[Swan] Connection Matching Based on Certificate ID
Greg Langford
greg at langford.me
Thu Sep 5 20:54:04 UTC 2019
Good Evening,
I am wondering if someone can help me or give me some guidance. I have been
configuring Libreswan to provide a host-to-host IPsec connection between a Mikrotik
router and itself for running a GRE tunnel and OSPF. I am also
configuring Libreswan to serve mobile road warrior clients.
My tunnel to my Mikrotik router establishes without issue, and I can send
traffic over the tunnel in both directions. However, when I try to connect my
road warrior via any connectivity method, be that cellular or Wi-Fi, the
connection matches the first found configuration in Libreswan, which is
incorrect. The host-to-host configuration does not use xauth; however, my
Android VPN client does use xauth.
Is there a way to configure a connection, e.g. the site-to-site connection, to
only specifically serve requests from a certain ID or certificate?
Is it possible to use two different server certificates on Libreswan with
different CNs, e.g. vpn1.domain.com and road-warriors.domain.com, to do this?
I have been trying various configurations but the road warriors are always
matching mikrotik-home not road-warriors.
Thank you in advance for your help.
My two configurations are as follows.
conn mikrotik-home
    left=%defaultroute
    leftsubnet=10.200.200.1/32
    leftsourceip=10.200.200.1
    leftcert=<server cert name>
    right=%any
    rightsubnet=10.200.200.2/32
    rightid=@<id sent by mikrotik>
    ike=aes128-sha1;modp1024
    dpddelay=5
    dpdtimeout=15
    dpdaction=clear
    auto=add

conn road-warriors
    left=176.58.106.154
    leftcert=<server cert name>
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    rightaddresspool=10.20.30.1-10.20.30.254
    right=%any
    modecfgdns=8.8.8.8,8.8.4.4
    # Versions up to 3.22 used modecfgdns1 and modecfgdns2
    #modecfgdns1=193.110.157.123
    #modecfgdns2=8.8.8.8
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=alwaysok
    ike-frag=yes
    # xauthby=pam
    # xauthfail=soft
    # Can be played with below
    # dpddelay=30
    # dpdtimeout=120
    # dpdaction=clear
    #authby=rsasig
    pfs=no
    auto=add
    rekey=no
Kind Regards,
Greg Langford
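Editor's added example (not part of Greg's post, and not a quoted Libreswan reference config): one way to tie each conn to a specific peer identity so the two templates are distinguishable by ID rather than by load order. Both conns give their own leftid and restrict rightid: the site-to-site conn keeps the fixed ID the router sends, while the road-warrior conn takes the peer ID from the presented certificate and requires it to chain to the same CA as the server certificate. All names, addresses and certificate nicknames below are constructed placeholders; the Libreswan options used (leftid, rightid=%fromcert, rightca=%same, authby=rsasig, xauthby=pam) are documented ipsec.conf keywords.

```ini
# Added example config, not the poster's own. Placeholders are marked.
# Two Libreswan conns, each pinned to a peer identity.

conn mikrotik-home
    left=%defaultroute
    leftid=@vpn1.example.com            # placeholder; must match the server cert's SAN/CN
    leftcert=vpn1-server-cert           # placeholder NSS nickname
    leftsubnet=10.200.200.1/32
    leftsourceip=10.200.200.1
    right=%any
    rightid=@mikrotik-home.example.com  # placeholder; only a peer presenting this ID matches here
    rightsubnet=10.200.200.2/32
    authby=rsasig
    # Legacy proposal kept only because the router requires it; sha1/modp1024 are weak.
    ike=aes128-sha1;modp1024
    dpddelay=5
    dpdtimeout=15
    dpdaction=clear
    auto=add

conn road-warriors
    left=198.51.100.10                  # placeholder public address
    leftid=@road-warriors.example.com   # placeholder; distinct server identity for this conn
    leftcert=road-warriors-server-cert  # placeholder NSS nickname
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%fromcert                   # peer ID is read from its certificate, not fixed here
    rightca=%same                       # peer cert must chain to the same CA as leftcert
    rightaddresspool=10.20.30.1-10.20.30.254
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    modecfgdns=8.8.8.8,8.8.4.4
    xauthby=pam                         # alwaysok accepts any password; pam actually checks it
    ike-frag=yes
    pfs=no
    auto=add
```

With both conns loaded, `ipsec status` lists them side by side with their left/right IDs, which makes it easy to see whether the road-warrior template still overlaps the site-to-site one (same left, same right=%any, no distinguishing rightid). The rightca=%same line is the check that matters for the "certain certificate" question: a peer whose certificate is not issued by the server certificate's CA cannot use that conn at all, regardless of which conn Libreswan first considers.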