[Swan] Selecting incorrect conn ID for incoming IKEv2 connection

Ian Dobson ird at oob.id.au
Tue Jun 11 10:39:01 UTC 2019


I'm experiencing an issue setting up a VPN gateway server box
(cgw.oob.id.au) which accepts IKEv2 connections for both (a) roadwarriors
and (b) a tunnel to a specific server (vpn.oob.id.au) acting as a general
router device.

On the VPN gateway box there are two connections defined, for roadwarriors
and the router box, as follows:

conn rw
        type=tunnel
        ikev2=insist
        authby=rsasig
        narrowing=yes
        pfs=no
        fragmentation=yes
        mobike=yes
        rekey=no

        dpddelay=30
        dpdtimeout=90
        dpdaction=clear

        left=cgw.oob.id.au
        leftrsasigkey=%cert
        leftcert=cgw
        leftsendcert=always
        leftid=%fromcert
        leftsubnet=172.21.0.0/21
        leftsourceip=172.21.5.1

        right=%any
        rightrsasigkey=%cert
        rightid=%fromcert
        rightca=%same
        rightaddresspool=172.21.5.16-172.21.5.254

        auto=add


conn vpn
        type=tunnel
        ikev2=insist
        pfs=yes
        fragmentation=yes
        mobike=no

        left=vpn.oob.id.au
        leftrsasigkey=%cert
        leftid=@vpn.oob.id.au
        leftca=%same
        leftsubnet=172.21.0.0/23
        leftsourceip=172.21.1.1

        right=cgw.oob.id.au
        rightrsasigkey=%cert
        rightcert=cgw
        rightid=%fromcert
        rightsubnet=172.21.5.0/24
        rightsourceip=172.21.5.1

        auto=add


The problem I am experiencing is that when the server box connects,
libreswan first selects the vpn connection then switches to rw (and
subsequently fails as expected). Log:

  pluto[9526]: "vpn" #1: STATE_PARENT_R1: received v2I1, sent v2R1
{auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_512 group=MODP2048}

  pluto[9526]: "vpn" #1: certificate verified OK:
  CN=vpn.oob.id.au,O=OOB,L=Surrey Hills,ST=Victoria,C=AU

  pluto[9526]: "vpn" #1: switched from "oob_linode" to "rw"

  pluto[9526]: "rw"[1] 144.132.43.20 #1: certificate verified OK:
  CN=vpn.oob.id.au,O=OOB,L=Surrey Hills,ST=Victoria,C=AU

  pluto[9526]: "rw"[1] 144.132.43.20 #1: IKEv2 mode peer ID is
  ID_DER_ASN1_DN: 'C=AU, ST=Victoria, L=Surrey Hills, O=OOB,
  CN=vpn.oob.id.au'

  pluto[9526]: "rw"[1] 144.132.43.20 #1: Authenticated using RSA




I have found a work-around: by modifying the 'conn vpn' section:

  replace
        leftid=@vpn.oob.id.au
  with
        leftid="C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au"

everything seems to work.


But I don't understand why this is necessary, as the vpn.oob.id.au
certificate has CN "vpn.oob.id.au" and X509v3 SAN "DNS:vpn.oob.id.au".
None of the documentation & examples I have seen references a need to
quote the full Subject in the leftid.

Running libreswan 3.2.5 (release 4.1.e17_6 EPEL package on CentOS 7)

Thanks
Ian
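A simplified model of the ID matching the log above shows, added here as an illustration and not part of the original post nor libreswan's own code: an `@name` id is an FQDN-type ID, a DN-shaped id is an ASN.1 DN, and `%fromcert` accepts whatever subject the verified certificate carries, so a peer sending `ID_DER_ASN1_DN` can only ever match a conn whose configured remote id is also a DN. The DN comparison is deliberately order-insensitive to absorb the two printing orders seen in the pluto log; that, and the first-match conn selection, are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass
class PeerID:
    """ID the peer sent in its IKEv2 IDi payload (type, printable value)."""
    kind: str    # "ID_FQDN", "ID_DER_ASN1_DN" or "ID_IPV4_ADDR"
    value: str

def parse_dn(text):
    """Turn 'C=AU, ST=Victoria, ...' into a canonical key.
    Sorting the RDNs (order-insensitive) is a simplification for this example."""
    rdns = []
    for part in text.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(sorted(rdns))

def parse_configured_id(text):
    """Map an ipsec.conf leftid/rightid value to an (ID type, value) pair."""
    if text == "%fromcert":
        return ("%fromcert", None)
    if text.startswith("@"):
        return ("ID_FQDN", text[1:].lower())
    if "=" in text:
        return ("ID_DER_ASN1_DN", parse_dn(text.strip('"')))
    return ("ID_IPV4_ADDR", text)

def id_matches(configured, peer, cert_subject):
    """Does a conn's configured remote id accept this peer ID plus verified cert?"""
    kind, value = parse_configured_id(configured)
    if kind == "%fromcert":
        # accept any peer whose ID equals the subject of the cert it presented
        return peer.kind == "ID_DER_ASN1_DN" and parse_dn(peer.value) == parse_dn(cert_subject)
    if kind != peer.kind:
        # an FQDN-type id never equals a DN-type id, whatever the strings look like
        return False
    if kind == "ID_DER_ASN1_DN":
        return value == parse_dn(peer.value)
    return value == peer.value.lower()

def select_conn(conns, peer, cert_subject):
    """conns: list of (name, configured remote id); first match wins, else None."""
    for name, remote_id in conns:
        if id_matches(remote_id, peer, cert_subject):
            return name
    return None

# Constructed from the values in the post: the router's cert subject and the IDi it sent.
CERT_SUBJECT = "CN=vpn.oob.id.au,O=OOB,L=Surrey Hills,ST=Victoria,C=AU"
PEER = PeerID("ID_DER_ASN1_DN", "C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au")
# As posted, conn vpn carries an FQDN id, so only the %fromcert roadwarrior conn can match.
AS_POSTED = [("vpn", "@vpn.oob.id.au"), ("rw", "%fromcert")]
# With the work-around, conn vpn carries the full DN and is selected.
WORKAROUND = [("vpn", '"C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au"'), ("rw", "%fromcert")]
```

`select_conn(AS_POSTED, PEER, CERT_SUBJECT)` returns `"rw"` and `select_conn(WORKAROUND, PEER, CERT_SUBJECT)` returns `"vpn"`, reproducing the behaviour described in the post.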
