strongswan: working ipsec.conf?

Discussion in 'Router' started by John Connett, Jan 2, 2017.

  1. John Connett New Member

    Does anyone have a strongswan ipsec.conf file that works with Perfect Privacy that they are willing to share?

    My longer term aim is to use strongswan on an OpenWrt router. As an intermediate step I am trying to use strongswan from behind that router. I already have Windows 10 Enterprise systems using VPN Manager with IPsec running successfully behind that router.

    I have used the ipsec.conf for carol from the strongswan "Test ikev2/rw-eap-mschapv2-id-rsa" as a starting point and am attempting to use this:
    Code:
    # /etc/ipsec.conf - strongSwan IPsec configuration file
    
    config setup
    
    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
    
    conn perfect-privacy
        left=192.168.1.23
        leftfirewall=yes
        leftauth=eap
        eap_identity=carol
        right=london.perfect-privacy.com
        rightauth=pubkey
        rightid="C=CH, ST=Zug, O=Perfect Privacy, CN=Server_london.perfect-privacy.com"
        rightsubnet=%any
        auto=add
    
    Note that I have substituted "carol" with my actual Perfect Privacy username and used that and my password in /etc/ipsec.secrets. I also changed "left" to the IPv4 address of the particular Linux system.

    I have tried this with two different Linux systems:

    1. Ubuntu 16.10 (Yakkety Yak) / strongswan 5.3.5-1
    2. openSUSE Tumbleweed (VERSION="20161226") / strongswan 5.3.5-1.1

    Both fail with "IKE_AUTH response 1 [ N(AUTH_FAILED) ]" ...

    Any suggestions as to what I am doing wrong?
     
  2. John Connett New Member

    Had a look with Microsoft Message Analyzer at the traffic for a working Windows 10 Enterprise connection. The connection was established with:
    1. Encryption Algorithm - ENCR_AES_CBC (256 bits)
    2. Integrity Algorithm - AUTH_HMAC_SHA2_256_128
    3. Pseudorandom Function - PRF_HMAC_SHA2_256
    4. Diffie-Hellman Group - 1024-bit MODP Group
    Added this to /etc/ipsec.conf to make this the only proposal:
    Code:
        ike=aes256-sha256-prfsha256-modp1024!
        esp=aes256-sha256-prfsha256-modp1024!
    Still fails with "IKE_AUTH response 1 [ N(AUTH_FAILED) ]" ...
     
  3. John Connett New Member

    This /etc/ipsec.conf file mostly works:
    Code:
    # /etc/ipsec.conf - strongSwan IPsec configuration file
    
    config setup
    
    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
    
    conn perfect-privacy
        ike=aes256-sha256-prfsha256-modp1024!
        esp=aes256-sha256-esn-noesn!
        left=%any
        leftsourceip=%config
        leftauth=eap
        eap_identity=carol
        right=london.perfect-privacy.com
        rightauth=pubkey
        rightsubnet=0.0.0.0/0,::/0
        auto=add
    
    Using it to access https://www.perfect-privacy.com/check-ip/ gives similar results to VPN Manager on Windows 10 Enterprise, except for "You do not seem to have IPv6 connectivity."

    This configuration can probably be improved! Constructive criticism would be much appreciated, especially if you have more experience with strongswan.

    It would also be useful to know details of the VPN configuration used by VPN Manager on Windows. I found some details using the Get-VpnConnection PowerShell cmdlet:
    Code:
    PS C:\> Get-VpnConnection -Name "Perfect Privacy VPN" -AllUserConnection
    
    Name                  : Perfect Privacy VPN
    ServerAddress         : 82.199.130.34
    AllUserConnection     : True
    Guid                  : {11111111-2222-3333-4444-555555555555}
    TunnelType            : Ikev2
    AuthenticationMethod  : {Eap}
    EncryptionLevel       : Maximum
    L2tpIPsecAuth         :
    UseWinlogonCredential : False
    EapConfigXmlStream    : #document
    ConnectionStatus      : Disconnected
    RememberCredential    : False
    SplitTunneling        : False
    DnsSuffix             :
    IdleDisconnectSeconds : 86400
    
    PS C:\>
    However, I haven't yet found a way to find the rest of the details.
     
  4. John Connett New Member

    Latest version. This appears to work for IPv6 as well.
    Code:
    # /etc/ipsec.conf - strongSwan IPsec configuration file
    
    config setup
    
    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
    
    conn perfect-privacy
        ike=aes256-sha256-prfsha256-modp1024!
        esp=aes256-sha256-esn-noesn!
        left=%any
        leftsourceip=%config4,%config6
        leftauth=eap
        eap_identity=carol
        right=london.perfect-privacy.com
        rightauth=pubkey
        rightsubnet=0.0.0.0/0,::/0
        auto=add
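An added example, not from the thread or from the strongSwan project: a small offline checker that parses an ipsec.conf in the classic strongSwan 5.x syntax (section headers in column 0, indented key=value settings, `#` comments), applies `conn %default` inheritance, and audits the `ike=`/`esp=` proposal strings. It flags the points raised in posts 2 and 4: a `prf*` algorithm placed in `esp=` (it only applies to IKE), the 1024-bit MODP group, a missing `!` (without it strongSwan also offers its default proposals), and an ESP proposal with no DH group (no PFS on CHILD_SA rekeying). The sample configuration embedded below is constructed to match the final posted config; the function and variable names are this example's own.

```python
"""Parse a strongSwan ipsec.conf and audit its ike=/esp= proposals (added example)."""
import re

# Constructed sample, modelled on the final configuration posted in the thread.
SAMPLE_CONF = """\
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn perfect-privacy
    ike=aes256-sha256-prfsha256-modp1024!
    esp=aes256-sha256-esn-noesn!
    left=%any
    leftsourceip=%config4,%config6
    leftauth=eap
    eap_identity=carol
    right=london.perfect-privacy.com
    rightauth=pubkey
    rightsubnet=0.0.0.0/0,::/0
    auto=add
"""

# MODP groups below 2048 bits are considered weak; modp1024 is the size
# targeted by the Logjam precomputation attack.
WEAK_DH = {"modp768", "modp1024", "modp1536"}
DH_RE = re.compile(r"^(modp\d+|ecp\d+|curve25519|curve448)$")


def parse_ipsec_conf(text):
    """Return {conn name: settings} with 'conn %default' settings inherited."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():
            # Section header such as "conn perfect-privacy" or "config setup".
            kind, _, name = line.partition(" ")
            current = (kind, name.strip())
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"setting outside any section: {line.strip()}")
        key, _, value = line.strip().partition("=")  # split on the first '=' only
        sections[current][key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **settings}
            for (kind, name), settings in sections.items()
            if kind == "conn" and name != "%default"}


def parse_proposals(spec):
    """Split 'aes256-sha256-modp2048,aes128-sha1!' into ([[algs], ...], strict)."""
    strict = spec.endswith("!")
    body = spec.rstrip("!")
    return [p.split("-") for p in body.split(",") if p], strict


def audit_conn(name, conf):
    """Return human-readable findings for one conn's key exchange settings."""
    findings = []
    if conf.get("keyexchange") != "ikev2":
        findings.append(f"{name}: keyexchange is not ikev2")
    ike_props, ike_strict = parse_proposals(conf.get("ike", ""))
    esp_props, esp_strict = parse_proposals(conf.get("esp", ""))
    if ike_props and not ike_strict:
        findings.append(f"{name}: ike= lacks '!', so strongSwan's default proposals are offered too")
    if esp_props and not esp_strict:
        findings.append(f"{name}: esp= lacks '!', so strongSwan's default proposals are offered too")
    for prop in ike_props:
        for alg in prop:
            if alg in WEAK_DH:
                findings.append(f"{name}: ike proposal uses weak DH group {alg}")
    for prop in esp_props:
        text = "-".join(prop)
        if any(alg.startswith("prf") for alg in prop):
            findings.append(f"{name}: esp proposal {text} names a PRF, which applies only to IKE")
        if not any(DH_RE.match(alg) for alg in prop):
            findings.append(f"{name}: esp proposal {text} has no DH group, so CHILD_SA rekeying has no PFS")
        for alg in prop:
            if alg in WEAK_DH:
                findings.append(f"{name}: esp proposal uses weak DH group {alg}")
    return findings


def audit(text):
    """Audit every conn in an ipsec.conf text; returns {conn name: [findings]}."""
    return {name: audit_conn(name, conf) for name, conf in parse_ipsec_conf(text).items()}


if __name__ == "__main__":
    for conn_name, conn_findings in audit(SAMPLE_CONF).items():
        print(conn_name)
        for finding in conn_findings or ["no findings"]:
            print("  -", finding)
```

Run against a real file with `audit(open("/etc/ipsec.conf").read())`. The checker only reads proposal strings; whether a given group is negotiable still depends on what the peer accepts, which is exactly why the thread had to match the server's modp1024 offer.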
     