 829fafb7-a3c9-9d01-d203-89cd78862e96 () gmail ! com
On 25/06/2018 3:12 AM, Paul Wouters wrote:
Thanks for the most helpful reply Paul
> On Sun, 24 Jun 2018, Lindsay Mathieson wrote:
>
>> Trying to get a subnet<->subnet vpn between work and my home Archer
>> D9 router
>
> So I assume this goes across the internet?
Yup.
>
>> Work Internet : TPLink ER-5120 ADSL2+
>> - Static public ip on mycompany.com.au
>> - Internal subnet 192.168.5.0/24
>> - DMZ to Ubuntu server on 192.168.5.52
>>
>> Home Internet:
>> - xDSL, Dynamic IP
>
> You want left=%defaultroute to pickup your dynamic IP.
>
>> leftsourceip=x.x.x.x
>> right=192.168.5.52
>
> You want right=mycompany.com.au (or if it is a static IP put that in)
>
>> ike=3des-md5;modp1024
>> phase2alg=3des-md5;modp1024
>
> Really should modernize these. Easiest is just leave out these two lines
> and it will pick much better algorithms, like AES_GCM.
I did all those, but I still got the "no connection has been authorized
with policy PSK+IKEV1_ALLOW" error :)
I ended up giving vpnscript a try
(https://github.com/hwdsl2/setup-ipsec-vpn)
it downgraded my libreswan version from 3.23 to 3.22 and generated a conf
that sort of worked for me. I was able to connect to work using my
Windows 10 VPN client and access all the work IPs. My router (Archer
D9) connected successfully as well, but I was only able to access the
vpnserver IP (192.168.5.52). I need site-wide access via the router so
my VOIP phone can connect etc.
To clarify the setup:
Home:
  * PC, Phone => Router (Archer D9) => dynamic IP => Internet
  * 192.168.1.0/24
Work:
  * LibreSWAN VPN Server => Router => Static IP => Internet
      o NAT'd
      o DMZ
  * 192.168.5.0/24
Current semi-working config:
config setup
    protostack=netkey

conn shared
    left=192.168.5.52
    right=%any
    authby=secret
    pfs=no
    keyingtries=5
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    sha2-truncbug=yes

conn lindsay
    type=tunnel
    keyexchange=ike
    leftsubnet=192.168.5.0/24
    rightsubnet=192.168.1.0/24
    auto=add
    also=shared
The ipsec barf logs for connecting via my router and connecting via
the Win 10 VPN client. I bolded what seems to be the crucial difference.
Archer D9 Router - can only access the VPN server
Jun 25 21:09:06 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #1: responding to Main Mode from unknown peer 121.200.15.209 on port 500
Jun 25 21:09:06 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 25 21:09:06 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 25 21:09:06 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #1: Peer ID is ID_IPV4_ADDR: '121.200.15.209'
Jun 25 21:09:06 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #1: *the peer proposed: 192.168.5.0/24:0/0 -> 192.168.1.0/24:0/0*
Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #2: responding to Quick Mode proposal {msgid:ca4007d5}
Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #2: us: 192.168.5.0/24===192.168.5.52<192.168.5.52>
Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #2: them: 121.200.15.209===192.168.1.0/24
Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0x0cf4a7f6 <0x658875c9 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0cf4a7f6 <0x658875c9 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
+ _________________________ date
MS Win 10 VPN Client - can access entire work subnet
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[1] 121.200.15.209 #1: responding to Main Mode from unknown peer 121.200.15.209 on port 1
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[1] 121.200.15.209 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[1] 121.200.15.209 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[1] 121.200.15.209 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.108'
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[1] 121.200.15.209 #1: switched from "lindsay"[1] 121.200.15.209 to "lindsay"
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #1: deleting connection "lindsay"[1] 121.200.15.209 instance with peer 121.200.15.209 {isakmp=#0/ipsec=#0}
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.108'
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=DH20}
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #1: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #1: *the peer proposed: 203.206.171.213/32:0/0 -> 192.168.1.108/32:0/0*
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #1: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #2: responding to Quick Mode proposal {msgid:01000000}
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #2: us: 192.168.5.0/24===192.168.5.52<192.168.5.52>
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #2: them: 121.200.15.209[192.168.1.108]===192.168.1.0/24
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x1d018784 <0xcfc05dd4 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.108 NATD=121.200.15.209:4500 DPD=active}
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #2: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x1d018784 <0xcfc05dd4 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.108 NATD=121.200.15.209:4500 DPD=active}
Any suggestions as to how I can expand the router connection to the
entire work subnet?
Thanks.
--
Lindsay
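Added example (not part of this message and not libreswan's own code): a small Python parser that pulls the Phase 1 SA parameters, the peer's proposed Quick Mode selectors, the "us:/them:" lines and the NAT-Traversal state out of pluto log lines like the two sets in the message above, then classifies each proposal against the configured leftsubnet/rightsubnet. The embedded sample lines are copied from the router and Win 10 logs above with the mail wrapping undone; the function names, summary field names and the classification labels (subnet-to-subnet, host-to-host) are my own and not libreswan terminology.

```python
"""Summarise libreswan pluto negotiation logs (added example, not libreswan code)."""
import ipaddress
import re

# Generic pluto line: '<ts> <host> pluto[<pid>]: "<conn>"[<inst>] <peer> #<sa>: <msg>'
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>\S+) #(?P<sa>\d+):\s*(?P<msg>.*)$'
)
# Quick Mode selectors: "the peer proposed: <net>:<proto>/<port> -> <net>:<proto>/<port>"
PROPOSED_RE = re.compile(r'the peer proposed: (?P<src>[\d.]+/\d+):\d+/\d+ -> (?P<dst>[\d.]+/\d+):\d+/\d+')
PEER_ID_RE = re.compile(r"Peer ID is (?P<kind>\w+): '(?P<id>[^']+)'")
STATE_RE = re.compile(r'^(STATE_\w+):')
KV_RE = re.compile(r'(\w+)=([^\s}]+)')   # key=value pairs inside {...}


def parse_line(line):
    """Split one pluto line into fields; None for non-pluto lines.
    Asterisks are stripped so bold markers from a mail client do not matter."""
    m = LINE_RE.match(line.replace('*', '').strip())
    return m.groupdict() if m else None


def braces_kv(msg):
    """key=value pairs inside the last {...} of a message (the SA parameters)."""
    start, end = msg.rfind('{'), msg.rfind('}')
    return dict(KV_RE.findall(msg[start + 1:end])) if 0 <= start < end else {}


def summarize(lines):
    """Reduce one negotiation to the facts worth comparing between two peers."""
    s = {'conn': None, 'peer': None, 'peer_id': None, 'states': [], 'ike_sa': None,
         'proposed': None, 'us': None, 'them': None, 'ipsec_sa': None, 'nat_traversal': False}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s['conn'], s['peer'] = rec['conn'], rec['peer']
        msg = rec['msg']
        st = STATE_RE.match(msg)
        if st:
            s['states'].append(st.group(1))
        if (m := PEER_ID_RE.search(msg)):
            s['peer_id'] = m['id']
        elif 'ISAKMP SA established' in msg:      # Phase 1 done: auth/cipher/integ/group
            s['ike_sa'] = braces_kv(msg)
        elif (m := PROPOSED_RE.search(msg)):      # what the peer asked to tunnel
            s['proposed'] = (m['src'], m['dst'])
        elif msg.startswith('us: '):
            s['us'] = msg[4:]
        elif msg.startswith('them: '):
            s['them'] = msg[6:]
        elif 'IPsec SA established' in msg:       # Phase 2 done: ESP params, NAT-OA/NAT-D
            s['ipsec_sa'] = braces_kv(msg)
            s['nat_traversal'] = 'ESP/NAT=>' in msg
    return s


def classify_proposal(summary, leftsubnet, rightsubnet):
    """Compare the peer's selectors with the configured leftsubnet/rightsubnet."""
    if summary['proposed'] is None:
        return 'no-proposal'
    src, dst = (ipaddress.ip_network(n) for n in summary['proposed'])
    configured = {ipaddress.ip_network(leftsubnet), ipaddress.ip_network(rightsubnet)}
    if {src, dst} == configured:
        return 'subnet-to-subnet'
    if src.prefixlen == 32 and dst.prefixlen == 32:
        return 'host-to-host'
    return 'other'


# Sample input: lines copied from the two logs in the message (wrapping undone).
ROUTER_LOG = """\
Jun 25 21:09:06 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #1: responding to Main Mode from unknown peer 121.200.15.209 on port 500
Jun 25 21:09:06 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 25 21:09:06 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #1: Peer ID is ID_IPV4_ADDR: '121.200.15.209'
Jun 25 21:09:06 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #1:*the peer proposed: 192.168.5.0/24:0/0 -> 192.168.1.0/24:0/0*
Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #2: responding to Quick Mode proposal {msgid:ca4007d5}
Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #2: us: 192.168.5.0/24===192.168.5.52<192.168.5.52>
Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #2: them: 121.200.15.209===192.168.1.0/24
Jun 25 21:09:07 vpnserver pluto[1976]: "lindsay"[1] 121.200.15.209 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0cf4a7f6 <0x658875c9 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
"""
WIN10_LOG = """\
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.108'
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=DH20}
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #1: *the peer proposed: 203.206.171.213/32:0/0 -> 192.168.1.108/32:0/0*
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #1: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #2: us: 192.168.5.0/24===192.168.5.52<192.168.5.52>
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #2: them: 121.200.15.209[192.168.1.108]===192.168.1.0/24
Jun 25 21:11:25 vpnserver pluto[3180]: "lindsay"[2] 121.200.15.209 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x1d018784 <0xcfc05dd4 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.108 NATD=121.200.15.209:4500 DPD=active}
"""

if __name__ == '__main__':
    for name, log in (('Archer D9 router', ROUTER_LOG), ('Win 10 client', WIN10_LOG)):
        s = summarize(log.splitlines())
        print(f"{name}: peer_id={s['peer_id']} group={s['ike_sa']['group']} "
              f"proposed={s['proposed']} nat_t={s['nat_traversal']} "
              f"-> {classify_proposal(s, '192.168.5.0/24', '192.168.1.0/24')}")
```

Run against the two logs, the router negotiation comes out as subnet-to-subnet with NATOA=none and no ESP/NAT, while the Win 10 client negotiation comes out as host-to-host (/32 to /32) behind NAT-T on port 4500; the same summary can be fed from `journalctl -u ipsec` or the syslog file on any libreswan host to compare two peers side by side.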
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan