[Swan] Swan Digest, Vol 3, Issue 34

Pavel Kopchyk pkopchyk at gmail.com
Mon Mar 25 16:38:02 EET 2013


My test case is: Linux, Windows and Mac OS clients use certificates;
mobile clients (Android and iOS) use a PSK.

If I am connected from a Linux or Windows system using a certificate,
then I can't connect with a PSK from Android or iOS.


Is it possible to implement this configuration?


version 2.0
config setup
	interfaces="%defaultroute"
	nat_traversal=yes
	protostack=mast
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.11.30.0/24
	klipsdebug=none
	plutodebug=none
	strictcrlpolicy=no
	uniqueids=yes
	nhelpers=0
	oe=no

conn %default
	sareftrack=yes
	overlapip=yes
	ikelifetime=8h
	keylife=1h
	keyingtries=3
	rekey=no
	pfs=no
	compress=no
	keyexchange=ike
	dpddelay=10
	dpdtimeout=90
	dpdaction=clear

# Certificate-authenticated L2TP clients (Linux, Windows, Mac OS)
conn L2TP-CERT
	type=transport
	authby=rsasig
	auth=esp
	left=12.X.X.X
	leftrsasigkey=%cert
	leftid=@vpn.test.com
	leftcert="vpn.test.com"
	leftprotoport=17/1701
	right=%any
	rightrsasigkey=%cert
	rightca=%same
	rightprotoport=17/%any
	rightsubnet=vhost:%priv,%no
	auto=add

# PSK-authenticated L2TP clients (Android, iOS); same left/right and
# traffic selectors as L2TP-CERT, differing only in authby
conn L2TP-PSK
	type=transport
	authby=secret
	left=12.X.X.X
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any
	rightsubnet=vhost:%priv,%no
	auto=add


Pavel

2013/3/25 Paul Wouters <pwouters at redhat.com>:
> On Mon, 25 Mar 2013, Pavel Kopchyk wrote:
>
> If you change leftid/rightid to be different it will probably work.
>
> Other than testing/benchmarking, is there any valid reason for two
> endpoints to be configured as either RSA or PSK?
>
> Paul
