Hello folks,
I’m trying to set up a vpn connection to my company network, but I have no direct support from the IT department as they don’t support personal Linux workstations.
First, the working part: I was able to easily set up the VPN connection from my Android phone. These are the parameters I used there:
- Type: IPSec Xauth PSK
- Server address: <SERVER_ADDRESS>
- IPsec identifier: <GROUP_NAME>
- IPsec pre-shared key: <SHARED_KEY>
- Username: <MY_USERNAME>
- Password: <MY_PASSWORD>
Following this guide I’ve created a new vpn connection on my Fedora workstation. I’m using KDE, which seems not to have GUI support for libreswan, only for openswan.
This is what I have on my main workstation:
$ nmcli -s c export OPENSWAN
conn OPENSWAN
aggrmode=yes
leftid=@<GROUP_NAME>
authby=secret
left=%defaultroute
leftmodecfgclient=yes
right=<SERVER_ADDRESS>
rightmodecfgserver=yes
modecfgpull=yes
rightsubnet=0.0.0.0/0
leftxauthclient=yes
leftusername=<MY_USERNAME>
remote-peer-type=cisco
rightxauthserver=yes
ike=aes256-sha1;modp1536
phase2alg=aes256-sha1
ikelifetime=24h
salifetime=24h
rekey=yes
keyingtries=1
ikev2=never
nm-configured=yes
auto=add
Unfortunately, that doesn’t work.
I’ve also tried with a Workstation-Live DVD under Gnome to set up a libreswan vpn, but it also fails.
However, I’m able to connect through a vpnc vpn:
$ nmcli -s c export VPNC
[main]
Description=VPNC
Host=<SERVER_ADDRESS>
AuthType=1
GroupName=<GROUP_NAME>
GroupPwd=
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=<MY_USERNAME>
SaveUserPassword=0
EnableBackup=0
BackupServer=
EnableNat=1
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=
DHGroup=2
ForceKeepAlives=0
enc_GroupPwd=
UserPassword=
enc_UserPassword=
NTDomain=<DOMAIN_NAME>
EnableMSLogon=0
MSLogonType=0
TunnelingMode=0
TcpTunnelingPort=10000
PeerTimeout=0
EnableLocalLAN=1
SendCertChain=0
VerifyCertDN=
EnableSplitDNS=1
SingleDES=0
SPPhonebook=
X-NM-Use-NAT-T=1
X-NM-Force-NAT-T=0
X-NM-SaveGroupPassword=1
But then I’m unable to browse any resource, because the routing table is not populated correctly:
$ ip route
default via 192.168.1.1 dev enp4s0 proto static metric 100
5.x.x.x via 192.168.1.1 dev enp4s0 proto static metric 100
192.168.1.0/24 dev enp4s0 proto kernel scope link src 192.168.1.10 metric 100
192.168.1.1 dev enp4s0 proto static scope link metric 100
I don’t understand that route for the 5.x.x.x host: it seems vpnc should automatically set up routes from the server upon connection, but that route certainly doesn’t work. But on the Android phone it works…
Obviously, if I manually add a route to 10.0.0.0/24 via tun0 after the vpnc vpn is established, everything works correctly, but… why doesn’t it work without manual intervention?
Hopefully someone with better vpn knowledge can point me in the right direction.
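As an added example (not from the original post), a small POSIX shell check that reports whether any route actually goes through the tunnel device, which is the symptom in the `ip route` output above; it assumes the tunnel is tun0 as in the post, and the routing tables it runs on are constructed from that output.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a VPN tunnel
# interface carries at least one route after the connection comes up.
# Assumption: the tunnel device is tun0, as in the post.

# Print the destination of every route in an `ip route` dump that uses
# the given device.  $1 = device name, $2 = `ip route` output as a string.
routes_via_dev() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        { for (i = 1; i < NF; i++)
              if ($i == "dev" && $(i+1) == dev) { print $1; break } }'
}

# Count the non-default routes that use the device.
count_vpn_routes() {
    routes_via_dev "$1" "$2" | grep -v '^default$' | wc -l | tr -d ' '
}

# Succeed (exit 0) only if the device has at least one non-default route.
has_vpn_route() {
    [ "$(count_vpn_routes "$1" "$2")" -gt 0 ]
}

# Constructed sample 1: the routing table from the post right after vpnc
# connects (placeholder 5.x.x.x kept as written there). Nothing uses tun0.
BROKEN_TABLE='default via 192.168.1.1 dev enp4s0 proto static metric 100
5.x.x.x via 192.168.1.1 dev enp4s0 proto static metric 100
192.168.1.0/24 dev enp4s0 proto kernel scope link src 192.168.1.10 metric 100
192.168.1.1 dev enp4s0 proto static scope link metric 100'

# Constructed sample 2: the same table after the manual fix described in
# the post (a route to 10.0.0.0/24 via tun0).
FIXED_TABLE="$BROKEN_TABLE
10.0.0.0/24 dev tun0 scope link"

# Report on both samples; on a live system pass "$(ip route)" instead.
for name in BROKEN_TABLE FIXED_TABLE; do
    eval "table=\$$name"
    if has_vpn_route tun0 "$table"; then
        echo "$name: $(count_vpn_routes tun0 "$table") route(s) via tun0"
    else
        echo "$name: no routes via tun0 (gateway pushed none, or client ignored them)"
    fi
done
```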