[Swan] Connection Matching Based on Certificate ID

Paul Wouters paul at nohats.ca
Thu Sep 5 21:01:58 UTC 2019

On Thu, 5 Sep 2019, Greg Langford wrote:

> My tunnel to my Mikrotik Router establishes without issue, I can send traffic over the tunnel both directions. However when I try and connect my road warrior via any
> connectivity method be that cellular or wifi. The connection is matching the first found configuration in Libreswan which is incorrect. The host to host configuration does
> not use xauth, however my Android VPN client does use xauth.

The connection matching should "switch" to the right connection when
more information becomes available. The first packet(s) do not contain
the remote ID yet, so it is not always possible to match the right
connection on the initial packet.

> Is there a way to configure a connection e.g the site to site connection to only specifically serve requests from a certain ID or certificate?

No because the first packet is just the DH key exchange and you will not
have any IDs yet.

> Is it possible to use two different server certificates on Libreswan with different CN's e.g vpn1.domain.com and road-warriors.domain.com to do this?

Yes, and with IKEv2 that is often done for multi-tenant systems because
with IKEv2 the remote client can send what it thinks the ID of the
server is (the IDr payload, AKA the "me Tarzan, you Jane" mechanism).

But note that:
- Windows does not support IDr (big sigh)
- Android does not support IKEv2 (big sigh, but you can install the
   strongswan android client for IKEv2)

When using IKEv1 because of Android, be sure to use Aggressive Mode
(aggressive=yes) so that the IDs come in more quickly and connection
switching can happen. That usually also means using XAUTH.

We have configuration examples on the libreswan wiki.

> I have been trying various configurations but the road warriors are always matching mikrotik-home not road-warriors.
> Thank you in advance for your help.
> My two configurations are as follows.
> conn mikrotik-home
> left=%defaultroute
> leftsubnet=
> leftsourceip=
> leftcert=<server cert name>
> right=%any
> rightsubnet=
> rightid=@<id sent by mikrotik>
> ike=aes128-sha1;modp1024
> dpddelay=5
> dpdtimeout=15
> dpdaction=clear
> auto=add
> conn road-warriors
>     left=
>     leftcert=<server cert name>
>     leftsendcert=always
>     leftsubnet=
>     rightaddresspool=
>     right=%any
>     modecfgdns=,
>     # Versions up to 3.22 used modecfgdns1 and modecfgdns2
>     #modecfgdns1=
>     #modecfgdns2=
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     xauthby=alwaysok
>     ike-frag=yes
>     # xauthby=pam
>     # xauthfail=soft
>     # Can be played with below
>     # dpddelay=30
>     # dpdtimeout=120
>     # dpdaction=clear
>     #authby=rsasig
>     pfs=no
>     auto=add
>     rekey=no
> Kind Regards,
> Greg Langford

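An added configuration example, not from this thread or from libreswan's own documentation, of the IKEv2 approach described in the reply: two connections, each with its own server certificate and leftid, so the IDr a client sends in IKE_AUTH selects the correct one. The certificate nicknames, the peer ID, the networks and the address pool are constructed placeholders; the two server names come from the question.

```ini
# /etc/ipsec.conf fragment (constructed example; replace the cert
# nicknames, peer ID, networks and pool with your own values)

conn mikrotik-home
    ikev2=insist
    authby=rsasig
    left=%defaultroute
    # IDr the Mikrotik side must be configured to send; the name must
    # also appear in this certificate's subjectAltName
    leftid=@vpn1.domain.com
    leftcert=vpn1-server-cert
    leftsendcert=always
    leftsubnet=192.0.2.0/24
    right=%any
    # the peer's own ID, verified against its certificate at IKE_AUTH
    rightid=@mikrotik.example.net
    rightsubnet=198.51.100.0/24
    auto=add

conn road-warriors
    ikev2=insist
    authby=rsasig
    left=%defaultroute
    # a different IDr: IKE_SA_INIT may still land on whichever conn is
    # found first, but at IKE_AUTH a client sending this name is
    # switched to this connection rather than to mikrotik-home
    leftid=@road-warriors.domain.com
    leftcert=road-warriors-server-cert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    # accept any client whose certificate chains to the trusted CA,
    # taking its ID from the certificate
    rightid=%fromcert
    rightaddresspool=10.0.0.1-10.0.0.254
    modecfgdns=10.0.0.1
    auto=add
```

The client must send the matching server identity as IDr (the strongSwan Android client has a "Server identity" field for this); a client that omits IDr, as the reply notes Windows does, cannot be distinguished this way.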