[Swan] Connection Matching Based on Certificate ID

Greg Langford greg at langford.me
Thu Sep 5 20:54:04 UTC 2019


Good Evening,

I am wondering if someone can help me or give me some guidance. I have been
configuring Libreswan to provide host-to-host IPsec between a Mikrotik
router and itself for running a GRE tunnel and OSPF. I am also
configuring Libreswan to serve mobile road warrior clients.

My tunnel to my Mikrotik router establishes without issue; I can send
traffic over the tunnel in both directions. However, when I try to connect my
road warrior via any connectivity method, be that cellular or Wi-Fi, the
connection matches the first configuration found in Libreswan, which is
incorrect. The host-to-host configuration does not use XAUTH; however, my
Android VPN client does use XAUTH.

Is there a way to configure a connection, e.g. the site-to-site connection, to
serve only requests from a certain ID or certificate?

Is it possible to use two different server certificates on Libreswan with
different CNs, e.g. vpn1.domain.com and road-warriors.domain.com, to do this?

I have been trying various configurations, but the road warriors are always
matching mikrotik-home, not road-warriors.

Thank you in advance for your help.

My two configurations are as follows.

conn mikrotik-home
    left=%defaultroute
    leftsubnet=10.200.200.1/32
    leftsourceip=10.200.200.1
    leftcert=<server cert name>
    right=%any
    rightsubnet=10.200.200.2/32
    rightid=@<id sent by mikrotik>
    ike=aes128-sha1;modp1024
    dpddelay=5
    dpdtimeout=15
    dpdaction=clear
    auto=add

conn road-warriors
    left=176.58.106.154
    leftcert=<server cert name>
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    rightaddresspool=10.20.30.1-10.20.30.254
    right=%any
    modecfgdns=8.8.8.8,8.8.4.4
    # Versions up to 3.22 used modecfgdns1 and modecfgdns2
    #modecfgdns1=193.110.157.123
    #modecfgdns2=8.8.8.8
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=alwaysok
    ike-frag=yes
    # xauthby=pam
    # xauthfail=soft
    # Can be played with below
    # dpddelay=30
    # dpdtimeout=120
    # dpdaction=clear
    #authby=rsasig
    pfs=no
    auto=add
    rekey=no

Kind Regards,
Greg Langford
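An added illustration, not part of Greg's post or of any reply on the list, of the ipsec.conf knobs the question is about: rightid restricts a conn to a peer that presents exactly that identity, rightid=%fromcert takes the peer identity from its certificate, and rightca ties a conn to the CA that issued the peer's certificate, so two right=%any conns can be told apart by who the peer proves itself to be rather than by which one is listed first. Certificate nicknames, hostnames, IDs and the CA are placeholders; that leftid must name something present in the matching certificate, and that your Libreswan version then settles on the intended conn for each peer, are assumptions to confirm in the pluto log for both the Mikrotik and an Android client.

```conf
# Added example, not from the original post. Placeholders: vpn1cert, rwcert,
# the example.com names and the CA. Everything else is the poster's own
# settings, reordered so the peer-identity lines sit together.

conn mikrotik-home
    left=%defaultroute
    leftcert=vpn1cert
    leftid=@vpn1.example.com            # assumption: must be a name in vpn1cert
    leftsubnet=10.200.200.1/32
    leftsourceip=10.200.200.1
    right=%any
    rightid=@mikrotik.example.com       # only a peer presenting this ID fits here
    rightsubnet=10.200.200.2/32
    authby=rsasig                       # state it rather than rely on the default
    ike=aes128-sha1;modp1024            # modp1024 is a 1024-bit DH group; keep it only
                                        # while the Mikrotik side cannot do better
    dpddelay=5
    dpdtimeout=15
    dpdaction=clear
    auto=add

conn road-warriors
    left=176.58.106.154
    leftcert=rwcert
    leftid=@road-warriors.example.com   # assumption: must be a name in rwcert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%fromcert                   # peer ID is whatever its certificate says
    rightca=%same                       # ...and that certificate must chain to the
                                        # same CA that issued rwcert
    rightaddresspool=10.20.30.1-10.20.30.254
    modecfgdns=8.8.8.8,8.8.4.4
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=alwaysok                    # any username/password is accepted (see note)
    ike-frag=yes
    pfs=no
    rekey=no
    auto=add
```

Two caveats a practitioner would want with this: xauthby=alwaysok accepts every XAUTH username and password, so in road-warriors the client certificate check and the rightca restriction are the only things authenticating the peer, which is why that conn should never be left as a bare right=%any with no identity constraint; and if the road warriors are issued from a CA other than the one behind the Mikrotik's certificate, put that CA's DN in rightca instead of %same so a Mikrotik-issued certificate cannot satisfy the road-warrior conn either.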