Paul:$1$YiVSo114$um2oIM6AqucFuMeXl/1ab0:xauth-psk An example of an /etc/ipsec.d/passwd file for the above example connection (using xauthby=file) would be: Additional third column specifying the connection name. The differences to htpasswd format is pluto uses standard crypt hashing which is same as /etc/shadow format so sha2_512 can be used. The format of this file is similar to the Apache htpasswd file, but the htpasswd command can not be used to create the file. If there are only a handful of users that need to be authenticated, xauthby=file can be used. This should not be used when using a PSK. In that case, xauthby=alwaysok can be used. If using X.509 certificates, which are issued to individual devices/users and which can be revoked, there is no real need to have an additional username/password layer. This is specified using the xauthby= option. Libreswan has three options for the user/password authentication. User/password authentication for XAUTH on the server If you want to use Main Mode your only choice is to delete the VPN profile and start one from scratch where you never touch the "Group Name" input box. IOS UserInterface bug: If you ever fill in the "Group Name" and then clear it - the connection remains using Aggressive Mode. When connecting to a Cisco with libreswan as a client, you will need to use and aggrmode=yes.
These values are best left unset when using libreswan as a server, so that Main Mode is used. With NetworkManager you can specify "String" or "". Unfortunately, iOS/OSX sends these as hex, which can be matched using but then it no longer works for Android. On the serverside, the Group Name is the value of the (the remote end, not the server end). When these are not blank, Aggressive Mode is used. When these fields are blank, Main Mode (preferred) is used. On iOS/OSX and NetworkManager this fiels is called "Group Name". On Android, this option is called "IPSec identifier". The difference between using the regular Main Mode or Aggressive Mode for the client is usually determined by whether or not the "Group Name" is set. This will automatically reconfigure your DNS if required, and configure the given IP address on your system. You can bring the connection up using the comnmand: ipsec auto -up xauth-psk When using PSK instead of RSA/certificates, you require the "GroupPSK" which is the XAUTH secret, and also need to use instead of using the ID of your certificate. REMOTESERVERNAME %any : PSK XAUTH "YourPassword"
You can also store your XAUTH password in /etc/crets if you do not use NetworkManager and if you're not using a one time token: # need to store the Group PSK into a secrets file (/etc/crets or your own /etc/ipsec.d/cret).
# Might also need _exact_ ike= and esp= lines # Commonly needed to talk to Cisco server There are some small differences with the above server configuration Iptables -t nat -A POSTROUTING -s 10.231.246.0/23 -o $INTERNET_INTERFACE -m policy -dir out -pol none -j MASQUERADE # Note: you should replace $INTERNET_INTERFACE with your internet facing interface. Assuming that your office servers behind this VPN server uses 10.231.246.0/24, you would add the following iptables rules
In this example, the IP pool is 10.231.247.0/24 so on the VPN server you would need to provide some NAT rules if you wish to offer full internet connectivity through the VPN. # If this is the only IP and only PSK based configuration, you can configure without hardcoding the IP:
# The first IP is the real IP address of the serverġ11.222.111.222 %any : PSK "ExampleSecret" The PSK needs to be stored in /etc/crets (or a separate file such as /etc/ipsec.d/crets) # xauthby=alwaysok MUST NOT be used with PSK # versions up to 3.22 used modecfgdns1 and modecfgdns2 # PSK clients can have the same ID if they send it based on IP address. # exclude networks used on server side by adding %v4:!a.b.c.0/24
This configuration example uses Main Mode and not Aggressive Mode, as it is more portable and you can use a single conn on the server for Android, iOS/OSX and Linux clients. The password can also contain a one time password (OTP) such as Google Authenticator XAUTH also requires a username and password. It is based on draft-ietf-ipsec-isakmp-xauth-06.
Microsoft Windows using a third party client such as the Cisco client, or the free Shrew Soft client.Linux with NetworkManager or commandline.4.2 User/password authentication for XAUTH on the server.