[Swan] Selecting incorrect conn ID for incoming IKEv2 connection

Paul Wouters paul at nohats.ca
Tue Jun 11 18:26:55 UTC 2019


On Tue, 11 Jun 2019, Ian Dobson wrote:

> The problem I am experiencing is that when the server box connects,
> libreswan first selects the vpn connection then switches to rw (and
> subsequently fails as expected). Log:

That is odd. It should not switch unless the proposal coming in turns
out to no longer match properly during IKE_AUTH.

>  pluto[9526]: "vpn" #1: certificate verified OK:
>  CN=vpn.oob.id.au,O=OOB,L=Surrey Hills,ST=Victoria,C=AU
>
>  pluto[9526]: "vpn" #1: switched from "vpn" to "rw"

I'd be interested in seeing what is leading up to this with
plutodebug=all enabled.

> I have found a work-around: by modifying the 'conn vpn' section:
>
>  replace
>        leftid=@vpn.oob.id.au
>  with
>        leftid="C=AU, ST=Victoria, L=Surrey Hills, O=OOB,
> CN=vpn.oob.id.au"

By selecting a different ID, and the client sending an IDr that would
match that, it is easier to distinguish, so the workaround is good.
This is also how you would create a multi-tenant situation. But I'm
surprised you need it. Sure, both connections are using the same local
ID/cert, but one is using/expecting addresspool and CP requests, and the
other conn does not. So we should probably extend the connection
switching code to take more policies into account. But before that
triggers, it is a bug that it is switching when there is no need to
switch. So please send me the logs. I'll also try to reproduce this.

> But I don't understand why this is necessary, as the vpn.oob.id.au
> certificate has CN "vpn.oob.id.au" and X509v3 SAN "DNS:vpn.oob.id.au".
> None of the documentation & examples I have seen references a need to
> quote the full Subject in the leftid.
>
> Running libreswan 3.2.5 (release 4.1.e17_6 EPEL package on Centos 7)

I guess you mean 3.25. It would be very good to first test it with 3.29
and see if that addresses your issue. The connection switching code
has changed since then for sure.

If providing logs, please use 3.28 or 3.29 so that I wouldn't need to
look at old code.

Paul
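The situation discussed above, laid out as an added ipsec.conf illustration that is not Ian's actual configuration: two IKEv2 conns on the responder share one local certificate, and the site-to-site conn gets the full Subject DN as leftid (the workaround from the thread) while the road-warrior conn keeps the FQDN ID. Addresses, subnets and the peer ID are placeholders.

```ini
# Added illustration, not the poster's real config. Both conns present the
# same certificate; only the local ID differs, so the IDr a peer sends can
# select exactly one of them instead of leaving pluto to switch later.

conn vpn
    # site-to-site peer: fixed subnets, no address pool, no CP request
    ikev2=insist
    authby=rsasig
    left=203.0.113.10                 # placeholder responder address
    leftcert=vpn.oob.id.au
    leftsubnet=10.10.0.0/24           # placeholder
    # workaround: full Subject DN instead of leftid=@vpn.oob.id.au
    leftid="C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au"
    right=198.51.100.20               # placeholder peer address
    rightid=@server.example.invalid   # hypothetical peer ID
    rightsubnet=10.20.0.0/24          # placeholder
    auto=add

conn rw
    # road warriors: any peer, client addresses handed out via CP
    ikev2=insist
    authby=rsasig
    left=203.0.113.10
    leftcert=vpn.oob.id.au
    leftid=@vpn.oob.id.au             # unchanged FQDN ID for clients
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%fromcert
    rightaddresspool=10.99.0.10-10.99.0.250   # placeholder pool
    auto=add
```

For this to take effect, the initiating server box must set its rightid to the same full DN string so the IDr it sends matches "vpn" and not "rw"; a plutodebug=all log of one connection attempt from each peer is what shows which ID lookup selected which conn.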