[Swan] Connection Matching Based on Certificate ID
Greg Langford
greg at langford.me
Mon Sep 9 07:02:39 UTC 2019
Thanks Paul, I shall take your advice and give it a go.
Much appreciated.
Kind Regards
On Thu, 5 Sep 2019 at 22:02, Paul Wouters <paul at nohats.ca> wrote:
> On Thu, 5 Sep 2019, Greg Langford wrote:
>
> > My tunnel to my Mikrotik Router establishes without issue, I can send
> > traffic over the tunnel both directions. However when I try and connect my
> > road warrior via any connectivity method, be that cellular or wifi, the
> > connection is matching the first found configuration in Libreswan, which is
> > incorrect. The host to host configuration does not use xauth, however my
> > Android VPN client does use xauth.
>
> The connection matching should "switch" to the right connection when
> more information becomes available. The first packet(s) do not contain
> the remote ID yet, so it is not always possible to match the right
> connection on the initial packet.
>
> > Is there a way to configure a connection e.g. the site to site connection
> > to only specifically serve requests from a certain ID or certificate?
>
> No because the first packet is just the DH key exchange and you will not
> have any IDs yet.
>
> > Is it possible to use two different server certificates on Libreswan
> > with different CNs e.g. vpn1.domain.com and road-warriors.domain.com to
> > do this?
>
> Yes, and with IKEv2 that is often done for multi-tenant systems because
> with IKEv2 the remote client can send what it thinks the ID of the
> server is (The IDr payload, AKA the "me Tarzan, you Jane" mechanism)
>
> But note that:
> - Windows does not support IDr (big sigh)
> - Android does not support IKEv2 (big sigh, but you can install the
> strongswan android client for IKEv2)
>
> When using IKEv1 because of android, be sure to use Aggressive Mode
> (aggressive=yes) so that the IDs come in more quickly and connection
> switching can happen. That usually also means using XAUTH.
>
> We have configuration examples on the libreswan wiki
>
> Paul
> >
> > I have been trying various configurations but the road warriors are
> > always matching mikrotik-home not road-warriors.
> >
> > Thank you in advance for your help.
> >
> > My two configurations are as follows.
> >
> > conn mikrotik-home
> > left=%defaultroute
> > leftsubnet=10.200.200.1/32
> > leftsourceip=10.200.200.1
> > leftcert=<server cert name>
> > right=%any
> > rightsubnet=10.200.200.2/32
> > rightid=@<id sent by mikrotik>
> > ike=aes128-sha1;modp1024
> > dpddelay=5
> > dpdtimeout=15
> > dpdaction=clear
> > auto=add
> >
> > conn road-warriors
> > left=176.58.106.154
> > leftcert=<server cert name>
> > leftsendcert=always
> > leftsubnet=0.0.0.0/0
> > rightaddresspool=10.20.30.1-10.20.30.254
> > right=%any
> > modecfgdns=8.8.8.8,8.8.4.4
> > # Versions up to 3.22 used modecfgdns1 and modecfgdns2
> > #modecfgdns1=193.110.157.123
> > #modecfgdns2=8.8.8.8
> > leftxauthserver=yes
> > rightxauthclient=yes
> > leftmodecfgserver=yes
> > rightmodecfgclient=yes
> > modecfgpull=yes
> > xauthby=alwaysok
> > ike-frag=yes
> > # xauthby=pam
> > # xauthfail=soft
> > # Can be played with below
> > # dpddelay=30
> > # dpdtimeout=120
> > # dpdaction=clear
> > #authby=rsasig
> > pfs=no
> > auto=add
> > rekey=no
> >
> > Kind Regards,
> > Greg Langford
> >
> >
>
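As an added illustration of the two-certificate IKEv2 approach Paul describes (not part of the original thread or of the libreswan wiki), the two connections below share one server address but carry different leftid/leftcert values, so the IDr a client sends selects the connection before any traffic selectors are evaluated. Certificate nicknames, the server address, and the Mikrotik ID are hypothetical placeholders; the certificates are assumed to already be imported into the NSS database, and the Android side is assumed to run the strongSwan client since the built-in client cannot do IKEv2.

```ini
# Site-to-site peer: only a client that sends IDr = vpn1.domain.com lands here.
conn mikrotik-home
    ikev2=insist
    left=176.58.106.154               # one server address shared by both conns
    leftid=@vpn1.domain.com           # must equal the IDr the Mikrotik sends
    leftcert=vpn1.domain.com          # hypothetical NSS nickname of that cert
    leftsubnet=10.200.200.1/32
    right=%any
    rightid=@<id sent by mikrotik>    # placeholder, as in the original post
    rightsubnet=10.200.200.2/32
    authby=rsasig
    dpddelay=5
    dpdtimeout=15
    dpdaction=clear
    auto=add

# Road warriors: a client that sends IDr = road-warriors.domain.com lands here,
# so it can never be matched against the host-to-host tunnel above.
conn road-warriors
    ikev2=insist
    left=176.58.106.154
    leftid=@road-warriors.domain.com  # second cert, different CN
    leftcert=road-warriors.domain.com # hypothetical NSS nickname of that cert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%fromcert                 # take the client ID from its certificate
    rightaddresspool=10.20.30.1-10.20.30.254
    modecfgdns=8.8.8.8,8.8.4.4
    authby=rsasig
    auto=add
```

Each client must be configured to send the matching server identity (the remote ID or server identifier field in the client), otherwise it falls back to the first-match behaviour described in the thread.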