Unable to setup IPSec Xauth PSK vpn

Hello folks,
I’m trying to set up a vpn connection to my company network, but I have no direct support from the IT department as they don’t support personal Linux workstations.

First, the working part: I was able to easily set up the VPN connection from my Android phone. These are the parameters I used there:

  • Type: IPSec Xauth PSK
  • Server address: <SERVER_ADDRESS>
  • IPsec identifier: <GROUP_NAME>
  • IPsec pre-shared key: <SHARED_KEY>
  • Username: <MY_USERNAME>
  • Password: <MY_PASSWORD>

Following this guide I’ve created a new vpn connection on my Fedora workstation. I’m using KDE, which seems not to have GUI support for libreswan, only openswan.
This is what I have on my main workstation:

$ nmcli -s c export OPENSWAN
conn OPENSWAN
 aggrmode=yes
 leftid=@<GROUP_NAME>
 authby=secret
 left=%defaultroute
 leftmodecfgclient=yes
 right=<SERVER_ADDRESS>
 rightmodecfgserver=yes
 modecfgpull=yes
 rightsubnet=0.0.0.0/0
 leftxauthclient=yes
 leftusername=<MY_USERNAME>
 remote-peer-type=cisco
 rightxauthserver=yes
 ike=aes256-sha1;modp1536
 phase2alg=aes256-sha1
 ikelifetime=24h
 salifetime=24h
 rekey=yes
 keyingtries=1
 ikev2=never
 nm-configured=yes
 auto=add

Unfortunately, that doesn’t work.
I’ve also tried with a Workstation-Live DVD under Gnome to set up a libreswan vpn, but it also fails.

However, I’m able to connect through a vpnc vpn:

$ nmcli -s c export VPNC
[main]
Description=VPNC
Host=<SERVER_ADDRESS>
AuthType=1
GroupName=<GROUP_NAME>
GroupPwd=
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=<MY_USERNAME>
SaveUserPassword=0
EnableBackup=0
BackupServer=
EnableNat=1
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=
DHGroup=2
ForceKeepAlives=0
enc_GroupPwd=
UserPassword=
enc_UserPassword=
NTDomain=<DOMAIN_NAME>
EnableMSLogon=0
MSLogonType=0
TunnelingMode=0
TcpTunnelingPort=10000
PeerTimeout=0
EnableLocalLAN=1
SendCertChain=0
VerifyCertDN=
EnableSplitDNS=1
SingleDES=0
SPPhonebook=
X-NM-Use-NAT-T=1
X-NM-Force-NAT-T=0
X-NM-SaveGroupPassword=1

But then I’m unable to browse any resource, because the routing table is not populated correctly:

$ ip route
default via 192.168.1.1 dev enp4s0 proto static metric 100
5.x.x.x via 192.168.1.1 dev enp4s0 proto static metric 100
192.168.1.0/24 dev enp4s0 proto kernel scope link src 192.168.1.10 metric 100
192.168.1.1 dev enp4s0 proto static scope link metric 100

I don’t understand that route for the 5.x.x.x host: it seems vpnc should automatically set up routes from the server upon connection, but that route certainly doesn’t work. But on the Android phone it works…
Obviously, if I manually add a route to 10.0.0.0/24 via tun0 after the vpnc vpn is established, everything works correctly, but… why doesn’t it work without manual intervention?

Hopefully someone with better vpn knowledge can point me in the right direction.

From your first example:

0.0.0.0/0 means all networks and subnets; I don’t think it is possible on a VPN alias company network.

rightsubnet=10.0.0.0/24, did you test that?
So you restrict the broadcasting from 10.0.0.1 to 10.0.0.254.
10.0.0.0 is the network address on /24 subnets and
10.0.0.255 would be the broadcast address.

5.x.x.x is probably a default for another type of device? You said you took the info from your mobile device?

My first example refers to an openswan vpn created through the NetworkManager-qt GUI. The 0.0.0.0/0 network is created as default and there’s no way to edit it from the GUI. I could try to edit it from nmcli, but those openswan settings don’t authenticate at all, so the network settings are a later step.

The 5.x.x.x routing entry is created upon connection with the vpnc vpn. Reading the vpnc man pages, I understand that entry is automatically created by fetching some configuration from the server via vpnc-script.

There’s no way to see the NetworkManager vpn configuration that my Android phone uses when I create the vpn using the parameters I mentioned in my first post. According to the guide at the link I posted in the first post, Android should be using a libreswan vpn when selecting the IPSec Xauth PSK type.

So, after some time I put some more effort into trying to solve my problem. I’ve discovered that I can’t, but I’ll report my findings here, in case someone else gets stuck with this.

First problem: Fedora doesn’t correctly detect the local IP address.
This is a sample default config created by network manager:

conn vpn
 aggrmode=yes
 leftid=@GROUPNAME
 authby=secret
 left=%defaultroute
 leftmodecfgclient=yes
 right=GATEWAY
 rightmodecfgserver=yes
 modecfgpull=yes
 rightsubnet=0.0.0.0/0
 leftxauthclient=yes
 leftusername=USERNAME
 remote-peer-type=cisco
 rightxauthserver=yes
 ike=aes256-sha1;modp1536
 phase2alg=aes256-sha1
 ikelifetime=24h
 salifetime=24h
 rekey=yes
 keyingtries=1
 ikev2=never
 nm-configured=yes
 auto=add

The left=%defaultroute directive is translated to left=0.0.0.0, which causes a failure in vpn initialization with the error "we cannot identify ourselves with either end of this connection. <REMOTE_IP_ADDRESS> or 0.0.0.0 are not usable".
After manually editing the left property by setting it to my LAN IP address, things started to move forward a bit.

The second problem, which makes me unable to connect, is that the remote server still uses DH group 2 (which is ike=aes256-sha1;modp1024). Unfortunately, DH group 2 support has been removed in Fedora.

However, I was able to connect through the old vpnc vpn type, although the routing table isn’t correctly set up and I have to manually add the appropriate route every time I connect.

I hope these notes can be helpful if someone hits the same problems one day.
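The two findings above (left=%defaultroute collapsing to 0.0.0.0, and the server's DH group 2 no longer being offered by Fedora's libreswan) can be caught before even dialling. The following is an added audit script, not code from this thread or from libreswan: it parses a conn stanza like the NetworkManager-generated one above and flags the settings that either cannot negotiate or are below current guidance. The group-number table and the sample stanza are constructed for the example.

```python
"""Audit a libreswan/openswan-style `conn` stanza for IKEv1 XAuth/PSK client
settings that are known to fail or to be weak (added example, not from the thread)."""
import re

# Constructed sample: the stanza NetworkManager generated in the thread, placeholders kept.
SAMPLE_CONN = """conn vpn
 aggrmode=yes
 leftid=@GROUPNAME
 authby=secret
 left=%defaultroute
 right=GATEWAY
 rightsubnet=0.0.0.0/0
 ike=aes256-sha1;modp1536
 phase2alg=aes256-sha1
 ikev2=never
"""

# libreswan DH group spellings mapped to their IANA IKE group numbers.
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
             "modp3072": 15, "modp4096": 16}
REMOVED_DH_GROUPS = {1, 2}   # no longer offered by a current Fedora libreswan
WEAK_DH_GROUPS = {5}         # still accepted, but below current guidance

def parse_conn(text):
    """Return (name, {key: value}) for the first conn stanza in text."""
    name, opts = None, {}
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"^\s+([\w-]+)=(.*)$", line)
        if m and name:
            opts[m.group(1)] = m.group(2).strip()
    return name, opts

def ike_dh_group(ike):
    """DH group number from an ike= proposal such as 'aes256-sha1;modp1536', else None."""
    for prop in ike.split(","):
        if ";" in prop:
            return DH_GROUPS.get(prop.split(";", 1)[1].strip())
    return None

def audit(opts):
    """Return a list of findings for the stanza; an empty list means nothing flagged."""
    findings = []
    if opts.get("left") == "%defaultroute":
        findings.append("left=%defaultroute may resolve to 0.0.0.0; set the LAN address explicitly")
    if opts.get("aggrmode") == "yes" and opts.get("authby") == "secret":
        findings.append("IKEv1 aggressive mode with a PSK exposes a hash of the PSK to a passive observer")
    grp = ike_dh_group(opts.get("ike", ""))
    if grp in REMOVED_DH_GROUPS:
        findings.append(f"ike DH group {grp} is removed on this platform; negotiation cannot succeed")
    elif grp in WEAK_DH_GROUPS:
        findings.append(f"ike DH group {grp} is below current guidance; prefer modp2048 or better")
    if opts.get("rightsubnet") == "0.0.0.0/0":
        findings.append("rightsubnet=0.0.0.0/0 routes all traffic into the tunnel; narrow it if split tunnelling is intended")
    return findings
```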