[Swan] Multiple conn sections with different authby

Rian Aldridge rian at zeplin.io
Mon Mar 9 19:23:01 UTC 2020


Unfortunately the reason for moving to libreswan was its availability in
stock AWS Linux2, currently version 3.25. Best I can find in a CentOS repo
is 3.29 - looks like even if I get this working it'll be unsupported for a
long time, so not really an option for business usage.

The site2sites (i.e. PSK) are static and their IP is added to the conf
section (AWS %localhost and rightip=1.2.3.4), but the remote ends are
turnkey devices so I cannot make them add an IDr payload. The
roadwarriors are Mac native VPN clients so even less opportunity to do
anything else.

Any clever trick that might work in the 3.25 server version? I tried
setting PSK to IKEv1 and certs to ikev2 which surprisingly worked for
concurrent connections for about 5 minutes before crashing and burning and
needing the AWS server to be soft rebooted so who knows what happened
there....


On Mon, Mar 9, 2020 at 11:01 AM Paul Wouters <paul at nohats.ca> wrote:

> On Thu, 5 Mar 2020, Rian Aldridge wrote:
>
> > I'm recently coming to libreswan with configs from strongswan, and whilst
> > I have almost everything working, I'm running into an issue where I have
> > two conn sections for inbound connections, but with different authby=
> > mechanisms.
> > I cannot find an example on the web of any config files that do this in
> > libreswan, so please let me know if it's just not possible!
> >
> > The connection from the PSK host will attempt ike2 with the first
> > connection only (certhosts), fails on the phase1 negotiation and returns
> > NO_PROPOSAL_CHOSEN rather than trying 'pskhost'. If I add the ike ciphers
> > to it, then phase1 completes but it insists on a cert authby and returns
> > AUTHENTICATION_FAILED rather than trying the next conn. In strongswan this
> > config would automatically select whichever conn it needed to to make the
> > link come up. Turning off certhosts (auto=ignore) has pskhost pass phase1
> > and 2 with PSK, as does changing the order of the conns in the file.
>
> Code for this has recently improved so please do retry with 3.31.
>
> If possible, the remote endpoints should send the IDr payload, and then
> we can switch to the right connection, provided you have different IDs
> for the conns as your connections below suggest you do.
>
> > I need both because I have site2sites on PSK, and roadwarriors on
> > certificates. Neither remote end is libreswan, nor tweakable.
> > Any suggestions?
>
> If the site2sites are on static IPs, putting in the IPs would help. But
> if those are also configured with right=%any, it is a little harder.
>
> Let me know if 3.31 still has this problem for you?
>
> Paul
>
> > The (abbreviated) config is below. Setup for ip ranges etc skipped for
> > brevity
> >
> > conn common
> >   ikev2=insist
> >   left=%defaultroute
> >
> > conn certhosts
> >   also=common
> >   ike=aes256-sha2;modp2048
> >   authby=rsasig
> >   leftcert=myX509
> >   leftid=@vpn.example.com
> >   right=%any
> >
> > conn pskhost
> >   also=common
> >   ike=aes128-sha1;modp2048
> >   authby=secret
> >   leftid=1.2.3.4
> >
> >
>
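
An added example, not part of the thread and not libreswan code: a small Python check that resolves also= in an ipsec.conf-style file and lists the inbound conns that use different authby= values while none of them is pinned to a peer address, which is the situation discussed above. The function names are hypothetical, and treating a section without authby= as a template and a missing right= as %any are assumptions made here.

```python
import re

# The abbreviated config as posted in the thread, used here as sample input.
THREAD_CONF = """\
conn common
  ikev2=insist
  left=%defaultroute
conn certhosts
  also=common
  ike=aes256-sha2;modp2048
  authby=rsasig
  leftcert=myX509
  leftid=@vpn.example.com
  right=%any
conn pskhost
  also=common
  ike=aes128-sha1;modp2048
  authby=secret
  leftid=1.2.3.4
"""

def parse_conns(text):
    """Parse 'conn NAME' sections into {name: {key: value}}."""
    conns, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"conn\s+(\S+)", line)
        if head:
            cur = conns.setdefault(head.group(1), {})
        elif line[:1].isspace() and "=" in line and cur is not None:
            key, _, value = line.strip().partition("=")
            cur[key.strip()] = value.strip()
        elif line.strip():
            cur = None  # some other section, e.g. "config setup"
    return conns

def effective(conns, name, seen=()):
    """Merge a conn with the sections it inherits through also=."""
    own = dict(conns.get(name, {}))
    parent = own.pop("also", None)
    if parent is None or parent == name or parent in seen:
        return own
    return {**effective(conns, parent, seen + (name,)), **own}

def ambiguous_inbound(text):
    """Conns whose authby differs while none of them names a fixed peer.
    Assumptions: no authby means template; missing right= counts as %any."""
    conns = parse_conns(text)
    open_ = {n: c["authby"] for n, c in ((n, effective(conns, n)) for n in conns)
             if "authby" in c and c.get("right", "%any") == "%any"}
    return sorted(open_) if len(set(open_.values())) > 1 else []
```

Run against the posted config it reports both certhosts and pskhost; once the PSK conn carries a fixed right= address, the list is empty.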