I want to connect to a WatchGuard remote access VPN server. I got the following Shrew Soft configuration file for that:
n:version:2
s:network-host:SERVER_IP
n:network-ike-port:500
s:client-auto-mode:pull
s:client-iface:virtual
n:client-addr-auto:1
n:network-mtu-size:1380
s:network-natt-mode:enable
n:network-natt-port:4500
n:network-natt-rate:20
s:network-frag-mode:disable
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:0
n:client-wins-used:1
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
s:auth-method:mutual-psk-xauth
b:auth-mutual-psk:SECRET
s:ident-client-type:ufqdn
s:ident-client-data:USERID
s:ident-server-type:any
s:phase1-exchange:aggressive
s:phase1-cipher:aes
n:phase1-keylen:256
s:phase1-hash:sha2-256
n:phase1-dhgroup:14
n:phase1-life-secs:86400
n:vendor-chkpt-enable:0
s:phase2-transform:esp-aes
n:phase2-keylen:256
s:phase2-hmac:sha2-256
n:phase2-pfsgroup:14
n:phase2-life-secs:28800
n:phase2-life-kbytes:0
s:ipcomp-transform:disabled
s:policy-level:unique
n:policy-nailed:0
n:policy-list-auto:0
s:policy-list-include:192.168.170.89 / 255.255.255.255
This works fine on Windows, but on Linux without a GUI there is a known bug that traffic to the VPN doesn't get routed.
So I tried using Libreswan to connect; here is my config for that:
conn VPN
    authby=secret
    keyexchange=ike
    ikev2=no
    auto=add
    aggressive=yes
    fragmentation=no
    ike=aes256-sha2;modp2048
    phase2=esp
    phase2alg=aes256-sha2;modp2048
    right=SERVER_IP
    left=%defaultroute
    leftid=@USERNAME
    rightid=%any
    rightnexthop=%defaultroute
    rightsubnet=192.168.170.89/32
    leftmodecfgclient=yes
    modecfgpull=yes
    nat-keepalive=yes
    leftxauthclient=yes
    leftxauthusername=XAUTH_USER
    rightxauthserver=yes
But I get the following error in phase 1:
002 "VPN" #1: initiating IKEv1 Aggressive Mode connection
110 "VPN" #1: sent Aggressive Mode request
002 "VPN" #1: Peer ID is ID_IPV4_ADDR: 'NOT_SERVER_IP'
003 "VPN" #1: Peer ID 'NOT_SERVER_IP' mismatched on first found connection and no better connection found
003 "VPN" #1: initial Aggressive Mode packet claiming to be from SERVER_IP on SERVER_IP:500 but no connection has been authorized
218 "VPN" #1: sending notification INVALID_ID_INFORMATION to SERVER_IP:500
SERVER_IP refers to the VPN gateway IP, and NOT_SERVER_IP refers to some "random" IPv4 address.
As I said, this happens only with Libreswan and not with Shrew Soft. Is there any common configuration missing? I even captured the initial ISAKMP request from Shrew Soft and Libreswan.
I'd really appreciate any help on this topic.
I tried setting the rightip to the IP provided in the Libreswan response, but then I get
received Hash Payload does not match computed value
223 "VPN" #1: sending notification INVALID_HASH_INFORMATION to SERVER_IP:500
This should be a result of using the wrong ID in the request.
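As an added example (not from the question, nor from Shrew Soft or Libreswan), this Python script maps the Shrew Soft profile fields above onto the equivalent Libreswan conn parameters, including how Libreswan spells the two ID types that the profile's ident-client-type can name. The user@domain identity and the DH group and hash tables are assumptions made for the sample; the constructed profile keeps the question's placeholders otherwise.

```python
"""Translate a Shrew Soft .vpn profile into Libreswan conn settings (added example)."""
import ipaddress

# Constructed sample: the question's profile keys and placeholders; the ufqdn identity is given a user@domain form (see below).
SHREW_PROFILE = """\
s:network-host:SERVER_IP
b:auth-mutual-psk:SECRET
s:ident-client-type:ufqdn
s:ident-client-data:USERID@example.com
s:ident-server-type:any
s:phase1-exchange:aggressive
s:phase1-cipher:aes
n:phase1-keylen:256
s:phase1-hash:sha2-256
n:phase1-dhgroup:14
s:phase2-transform:esp-aes
n:phase2-keylen:256
s:phase2-hmac:sha2-256
n:phase2-pfsgroup:14
s:policy-list-include:192.168.170.89 / 255.255.255.255
"""
DH = {2: "modp1024", 5: "modp1536", 14: "modp2048"}  # Shrew Soft DH group number -> Libreswan name (assumed subset)
HASH = {"sha1": "sha1", "sha2-256": "sha2_256", "sha2-512": "sha2_512"}  # Shrew Soft hash name -> Libreswan name

def parse_shrew(text):
    """Each profile line is type:key:value; 'n' values are integers, 's' and 'b' values stay strings."""
    conf = {}
    for line in text.splitlines():
        kind, key, value = line.split(":", 2)
        conf[key] = int(value) if kind == "n" else value
    return conf

def shrew_to_libreswan(text):
    c = parse_shrew(text)
    # Libreswan reads '@host' as ID_FQDN and 'user@host' as ID_USER_FQDN, so a ufqdn identity
    # must keep the user@domain form; a bare name or a leading '@' would send a different ID type.
    ident = c["ident-client-data"]
    if c["ident-client-type"] == "fqdn":
        ident = "@" + ident
    elif c["ident-client-type"] == "ufqdn" and "@" not in ident:
        raise ValueError("ufqdn identity needs the user@domain form")
    addr, mask = (p.strip() for p in c["policy-list-include"].split("/"))
    return {
        "right": c["network-host"],
        "rightid": "%any" if c["ident-server-type"] == "any" else c.get("ident-server-data"),
        "leftid": ident,
        "aggressive": "yes" if c["phase1-exchange"] == "aggressive" else "no",
        "ike": f"{c['phase1-cipher']}{c['phase1-keylen']}-{HASH[c['phase1-hash']]};{DH[c['phase1-dhgroup']]}",
        "phase2alg": f"{c['phase2-transform'].removeprefix('esp-')}{c['phase2-keylen']}-{HASH[c['phase2-hmac']]};{DH[c['phase2-pfsgroup']]}",
        "rightsubnet": str(ipaddress.ip_network(f"{addr}/{mask}", strict=False)),  # dotted netmask -> prefix length
    }  # the PSK (b:auth-mutual-psk) belongs in ipsec.secrets, not in the conn section
```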