[Swan] Connection Matching Based on Certificate ID

Greg Langford greg at langford.me
Mon Sep 9 07:02:39 UTC 2019


Thanks Paul, I shall take your advice and give it a go.

Much appreciated.

Kind Regards

On Thu, 5 Sep 2019 at 22:02, Paul Wouters <paul at nohats.ca> wrote:

> On Thu, 5 Sep 2019, Greg Langford wrote:
>
> > My tunnel to my Mikrotik Router establishes without issue, I can send
> > traffic over the tunnel in both directions. However, when I try to connect my
> > road warrior via any connectivity method, be that cellular or wifi, the
> > connection is matching the first found configuration in Libreswan, which is
> > incorrect. The host to host configuration does not use xauth, however my
> > Android VPN client does use xauth.
>
> The connection matching should "switch" to the right connection when
> more information becomes available. The first packet(s) do not contain
> the remote ID yet, so it is not always possible to match the right
> connection on the initial packet.
>
> > Is there a way to configure a connection, e.g. the site to site connection,
> > to only specifically serve requests from a certain ID or certificate?
>
> No because the first packet is just the DH key exchange and you will not
> have any IDs yet.
>
> > Is it possible to use two different server certificates on Libreswan
> > with different CNs, e.g. vpn1.domain.com and road-warriors.domain.com, to
> > do this?
>
> Yes, and with IKEv2 that is often done for multi-tenant systems because
> with IKEv2 the remote client can send what it thinks the ID of the
> server is (the IDr payload, AKA the "me Tarzan, you Jane" mechanism).
>
> But note that:
> - Windows does not support IDr (big sigh)
> - Android does not support IKEv2 (big sigh, but you can install the
>    strongswan android client for IKEv2)
>
> When using IKEv1 because of Android, be sure to use Aggressive Mode
> (aggressive=yes) so that the IDs come in more quickly and connection
> switching can happen. That usually also means using XAUTH.
>
> We have configuration examples on the libreswan wiki.
>
> Paul
> >
> > I have been trying various configurations but the road warriors are
> > always matching mikrotik-home, not road-warriors.
> >
> > Thank you in advance for your help.
> >
> > My two configurations are as follows.
> >
> > conn mikrotik-home
> >     left=%defaultroute
> >     leftsubnet=10.200.200.1/32
> >     leftsourceip=10.200.200.1
> >     leftcert=<server cert name>
> >     right=%any
> >     rightsubnet=10.200.200.2/32
> >     rightid=@<id sent by mikrotik>
> >     ike=aes128-sha1;modp1024
> >     dpddelay=5
> >     dpdtimeout=15
> >     dpdaction=clear
> >     auto=add
> >
> > conn road-warriors
> >     left=176.58.106.154
> >     leftcert=<server cert name>
> >     leftsendcert=always
> >     leftsubnet=0.0.0.0/0
> >     rightaddresspool=10.20.30.1-10.20.30.254
> >     right=%any
> >     modecfgdns=8.8.8.8,8.8.4.4
> >     # Versions up to 3.22 used modecfgdns1 and modecfgdns2
> >     #modecfgdns1=193.110.157.123
> >     #modecfgdns2=8.8.8.8
> >     leftxauthserver=yes
> >     rightxauthclient=yes
> >     leftmodecfgserver=yes
> >     rightmodecfgclient=yes
> >     modecfgpull=yes
> >     xauthby=alwaysok
> >     ike-frag=yes
> >     # xauthby=pam
> >     # xauthfail=soft
> >     # Can be played with below
> >     # dpddelay=30
> >     # dpdtimeout=120
> >     # dpdaction=clear
> >     #authby=rsasig
> >     pfs=no
> >     auto=add
> >     rekey=no
> >
> > Kind Regards,
> > Greg Langford
> >
> >
>
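As an added illustration of the IKEv2 approach Paul describes (not a configuration from the thread or from the libreswan wiki), here are the two conns rewritten so that each server certificate has its own leftid; an IKEv2 client that sends that name as IDr (for example the strongSwan Android client) lets libreswan select the matching conn instead of the first one found. The certificate nicknames are placeholders, the domain names are those mentioned in the thread, and it is assumed each certificate carries its FQDN as a subjectAltName.

```ini
# Added example: two IKEv2 connections on one libreswan server, each with its
# own certificate and ID. The client's IDr payload names the server it expects,
# so the conn can be chosen before the client's own ID has been verified.

conn mikrotik-home
    ikev2=insist                       # IKEv1 has no IDr, so this must be IKEv2
    left=%defaultroute
    leftid=@vpn1.domain.com            # name the router is configured to expect
    leftcert=vpn1-server-cert          # placeholder NSS certificate nickname
    leftsubnet=10.200.200.1/32
    leftsourceip=10.200.200.1
    right=%any
    rightid=@<id sent by mikrotik>     # placeholder, as in the original config
    rightsubnet=10.200.200.2/32
    authby=rsasig
    dpddelay=5
    dpdtimeout=15
    dpdaction=clear
    auto=add

conn road-warriors
    ikev2=insist
    left=176.58.106.154
    leftid=@road-warriors.domain.com   # what the strongSwan client sends as IDr
    leftcert=road-warriors-server-cert # placeholder NSS certificate nickname
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%fromcert                  # client ID is taken from its certificate
    rightca=%same                      # client cert must chain to the server's CA
    rightaddresspool=10.20.30.1-10.20.30.254
    modecfgdns=8.8.8.8,8.8.4.4
    authby=rsasig
    rekey=no
    auto=add
```

With `ipsec status` or `ipsec whack --trafficstatus` you can confirm which conn a client landed on; a client whose IDr does not match either leftid will still fall back to the ordinary first-match behaviour described above.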