There is an organization for which I have to set up an IPsec tunnel.
This organization has an internal firewall.
And I have a VM that is located outside the organization on the Internet.
I have installed AlmaLinux 9 on the VM.
I have chosen "Libreswan" as my IPsec solution. The simplest one. Not "strongSwan", because that one is supposedly more complicated and not as well integrated into RHEL as "Libreswan".
I want my VM to dock to the firewall.
And we want to build a tunnel between inside and outside via IPsec.
I am personally supposed to arrange the VM that provides the entrance to the tunnel.
On the other side, that is, in the organization, the tunnel has already been built.
The person who manages the internal firewall and built the tunnel for inside has given me the following access data:
IKEv2 with Encryption AES256, Authentication SHA256 and Diffie Hellman Group 14.
IPSec with the same parameters.
With IKE, the organization has a lifetime of 28800 seconds, with IPSec one of 3600 seconds.
The organization uses a PreShared key that looks like this:
......../.......................
I have replaced the actual characters by dots.
One more detail: The VM outside and the firewall inside both only use IP addresses for IPsec, not host names or domain names.
The IP address of the VM is "a.a.a.a".
The IP address of the firewall is "b.b.b.b".
The subnet within the organization is "c.c.c.0/24".
My Libreswan config within the VM looks like this...
/etc/ipsec.d/your-vpn.conf:

conn your-vpn
    authby=secret
    auto=start
    ikev2=insist
    keyexchange=ike
    ike=aes256-sha256;modp2048
    phase2alg=aes256-sha256
    salifetime=3600s
    ikelifetime=28800s
    pfs=yes
    left=a.a.a.a
    leftid=@a.a.a.a
    leftsubnet=0.0.0.0/0
    right=b.b.b.b
    rightid=@b.b.b.b
    rightsubnet=c.c.c.0/24
This configuration does not work.
There are various errors. And I first have to sort out which of the errors is the most important.
In the "ipsec.conf", I had set a "plutodebug=all" entry, which actually gives me more detailed debug info.
And the error that I have identified as probably the most important is this one:
"your-vpn" #1: dropping unexpected IKE_SA_INIT message containing NO_PROPOSAL_CHOSEN notification; message payloads: N; missing payloads: SA,KE,Ni
I think the most important question I could ask here would be this:
If someone who already has experience with "Libreswan" had to set up such a tunnel, what configuration would they start with?
Is the configuration I have shown above a good idea? Or is there something about it that is already OBVIOUSLY wrong?
What about the IKE line?
Does it matter if I enter "ike=aes256-sha256;modp2048" or "ike=aes256-sha256;dh14"? Could that even make a difference?
I would be very happy to receive answers to my questions.
With best regards, user1143436
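As an added example (not from the original post and not Libreswan's own code), here is a small checker that parses Libreswan proposal strings of the form "enc-integ;dh" as used in the ike= and phase2alg= lines, normalises the alias names (dh14 and modp2048 are the same group), and compares them with the parameters the peer administrator stated, so a mismatch that would make the peer answer IKE_SA_INIT with NO_PROPOSAL_CHOSEN can be spotted offline; it also classifies leftid/rightid values, since a leading "@" makes the ID an FQDN-type ID rather than an IP-address ID. The alias table is an assumption that covers only the names used on this page.

```python
import ipaddress

# Libreswan accepts several names for the same algorithm or DH group.
# Assumption: this table only covers the names that appear on this page.
ALIASES = {
    "dh14": "modp2048",
    "sha2_256": "sha256",
    "sha2": "sha256",
}


def norm(name):
    """Map an algorithm/group alias to one canonical lower-case name."""
    name = name.strip().lower()
    return ALIASES.get(name, name)


def parse_proposal(spec):
    """Parse 'enc-integ;dh[,enc-integ;dh...]' into a list of dicts.

    The DH part after ';' is optional in phase2alg= when pfs=no.
    """
    proposals = []
    for prop in spec.split(","):
        algs, _, dh = prop.partition(";")
        parts = algs.split("-")
        proposals.append({
            "enc": norm(parts[0]),
            "integ": norm(parts[1]) if len(parts) > 1 else None,
            "dh": norm(dh) if dh else None,
        })
    return proposals


def matches(spec, enc, integ, dh):
    """True if at least one proposal in spec offers exactly enc/integ/dh."""
    want = {"enc": norm(enc), "integ": norm(integ), "dh": norm(dh)}
    return any(p == want for p in parse_proposal(spec))


def id_kind(value):
    """Classify a leftid/rightid value the way Libreswan reads it."""
    if value.startswith("@"):
        return "fqdn"          # '@name' is an FQDN-type ID, even if it looks like an IP
    if value.startswith("%"):
        return "special"       # e.g. %any, %defaultroute
    try:
        return "ipv%d" % ipaddress.ip_address(value).version
    except ValueError:
        return "other"
```

Constructed check against the parameters from the post: `matches("aes256-sha256;modp2048", "aes256", "sha256", "dh14")` is True, and `id_kind("@a.a.a.a")` reports "fqdn", not an IP ID.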