[Swan] Multiple conn sections with different authby
Rian Aldridge
rian at zeplin.io
Thu Mar 5 20:02:28 UTC 2020
I'm recently coming to libreswan with configs from strongswan, and whilst I
have almost everything working, I'm running into an issue where I have two
conn sections for inbound connections, but with different authby=
mechanisms.
I cannot find an example on the web of any config files that do this in
libreswan, so please let me know if it's just not possible!
The connection from the PSK host will attempt ike2 with the first
connection only (certhosts), fails on the phase1 negotiation and returns
NO_PROPOSAL_CHOSEN rather than trying 'pskhost'. If I add the ike ciphers
to it, then phase1 completes but it insists on a cert authby and returns
AUTHENTICATION_FAILED rather than trying the next conn. In strongswan this
config would automatically select whichever conn it needed to make the
link come up. Turning off certhosts (auto=ignore) has pskhost pass phase1
and 2 with PSK, as does changing the order of the conns in the file.
I need both because I have site2sites on PSK, and roadwarriors on
certificates. Neither remote end is libreswan, nor tweakable. Any
suggestions?
The (abbreviated) config is below. Setup for IP ranges etc. skipped for
brevity.
conn common
    ikev2=insist
    left=%defaultroute

conn certhosts
    also=common
    ike=aes256-sha2;modp2048
    authby=rsasig
    leftcert=myX509
    leftid=@vpn.example.com
    right=%any

conn pskhost
    also=common
    ike=aes128-sha1;modp2048
    authby=secret
    leftid=1.2.3.4
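Added example (not from the original post and not libreswan's own parser): a small Python script that expands the also= inheritance in an ipsec.conf of the shape above and reports conns that both accept any peer (right=%any) yet demand a different authby=, which is the overlap the post describes. The embedded config is constructed from the abbreviated one in the post; giving pskhost right=%any is an assumption, since the post omits its address settings.

```python
"""Expand libreswan-style ipsec.conf 'conn' sections and report conns that
accept the same inbound peer but require different authby= mechanisms.

Added illustration only; libreswan's real parser is not used here.
"""
import re

# Constructed from the abbreviated config in the post. 'right=%any' on
# pskhost is an assumption: the post skipped its address settings.
SAMPLE_CONF = """\
conn common
    ikev2=insist
    left=%defaultroute

conn certhosts
    also=common
    ike=aes256-sha2;modp2048
    authby=rsasig
    leftcert=myX509
    leftid=@vpn.example.com
    right=%any

conn pskhost
    also=common
    ike=aes128-sha1;modp2048
    authby=secret
    leftid=1.2.3.4
    right=%any
"""


def parse_conns(text):
    """Return {conn_name: {key: value}}; 'also' is kept as a list of names.
    'config setup' sections are parsed but not returned."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r'^(conn|config)\s+(\S+)$', line)
        if m:
            current = {}
            if m.group(1) == 'conn':
                conns[m.group(2)] = current
            continue
        if current is None or '=' not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (s.strip() for s in line.split('=', 1))
        if key == 'also':
            current.setdefault('also', []).append(value)
        else:
            current[key] = value
    return conns


def resolve(conns, name, _seen=frozenset()):
    """Flatten also= chains: a conn's own keys override inherited ones."""
    if name in _seen:
        raise ValueError(f"also= cycle through {name}")
    section = conns[name]
    merged = {}
    for parent in section.get('also', []):
        merged.update(resolve(conns, parent, _seen | {name}))
    merged.update({k: v for k, v in section.items() if k != 'also'})
    return merged


def inbound_conflicts(conns):
    """Group conns that accept any peer (right=%any) on the same left address
    and IKE version; return only the groups whose authby= values disagree.
    Each entry is (conn name, authby, leftid) so the distinguishing IDs show."""
    groups = {}
    for name in conns:
        c = resolve(conns, name)
        if c.get('right') != '%any':
            continue
        key = (c.get('left'), c.get('ikev2'))
        groups.setdefault(key, []).append((name, c.get('authby'), c.get('leftid')))
    return {k: v for k, v in groups.items() if len({a for _, a, _ in v}) > 1}


if __name__ == '__main__':
    parsed = parse_conns(SAMPLE_CONF)
    for conn_name in parsed:
        print(conn_name, resolve(parsed, conn_name))
    for (left, ikev2), members in inbound_conflicts(parsed).items():
        print(f"left={left} ikev2={ikev2}: conns with differing authby:")
        for conn_name, authby, leftid in members:
            print(f"  {conn_name}: authby={authby} leftid={leftid}")
```

Running it prints each conn with its inherited keys filled in, then the single overlapping group (certhosts with rsasig, pskhost with secret), which makes visible that the only attribute separating the two wildcard conns is leftid.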