[Swan-dev] Is it possible to have multiple roaming user to connect with one IPSec server using certificate in ikev2 mode for libreswan

Paul Wouters paul at nohats.ca
Thu May 1 07:00:25 EEST 2014


On Wed, 30 Apr 2014, jeffchen wrote:

> I am trying to use certificate to connect multiple roaming user with one 
> IPSec server (each side is running libreswan 3.8).
> It failed when I use ikev2 mode. If I use ikev1 mode (by removing the line 
> ikev2=insist), it works fine.
>
> Below is my configuration. Is there anything wrong in the configuration to 
> make it work in ikev2 mode? Thanks.

That should be possible yes.

> conn R2-R9
>        authby=rsasig
>        auto=add
>        phase2=esp
>        ikev2=insist
>        left=192.168.22.2
>        leftcert=R4
>        leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, E=R4 at example.com"
>        leftnexthop=%defaultroute
>        leftsubnet=192.168.21.0/24
>        pfs=no
>        right=%any
>        rightid=%fromcert
>        rightupdown="ipsec _updown --route yes"
>        type=tunnel

perhaps add leftsendcert=always

> conn R2-R9
>        connaddrfamily=ipv4
>        authby=rsasig
>        auto=start
>        phase2=esp
>        ikev2=insist
>        left=192.168.22.2
>        leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, E=R4 at example.com"
>        leftsubnet=192.168.21.0/24
>        pfs=no
>        right=192.168.34.9
>        rightcert=R9
>        rightid="C=CA, ST=Ontario, O=RuggedCom, CN=R9, E=R9 at example.com"
>        rightnexthop=%defaultroute
>        rightupdown="ipsec _updown --route yes"
>        type=tunnel
>
> The tunnel is established successfully in ikev1 mode but fails in ikev2 
> mode. It gives the following error message in ikev2 mode:

> Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: no RSA public key known for '%fromcert'

That might be a bug in the IKEv2 code. Can you try adding
rightsendcert=always here and let me know if that makes a difference?

I'll do some testing regarding this issue and try to reproduce it.

Paul
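The following is an added example, not code from the thread or from the libreswan project. It turns the suggestion in the reply above (add leftsendcert=always or rightsendcert=always to an IKEv2 conn that authenticates with certificates) into a review check that can be run over an ipsec.conf before deploying it: it parses the conn sections and flags every IKEv2 rsasig conn where the side that loads a certificate (leftcert or rightcert) does not also set the matching sendcert=always. The sample configuration is the pair of conn blocks quoted in the thread with the mail quoting removed; the parser, the set of ikev2= values treated as "IKEv2 in use", and the finding format are this example's own assumptions. It only reports the missing setting; whether that setting resolves the "no RSA public key known for '%fromcert'" error is what the thread is still testing.

```python
import re

# Constructed sample: the two conn blocks quoted in the thread (one per host),
# with the mailing-list '>' quoting removed.  Both hosts call the conn R2-R9.
SAMPLE_CONF = """\
conn R2-R9
        authby=rsasig
        auto=add
        phase2=esp
        ikev2=insist
        left=192.168.22.2
        leftcert=R4
        leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, E=R4 at example.com"
        leftnexthop=%defaultroute
        leftsubnet=192.168.21.0/24
        pfs=no
        right=%any
        rightid=%fromcert
        rightupdown="ipsec _updown --route yes"
        type=tunnel

conn R2-R9
        connaddrfamily=ipv4
        authby=rsasig
        auto=start
        phase2=esp
        ikev2=insist
        left=192.168.22.2
        leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, E=R4 at example.com"
        leftsubnet=192.168.21.0/24
        pfs=no
        right=192.168.34.9
        rightcert=R9
        rightid="C=CA, ST=Ontario, O=RuggedCom, CN=R9, E=R9 at example.com"
        rightnexthop=%defaultroute
        rightupdown="ipsec _updown --route yes"
        type=tunnel
"""

# Assumption of this example: these ikev2= values mean the conn will use IKEv2.
IKEV2_VALUES = {"insist", "yes", "propose"}


def parse_conns(text):
    """Return a list of (name, {key: value}) for every 'conn' section.

    A list rather than a dict, because the same conn name can appear more than
    once (here: once per host).  Top-level sections other than 'conn', such as
    'config setup', are skipped.  Surrounding double quotes are stripped from
    values; the '=' signs inside a quoted DN are kept.
    """
    conns = []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", raw)
        if m:
            current = {}
            conns.append((m.group(1), current))
            continue
        if not raw[0].isspace():  # some other top-level section header
            current = None
            continue
        if current is None:
            continue
        key, sep, value = raw.strip().partition("=")
        if sep:
            current[key.strip()] = value.strip().strip('"')
    return conns


def check_sendcert(conns):
    """Flag IKEv2 rsasig conns whose certificate-holding side lacks
    <side>sendcert=always.

    Returns a list of (conn_name, side, suggested_line).  This is a review
    hint in the spirit of the reply above, not a verified fix.
    """
    findings = []
    for name, kv in conns:
        if kv.get("ikev2", "").lower() not in IKEV2_VALUES:
            continue
        if kv.get("authby", "").lower() != "rsasig":
            continue
        for side in ("left", "right"):
            has_cert = side + "cert" in kv
            sends_always = kv.get(side + "sendcert", "").lower() == "always"
            if has_cert and not sends_always:
                findings.append((name, side, f"{side}sendcert=always"))
    return findings


if __name__ == "__main__":
    for name, side, line in check_sendcert(parse_conns(SAMPLE_CONF)):
        print(f"conn {name}: {side} side loads {side}cert but does not set {line}; consider adding it")
```

Run against the thread's two conn blocks it reports leftsendcert=always for the responder's conn (leftcert=R4) and rightsendcert=always for the initiator's conn (rightcert=R9), which is exactly the pair of changes the reply asks the poster to try.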

