[Swan] Selecting incorrect conn ID for incoming IKEv2 connection
Ian Dobson
ird at oob.id.au
Tue Jun 11 10:39:01 UTC 2019
I'm experiencing an issue setting up a VPN gateway server box
(cgw.oob.id.au) which accepts IKEv2 connections for both (a) roadwarriors
and (b) a tunnel to a specific server (vpn.oob.id.au) acting as a general
router device.
On the VPN gateway box there are two connections defined, for roadwarriors
and the router box, as follows:
conn rw
type=tunnel
ikev2=insist
authby=rsasig
narrowing=yes
pfs=no
fragmentation=yes
mobike=yes
rekey=no
dpddelay=30
dpdtimeout=90
dpdaction=clear
left=cgw.oob.id.au
leftrsasigkey=%cert
leftcert=cgw
leftsendcert=always
leftid=%fromcert
leftsubnet=172.21.0.0/21
leftsourceip=172.21.5.1
right=%any
rightrsasigkey=%cert
rightid=%fromcert
rightca=%same
rightaddresspool=172.21.5.16-172.21.5.254
auto=add
conn vpn
type=tunnel
ikev2=insist
pfs=yes
fragmentation=yes
mobike=no
left=vpn.oob.id.au
leftrsasigkey=%cert
leftid=@vpn.oob.id.au
leftca=%same
leftsubnet=172.21.0.0/23
leftsourceip=172.21.1.1
right=cgw.oob.id.au
rightrsasigkey=%cert
rightcert=cgw
rightid=%fromcert
rightsubnet=172.21.5.0/24
rightsourceip=172.21.5.1
auto=add
The problem I am experiencing is that when the server box connects,
libreswan first selects the vpn connection then switches to rw (and
subsequently fails as expected). Log:
pluto[9526]: "vpn" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_512 group=MODP2048}
pluto[9526]: "vpn" #1: certificate verified OK: CN=vpn.oob.id.au,O=OOB,L=Surrey Hills,ST=Victoria,C=AU
pluto[9526]: "vpn" #1: switched from "oob_linode" to "rw"
pluto[9526]: "rw"[1] 144.132.43.20 #1: certificate verified OK: CN=vpn.oob.id.au,O=OOB,L=Surrey Hills,ST=Victoria,C=AU
pluto[9526]: "rw"[1] 144.132.43.20 #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au'
pluto[9526]: "rw"[1] 144.132.43.20 #1: Authenticated using RSA
I have found a work-around: by modifying the 'conn vpn' section:
replace
leftid=@vpn.oob.id.au
with
leftid="C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au"
everything seems to work.
But I don't understand why this is necessary, as the vpn.oob.id.au
certificate has CN "vpn.oob.id.au" and X509v3 SAN "DNS:vpn.oob.id.au".
None of the documentation & examples I have seen references a need to
quote the full Subject in the leftid.
Running libreswan 3.2.5 (release 4.1.el7_6 EPEL package on CentOS 7)
Thanks
Ian
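As an added illustration (not part of the post and not libreswan code), the following script shows how an operator can audit pluto log output for exactly the symptom described above: an IKE SA that authenticates a peer certificate on a different conn than the one intended for that peer. It parses the log lines quoted in the post (re-joined and embedded here as constructed sample input), tracks the conn name, any "switched from" events and the peer ID per IKE SA number, and then compares the conn the peer ended up on against an expected CN-to-conn mapping derived from the ipsec.conf in the post. The log-line regexes, the EXPECTED_CONN_FOR_CN mapping and the DEFAULT_CONN fallback are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the pluto lines quoted in the post, with wrapped lines re-joined.
SAMPLE_LOG = """\
pluto[9526]: "vpn" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_512 group=MODP2048}
pluto[9526]: "vpn" #1: certificate verified OK: CN=vpn.oob.id.au,O=OOB,L=Surrey Hills,ST=Victoria,C=AU
pluto[9526]: "vpn" #1: switched from "oob_linode" to "rw"
pluto[9526]: "rw"[1] 144.132.43.20 #1: certificate verified OK: CN=vpn.oob.id.au,O=OOB,L=Surrey Hills,ST=Victoria,C=AU
pluto[9526]: "rw"[1] 144.132.43.20 #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au'
pluto[9526]: "rw"[1] 144.132.43.20 #1: Authenticated using RSA
"""

# Assumed policy, derived from the ipsec.conf in the post: the site-to-site conn "vpn"
# is meant for the peer whose certificate CN is vpn.oob.id.au; any other authenticated
# peer is expected to land on the roadwarrior conn "rw".
EXPECTED_CONN_FOR_CN: Dict[str, str] = {"vpn.oob.id.au": "vpn"}
DEFAULT_CONN = "rw"

# Assumed line shape, built from the lines above: pluto[pid]: "conn"[inst] peer #N: message
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\] (?P<peer>\S+))? #(?P<state>\d+): (?P<msg>.*)'
)
SWITCH_RE = re.compile(r'switched from "(?P<old>[^"]+)" to "(?P<new>[^"]+)"')
PEERID_RE = re.compile(r"IKEv2 mode peer ID is (?P<type>\S+): '(?P<id>[^']*)'")


@dataclass
class IkeState:
    conns: List[str] = field(default_factory=list)          # conn names in the order seen
    switches: List[Tuple[str, str]] = field(default_factory=list)
    peer_id: Optional[str] = None                            # DN string from the peer ID line
    authenticated: bool = False


def parse_log(text: str) -> Dict[int, IkeState]:
    """Group pluto lines by IKE SA number and record conn, switch and peer-ID events."""
    states: Dict[int, IkeState] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        st = states.setdefault(int(m["state"]), IkeState())
        if not st.conns or st.conns[-1] != m["conn"]:
            st.conns.append(m["conn"])
        msg = m["msg"]
        sw = SWITCH_RE.search(msg)
        if sw:
            st.switches.append((sw["old"], sw["new"]))
        pid = PEERID_RE.search(msg)
        if pid:
            st.peer_id = pid["id"]
        if msg.startswith("Authenticated"):
            st.authenticated = True
    return states


def cn_from_dn(dn: str) -> Optional[str]:
    """Extract the CN attribute from a comma-separated DN in either attribute order."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def audit(states: Dict[int, IkeState]) -> List[str]:
    """Report every authenticated IKE SA whose final conn differs from the expected one."""
    findings = []
    for num, st in sorted(states.items()):
        if not st.authenticated or st.peer_id is None:
            continue
        cn = cn_from_dn(st.peer_id)
        expected = EXPECTED_CONN_FOR_CN.get(cn, DEFAULT_CONN)
        actual = st.conns[-1]
        if actual != expected:
            findings.append(
                f'#{num}: peer CN={cn} authenticated on conn "{actual}", '
                f'expected "{expected}"; switches={st.switches}'
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, the audit flags IKE SA #1: the peer with CN vpn.oob.id.au was authenticated on "rw" after a switch away from the site-to-site conn, which is the mismatch the post describes. The same check can be pointed at a live pluto log to confirm that a leftid change actually keeps the router peer on its intended conn, rather than relying on the tunnel merely coming up.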