
I am using libreswan on raspberry Pi OS 12 to connect to PFsense with /etc/ipsec.conf from an external network

config setup

conn %default
        #keyexchange=ikev1


conn peer-ipsec.xxx.de-tunnel-1
        left=%any
        leftid="xx.zapto.org"
        right=ipsec.xx.de
        rightid="%any"
        leftsubnet=10.130.117.0/24
        rightsubnet=10.128.0.0/16
        ike=aes128-sha256-modp2048
        #,aes128-sha256-modp2048!
        #keyexchange=ikev2
        reauth=no
        ikelifetime=28800s
        esp=aes128-sha256-modp2048
        #,aes128-sha256-modp2048!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=route
        keyingtries=%forever

(The commented-out parts are not accepted by libreswan.) After loading secrets from /etc/ipsec.secrets (%any %any : PSK "...") I got:

interface endpoint [::1]:4500 does not match left(THIS) or right (THAT)
interface endpoint [::1]:500 does not match left(THIS) or right (THAT) 
interface endpoint [127.0.0.1]:4500 does not match left(THIS) or right (THAT) 
interface endpoint [127.0.0.1]:500 does not match left(THIS) or right (THAT) 
interface endpoint [192.168.2.117]:4500 does not match left(THIS) or right (THAT) 
interface endpoint [192.168.2.117]:500 does not match left(THIS) or right (THAT) 

ip a -> 192.168.2.117

The same configuration with the commented-out parts is working on an EdgeRouter ER-X (Ubiquiti).

On pfsense:
Key Exchange version: IKEv2
Internet Protocol: IPv4
Remote Gateway: xx.zapto.org
Authentication Method: Mutual PSK
My Identifier: My IP address
Peer identifier: Fully qualified domain name xx.zapto.org
Encryption Algorithm: AES 128 bit SHA256 DH Group 14 (I will improve this later)

Phase 2:
local network: Network 10.128.0.0/0
NAT: None
Remote Network: Network 10.130.117.0/24
Protocol: ESP
Encryption Algorithm: AES 128, AES12-GCM 128 SHA256 PFS key group 14
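Added example, not part of the question and not libreswan's own code: a small Python model of how pluto "orients" a conn against the host's interface addresses, run over the posted config. The interface list, the default-route address, the offline DNS stand-in for ipsec.xx.de and the simplified orientation rules are all assumptions of the example. What it shows is the mechanism behind the log lines above: left=%any never names a local address and right= is a remote host, so every interface endpoint is reported as matching neither side, whereas left=%defaultroute orients the conn to the local side.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: the question's ipsec.conf reduced to the keys that matter
# for orientation, with authby moved into %default to show default merging.
SAMPLE_CONF = """\
config setup

conn %default
        #keyexchange=ikev1
        authby=secret

conn peer-ipsec.xxx.de-tunnel-1
        left=%any
        leftid="xx.zapto.org"
        right=ipsec.xx.de
        rightid="%any"
        auto=route
"""
# Constructed: the Pi's addresses as pluto lists them (ip a showed 192.168.2.117),
# the default-route address, and an offline DNS stand-in (TEST-NET-3 address).
LOCAL_ADDRS = ["::1", "127.0.0.1", "192.168.2.117"]
DEFAULT_ROUTE_ADDR = "192.168.2.117"
FAKE_DNS = {"ipsec.xx.de": "203.0.113.10"}


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Sections start in column 0 ('config setup', 'conn NAME'), key=value lines
    are indented, '#' starts a comment; 'conn %default' is merged into each conn."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue                                  # blank or comment-only
        if not raw[0].isspace():                      # section header
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else None
            if current is not None:
                sections.setdefault(current, {})
            continue
        if current is None:                           # key under 'config setup'
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            sections[current][key.strip()] = value.strip().strip('"')
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **kv} for name, kv in sections.items()}


def resolve_endpoint(value: str, default_route_addr: str,
                     dns: Dict[str, str]) -> Optional[str]:
    """Simplified model (assumption) of how pluto turns left=/right= into an
    address: %any is a placeholder and never local, %defaultroute is the
    default-route interface, literal IPs stand, hostnames are resolved."""
    if value == "%any":
        return None
    if value == "%defaultroute":
        return default_route_addr
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return dns.get(value)


def orient(conn: Dict[str, str], local_addrs: List[str], default_route_addr: str,
           dns: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """A conn is oriented when exactly one of left/right is an address of this
    host. Returns (that side or None, diagnostics in pluto's wording)."""
    local = set(local_addrs)
    is_local = {side: resolve_endpoint(conn.get(side, "%any"), default_route_addr, dns) in local
                for side in ("left", "right")}
    if is_local["left"] and is_local["right"]:
        return None, ["both ends are addresses of this host; conn cannot be oriented"]
    if is_local["left"] or is_local["right"]:
        return ("left" if is_local["left"] else "right"), []
    return None, [f"interface endpoint [{a}]:{p} does not match left(THIS) or right (THAT)"
                  for a in local_addrs for p in (4500, 500)]


def diagnose(conf_text: str, local_addrs: List[str] = LOCAL_ADDRS,
             default_route_addr: str = DEFAULT_ROUTE_ADDR,
             dns: Dict[str, str] = FAKE_DNS) -> Dict[str, dict]:
    """Orient every conn and attach a hint for the left=%any mistake."""
    report = {}
    for name, conn in parse_ipsec_conf(conf_text).items():
        side, msgs = orient(conn, local_addrs, default_route_addr, dns)
        hint = ""
        if side is None and conn.get("left") == "%any":
            hint = ("left=%any is filled in during negotiation and never matches an "
                    "interface; a client with a dynamic address uses left=%defaultroute")
        report[name] = {"oriented": side, "messages": msgs, "hint": hint}
    return report


if __name__ == "__main__":
    for name, r in diagnose(SAMPLE_CONF).items():
        print(f"conn {name}: oriented={r['oriented']}")
        print("\n".join("  " + m for m in r["messages"] + ([r["hint"]] if r["hint"] else [])))
```

Running the file prints one "does not match" line per interface endpoint for the config as posted, and diagnose() on the same text with left=%defaultroute reports the conn as oriented to the left side. The model deliberately covers only the address match; pluto also checks ports and the interface list it actually bound, which this example does not reproduce.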

  • Are you 100% sure that this config (i.e. the left=%any) is what LibreSwan is seeing? (i.e. are you editing this on the correct machine, are you looking at logs on the correct machine, is your LibreSwan build compiled to use /etc and not /usr/local/etc)? You tagged this with [strongswan] – are you following strongSwan manuals or LibreSwan manuals? They have diverged a lot and might not necessarily have the same config semantics (e.g. strongSwan no longer uses ipsec.conf at all). For that matter, have you considered using strongSwan? Commented Dec 5, 2023 at 14:39
  • sudo /usr/libexec/ipsec/pluto --version -> Libreswan 4.10; sudo /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork --debug-all. I am working directly on the machine so that I do not need a second network interface. I am following libreswan manuals. I also tried strongswan before - maybe I should try again?
    – LeifSec
    Commented Dec 5, 2023 at 14:53
  • strongswan uses /etc/ipsec.conf. sudo ipsec start --nofork --debug-more gives:
    Loading conn 'p'
    00[DMN] Starting IKE charon daemon (strongSwan 5.9.8, Linux 6.1.0-rpi6-rpi-v7, armv7l)
    00[CFG] PKCS11 module '<name>' lacks library path
    00[PTS] TPM 2.0 - could not load
    00[NET] using forecast interface eth0
    00[CFG] loaded ca certificate "C=CH, O=ProtonVPN AG"
    loading secrets from '/etc/ipsec.secrets'
    loaded IKE secret for %any %any
    HA config misses local/remote address
    received stroke: add connection 'p'
    added configuration 'p'
    received stroke: route 'p'
    'p' routed
    – LeifSec
    Commented Dec 5, 2023 at 16:53
  • I have made a new question about using StrongSwan.
    – LeifSec
    Commented Dec 7, 2023 at 8:31
  • Using StrongSwan it works. (auto = start)
    – LeifSec
    Commented Dec 7, 2023 at 12:18
