[Swan] Multiple conn sections with different authby

Paul Wouters paul at nohats.ca
Mon Mar 9 18:01:26 UTC 2020

On Thu, 5 Mar 2020, Rian Aldridge wrote:

> I'm recently coming to libreswan with configs from strongswan, and whilst I have almost everything working, I'm running into an
> issue where I have two conn sections for inbound connections, but with different authby= mechanisms.
> I cannot find an example on the web of any config files that do this in libreswan, so please let me know if it's just not
> possible!
> The connection from the PSK host will attempt ike2 with the first connection only (certhosts), fails on the phase1 negotiation
> and returns NO_PROPOSAL_CHOSEN rather than trying 'pskhost'. If I add the ike ciphers to it, then phase1 completes but it insists
> on a cert authby and returns AUTHENTICATION_FAILED rather than trying the next conn. In strongswan this config would
> automatically select whichever conn it needed to make the link come up. Turning off certhosts (auto=ignore) has pskhost pass
> phase1 and 2 with PSK, as does changing the order of the conns in the file.

Code for this has recently improved so please do retry with 3.31.

If possible, the remote endpoints should send the IDr payload, and then
we can switch to the right connection, provided you have different IDs
for the conns as your connections below suggest you do.

> I need both because I have site2sites on PSK, and roadwarriors on certificates. Neither remote end is libreswan, nor tweakable.
> Any suggestions?

If the site2sites are on static IPs, putting in the IPs would help. But
if those are also configured with right=%any, it is a little harder.

Let me know if 3.31 still has this problem for you?


> The (abbreviated) config is below. Setup for ip ranges etc skipped for brevity
> conn common
>   ikev2=insist
>   left=%defaultroute
> conn certhosts
>   also=common
>   ike=aes256-sha2;modp2048
>   authby=rsasig
>   leftcert=myX509
>   leftid=@vpn.example.com
>   right=%any
> conn pskhost
>   also=common
>   ike=aes128-sha1;modp2048
>   authby=secret
>   leftid=
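
A configuration check for the situation discussed in this thread, added here as an example and not part of either poster's message or of libreswan itself: it lists pairs of conns that both use right=%any with a different authby=, and reports whether their leftid values differ, which is the condition the reply gives for switching conns on the IDr payload. The parser, the function names and the pskhost leftid value are assumptions constructed for illustration; the thread's own pskhost leftid is cut off.

```python
from itertools import combinations
# Constructed sample; the pskhost leftid is a placeholder, not the thread's value.
SAMPLE = """\
conn common
  left=%defaultroute
conn certhosts
  also=common
  authby=rsasig
  leftid=@vpn.example.com
  right=%any
conn pskhost
  also=common
  authby=secret
  leftid=@psk.example.net
  right=%any
"""

def parse_conns(text):
    """Return {conn name: {key: [values in file order]}} for 'conn' sections."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if line and not line[0].isspace():        # unindented: section header
            parts = line.split()
            ok = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if ok else None
        elif line and current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return conns

def resolve(conns, name, seen=()):
    """Merge also= sections; assumes the conn's own keys override them."""
    if name in seen:
        raise ValueError("also= loop at " + name)
    merged = {}
    for inc in conns[name].get("also", []):
        merged.update(resolve(conns, inc, seen + (name,)))
    merged.update({k: v[-1] for k, v in conns[name].items() if k != "also"})
    return merged

def ambiguous_pairs(text):
    """List (a, b, leftids_differ) for right=%any conns whose authby differs."""
    conns = parse_conns(text)
    full = {n: resolve(conns, n) for n in conns}
    wild = sorted(n for n, c in full.items() if c.get("right") == "%any")
    return [(a, b, full[a].get("leftid") != full[b].get("leftid"))
            for a, b in combinations(wild, 2)
            if full[a].get("authby") != full[b].get("authby")]
```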
