[Swan] Multiple conn sections with different authby

Paul Wouters paul at nohats.ca
Mon Mar 9 19:39:14 UTC 2020

On Mon, 9 Mar 2020, Rian Aldridge wrote:

> Unfortunately the reason for moving to libreswan was its availability in stock AWS Linux2, currently version 3.25. Best I can
> find in a CentOS repo is 3.29 - looks like even if I get this working it'll be unsupported for a long time, so not really an
> option for a business usage.

We publish CentOS 6/7/8 binaries on download.libreswan.org

> The site2sites (ie PSK) are static and their IP is added to the conf section (AWS %localhost and rightip=), but the remote
> ends are turnkey devices so I cannot make them add an IDr payload.

Hmm ok.

> The roadwarriors are Mac native VPN clients so even less opportunity to do anything else.

If the Macs are configured with the remote ID for VPN server set, they
will send IDr payloads.

> Any clever trick that might work in the 3.25 server version? I tried setting PSK to IKEv1 and certs to ikev2
> which surprisingly worked for concurrent connections for about 5 minutes before crashing and burning and needing the AWS server
> to be soft rebooted so who knows what happened there....

I wonder what happened there.....

You can try and change the ordering of the conns, that will affect which
one is loaded first and tried first?

